popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

nmnb.exe

Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Jan. 26, 2023, 10:45 a.m. Jan. 26, 2023, 11 a.m.
Size 331.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 58a93d1d064b9e8265ea798531adb0bf
SHA256 d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
CRC32 6E888843
ssdeep 6144:PYa69K+mD7y0q2hhBCH4m6Qx8qQ5+/ucZiE2TZPwc7j0W6KmZE0HOkv/kBa:PYnUD71qc+6Q+qQuu/Tn396KmLDv/
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 153.127.67.174:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 172.247.35.173:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 153.127.67.174:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 172.247.35.173:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 153.127.67.174:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 172.247.35.173:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 142.250.206.243:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 142.250.206.243:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 142.250.206.243:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 104.21.35.28:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 104.21.35.28:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 104.21.35.28:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 172.255.33.179:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 172.255.33.179:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 172.255.33.179:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 192.64.115.133:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 192.64.115.133:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 192.64.115.133:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 85.159.66.93:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 85.159.66.93:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 85.159.66.93:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 85.159.66.93:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.drzjup.space/poub/?J48=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&EhU4Nv=gdM0vL4huV
suspicious_features GET method with no useragent header suspicious_request GET http://www.agence-dragonne.com/poub/?J48=AJ1lnItlOBOMu4VTxug+YhiyjjMIB0X6igB7b1gQ1/FyMjSiMMj6SiFHodYf6/xohFqvUB4/&EhU4Nv=gdM0vL4huV
suspicious_features GET method with no useragent header suspicious_request GET http://www.peiphitan.com/poub/?J48=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&EhU4Nv=gdM0vL4huV
suspicious_features GET method with no useragent header suspicious_request GET http://www.soldbylena.com/poub/?J48=Yx1Go82kz3quMGBdMT8MTkTpwx2C2fKFreghtdDiaVm/DdA3lQSzkCq363BA4rx6egegMd3w&EhU4Nv=gdM0vL4huV
suspicious_features GET method with no useragent header suspicious_request GET http://www.cheapboden.com/poub/?J48=uMC/GsanvNpPbNcCVsDObBSsNNWRYBZ6HNwnYtWwxIAICQHEP8X1B519TLgsyoj5ym3DSXfy&EhU4Nv=gdM0vL4huV
suspicious_features GET method with no useragent header suspicious_request GET http://www.midundao.net/poub/?J48=BeQSaNCZ8Cc+ObDJRvydEORS/RePR8oKq7xoUj49pHjj3eul8epkA9+9TFgjCI7880YVFtR7&EhU4Nv=gdM0vL4huV
request GET http://www.drzjup.space/poub/?J48=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&EhU4Nv=gdM0vL4huV
request GET http://www.agence-dragonne.com/poub/?J48=AJ1lnItlOBOMu4VTxug+YhiyjjMIB0X6igB7b1gQ1/FyMjSiMMj6SiFHodYf6/xohFqvUB4/&EhU4Nv=gdM0vL4huV
request GET http://www.peiphitan.com/poub/?J48=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&EhU4Nv=gdM0vL4huV
request GET http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip
request GET http://www.soldbylena.com/poub/?J48=Yx1Go82kz3quMGBdMT8MTkTpwx2C2fKFreghtdDiaVm/DdA3lQSzkCq363BA4rx6egegMd3w&EhU4Nv=gdM0vL4huV
request GET http://www.cheapboden.com/poub/?J48=uMC/GsanvNpPbNcCVsDObBSsNNWRYBZ6HNwnYtWwxIAICQHEP8X1B519TLgsyoj5ym3DSXfy&EhU4Nv=gdM0vL4huV
request GET http://www.midundao.net/poub/?J48=BeQSaNCZ8Cc+ObDJRvydEORS/RePR8oKq7xoUj49pHjj3eul8epkA9+9TFgjCI7880YVFtR7&EhU4Nv=gdM0vL4huV
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2684
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2748
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\xnozsgld.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 77.73.134.27
Process injection Process 2684 called NtSetContextThread to modify thread in remote process 2748
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4325136
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000a0
process_identifier: 2748
1 0 0
dead_host 67.21.71.208:80
Lionic Trojan.Win32.Noon.4!c
FireEye Generic.mg.58a93d1d064b9e82
McAfee Artemis!58A93D1D064B
Cylance Unsafe
Sangfor Suspicious.Win32.Save.ins
Cyren W32/Injector.BJL.gen!Eldorado
Symantec Packed.NSISPacker!g14
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ESPG
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
Avast Win32:InjectorX-gen [Trj]
DrWeb Trojan.Siggen19.32851
McAfee-GW-Edition BehavesLike.Win32.Downloader.fc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Webroot W32.Infostealer.Formbook
Avira TR/AD.GenShell.kxkjx
Antiy-AVL Trojan/Win32.Sabsik
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/Casdet!rfn
GData Win32.Trojan-Stealer.FormBook.UVFAG0
Google Detected
Malwarebytes Trojan.MalPack.GS
Rising Trojan.Injector!8.C4 (CLOUD)
Ikarus Trojan.Inject
Fortinet W32/Injector.NSAY!tr
AVG Win32:InjectorX-gen [Trj]