Summary | ZeroBOX

loader2.exe

NSIS Generic Malware Malicious Library UPX PE File DLL PE32
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 29, 2021, 9:26 a.m. Oct. 29, 2021, 9:42 a.m.
Size 248.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 25f27297055176dde7fb735ee70eaa8f
SHA256 08c2207b023f1d2e65be57b75a4395908b2474b1f244d8f53d43914f94b7be8d
CRC32 7671DEAA
ssdeep 6144:wBlL/cJTTgq/Hxyi0X3W37gGma27yxayiXU8Z2W/t:CeJg6RyLWrgGmZ7yx/c2et
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49210 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 154.64.119.157:80 2221045 SURICATA HTTP Unexpected Request body Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 154.64.119.157:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 154.64.119.157:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 154.64.119.157:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 199.59.242.153:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 199.59.242.153:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 199.59.242.153:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 34.80.190.141:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 34.80.190.141:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 13.248.160.216:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 34.80.190.141:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 13.248.160.216:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 13.248.160.216:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.216:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.216:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.216:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.cfaatampa.com/o2go/?Dxlpd=Pl/Ol+nOsw6/w/y+aU9P1RKojiUc7vyeNPaxTQPmfD352vP1/9QBqpNGE02dwnx78NU/bhk7&mnSh=TxlhkdU
suspicious_features GET method with no useragent header suspicious_request GET http://www.canopuslector.com/o2go/?Dxlpd=ZAUpSgkpEDg8niFzuNKe6gEWnHhBWtidA2LwxNth08Qz4PbCXRD40C59E3bfaaHzXCIDtzc4&mnSh=TxlhkdU
suspicious_features GET method with no useragent header suspicious_request GET http://www.expatriatecafe.com/o2go/?Dxlpd=+cW4o3L1nfvEkkPOkZGTjQfjWekF/hM2MaTEXDdcC09Onuz+XEMDyox0luu0PClFcWinXzsf&mnSh=TxlhkdU
suspicious_features GET method with no useragent header suspicious_request GET http://www.daybydayneeds.com/o2go/?Dxlpd=/FrPOgiDhDip/ySNZI8OLKS5OxIhXPdMrfM/1s/okw0wECr+nAKcZ38irIHgJAMCO3WjHnMc&mnSh=TxlhkdU
suspicious_features GET method with no useragent header suspicious_request GET http://www.fanaticscardgroup.com/o2go/?Dxlpd=8H0rDLcccfrSnzJo6xqaIh8cFRP5shFVfEo30ND+W3j0LJ9pYzmIPxBjjF03wuELOtv43EjU&mnSh=TxlhkdU
suspicious_features GET method with no useragent header suspicious_request GET http://www.koltemp.com/o2go/?Dxlpd=d/I/y4E919y90/NgD6lGRdsG+efKLObNvHJeST29zYsXDGROtBHMrcb1ki8bN5CEtxKsUn6o&mnSh=TxlhkdU
request POST http://www.cfaatampa.com/o2go/
request GET http://www.cfaatampa.com/o2go/?Dxlpd=Pl/Ol+nOsw6/w/y+aU9P1RKojiUc7vyeNPaxTQPmfD352vP1/9QBqpNGE02dwnx78NU/bhk7&mnSh=TxlhkdU
request POST http://www.canopuslector.com/o2go/
request GET http://www.canopuslector.com/o2go/?Dxlpd=ZAUpSgkpEDg8niFzuNKe6gEWnHhBWtidA2LwxNth08Qz4PbCXRD40C59E3bfaaHzXCIDtzc4&mnSh=TxlhkdU
request POST http://www.expatriatecafe.com/o2go/
request GET http://www.expatriatecafe.com/o2go/?Dxlpd=+cW4o3L1nfvEkkPOkZGTjQfjWekF/hM2MaTEXDdcC09Onuz+XEMDyox0luu0PClFcWinXzsf&mnSh=TxlhkdU
request POST http://www.daybydayneeds.com/o2go/
request GET http://www.daybydayneeds.com/o2go/?Dxlpd=/FrPOgiDhDip/ySNZI8OLKS5OxIhXPdMrfM/1s/okw0wECr+nAKcZ38irIHgJAMCO3WjHnMc&mnSh=TxlhkdU
request POST http://www.fanaticscardgroup.com/o2go/
request GET http://www.fanaticscardgroup.com/o2go/?Dxlpd=8H0rDLcccfrSnzJo6xqaIh8cFRP5shFVfEo30ND+W3j0LJ9pYzmIPxBjjF03wuELOtv43EjU&mnSh=TxlhkdU
request POST http://www.koltemp.com/o2go/
request GET http://www.koltemp.com/o2go/?Dxlpd=d/I/y4E919y90/NgD6lGRdsG+efKLObNvHJeST29zYsXDGROtBHMrcb1ki8bN5CEtxKsUn6o&mnSh=TxlhkdU
request POST http://www.cfaatampa.com/o2go/
request POST http://www.canopuslector.com/o2go/
request POST http://www.expatriatecafe.com/o2go/
request POST http://www.daybydayneeds.com/o2go/
request POST http://www.fanaticscardgroup.com/o2go/
request POST http://www.koltemp.com/o2go/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73795000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2240
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00820000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsl657A.tmp\psdqz.dll
file C:\Users\test22\AppData\Local\Temp\nsl657A.tmp\psdqz.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2240
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
1 0 0
Process injection Process 112 called NtSetContextThread to modify thread in remote process 2240
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314080
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000021c
process_identifier: 2240
1 0 0
Elastic malicious (high confidence)
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
BitDefender Trojan.NSISX.Spy.Gen.2
Arcabit Trojan.NSISX.Spy.Gen.2
Cyren W32/Injector.ANV.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EQKC
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Trojan.NSISX.Spy.Gen.2
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
McAfee-GW-Edition BehavesLike.Win32.Vopak.dc
FireEye Generic.mg.25f27297055176dd
Sophos Generic ML PUA (PUA)
Ikarus Trojan.NSIS.Agent
MAX malware (ai score=89)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Zum.Androm.1
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector_AGen.AW!tr
BitDefenderTheta Gen:NN.ZedlaF.34236.bu4@aOwRvMki
Cybereason malicious.705517
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2244
thread_handle: 0x0000021c
process_identifier: 2240
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\loader2.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\loader2.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\loader2.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000220
1 1 0

NtGetContextThread

thread_handle: 0x0000021c
1 0 0

NtAllocateVirtualMemory

process_identifier: 2240
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
1 0 0

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314080
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000021c
process_identifier: 2240
1 0 0