Summary | ZeroBOX

shedume2.1.exe

NSIS Malicious Library UPX PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us April 25, 2023, 10:10 a.m. April 25, 2023, 10:13 a.m.
Size 279.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 c2193488994db0c99893eb8d336874e3
SHA256 e492e308b1967fc1dcd6cef3ad6f20d1a77ca5953460162d1d1ee71b000d66f7
CRC32 32C3436B
ssdeep 6144:/Ya6kZ/qTiW9GQW+e6YmWInO3PXE9hnAK620WIQsNAFF1iEhXvD0P9baR:/YSZ/qOWUrIOf09R90IsNAFF13D0PIR
Yara
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49166 -> 198.49.23.144:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.49.23.144:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.49.23.144:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.billydeluca.com/sd03/?jBZ4=bwn3WNXG1QkKkY/peZjHiiVfFEeZEuNxgxDQNfmA0NAm5QlqR0e5861NDsuhGMHW1ZdwAArQ&P0D=Abs0IXf
request GET http://www.billydeluca.com/sd03/?jBZ4=bwn3WNXG1QkKkY/peZjHiiVfFEeZEuNxgxDQNfmA0NAm5QlqR0e5861NDsuhGMHW1ZdwAArQ&P0D=Abs0IXf
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01c60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01c70000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\onzqy.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2088 called NtSetContextThread to modify thread in remote process 2160
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 3735056
registers.edi: 0
registers.eax: 4321472
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000c4
process_identifier: 2160
1 0 0
Lionic Trojan.Win32.Agent.tshg
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
FireEye Generic.mg.c2193488994db0c9
ALYac Trojan.NSISX.Spy.Gen.24
Malwarebytes Trojan.Injector
VIPRE Trojan.NSISX.Spy.Gen.24
CrowdStrike win/malicious_confidence_100% (D)
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
BitDefenderTheta Gen:NN.ZexaF.36164.fuW@aOfFC2ai
Cyren W32/Injector.BMM.gen!Eldorado
Symantec Packed.NSISPacker!g14
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ESWZ
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.24
Avast Win32:TrojanX-gen [Trj]
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
F-Secure Heuristic.HEUR/AGEN.1319135
McAfee-GW-Edition BehavesLike.Win32.Trojan.dc
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
Ikarus Trojan-Spy.FormBook
Avira HEUR/AGEN.1319135
MAX malware (ai score=80)
Gridinsoft Ransom.Win32.Sabsik.sa
Microsoft Trojan:Win32/VecStealer.LK!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Fragtor.267099
Google Detected
AhnLab-V3 Infostealer/Win.Generic.R563828
Acronis suspicious
McAfee Artemis!C2193488994D
Cylance unsafe
Rising Trojan.VecStealer!8.180E7 (TFE:5:fMtsFeBi6KP)
SentinelOne Static AI - Suspicious PE
Fortinet W32/Injector.ESWY!tr
AVG Win32:TrojanX-gen [Trj]
DeepInstinct MALICIOUS