Summary | ZeroBOX

003737.exe

Tags: NSIS, UPX, Malicious Library, PE File, DLL, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6402
Started June 7, 2023, 10:28 a.m.
Completed June 7, 2023, 10:30 a.m.
Size 300.2KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 d93dd4200d1997c9b734bc2b1de77dc8
SHA256 12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6
CRC32 976D8CB2
ssdeep 6144:AYa6rb6wHR86N8RbEpztPAZ3IZUOGAdHwWM0g4uGFzq8Mh:AYJbFx86CBEe3Il/LpXukQh
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
107.148.132.109 Active Moloch
164.124.101.2 Active Moloch
184.154.216.162 Active Moloch
45.33.6.223 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.102:56630 -> 164.124.101.2:53 | 2026888 | ET INFO DNS Query for Suspicious .icu Domain | Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 107.148.132.109:80 | 2026887 | ET INFO HTTP POST Request to Suspicious *.icu domain | Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 107.148.132.109:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 107.148.132.109:80 | 2026887 | ET INFO HTTP POST Request to Suspicious *.icu domain | Potentially Bad Traffic
TCP 192.168.56.102:49164 -> 184.154.216.162:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 184.154.216.162:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 184.154.216.162:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 107.148.132.109:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 107.148.132.109:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 107.148.132.109:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1, return: 1, repeated: 0
section .ndata
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.brick2theatercompany.org/jaux/?RA2Ffnn=icakqaRty6vlYpraZuLZDt8iqw6TAXaANP93WqO2tXnG28cx2yzbZzs/HE+K7qwLPazhHRQPHP7+Ft+vCQAGl34EUMiC/bZO7D7RKMw=&gLB=QULU5
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.dwcmy.icu/jaux/?RA2Ffnn=dXzChEviWThMepFS/xxtUmXNQtBwn4KvgZ5ardr6ndysj8KT1gjetGIPwrBptW+hnPwvo+gRGgTDVleeJCFvAYnj9Conz55LaaEoVKU=&gLB=QULU5
request GET http://www.brick2theatercompany.org/jaux/?RA2Ffnn=icakqaRty6vlYpraZuLZDt8iqw6TAXaANP93WqO2tXnG28cx2yzbZzs/HE+K7qwLPazhHRQPHP7+Ft+vCQAGl34EUMiC/bZO7D7RKMw=&gLB=QULU5
request GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3210000.zip
request POST http://www.dwcmy.icu/jaux/
request GET http://www.dwcmy.icu/jaux/?RA2Ffnn=dXzChEviWThMepFS/xxtUmXNQtBwn4KvgZ5ardr6ndysj8KT1gjetGIPwrBptW+hnPwvo+gRGgTDVleeJCFvAYnj9Conz55LaaEoVKU=&gLB=QULU5
request POST http://www.dwcmy.icu/jaux/

NtProtectVirtualMemory

process_identifier: 3036
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e92000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 3036
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03290000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x032a0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2212
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
file C:\Users\test22\AppData\Local\Temp\nsh276B.tmp\rnthgfcoj.dll

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
status: 1, return: 1, repeated: 0
Process injection: process 3036 called NtSetContextThread to modify a thread in remote process 2212

NtSetContextThread

registers.eip: 2001207748
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199136
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000021c
process_identifier: 2212
status: 1, return: 0, repeated: 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.67401925
FireEye Generic.mg.d93dd4200d1997c9
McAfee Artemis!D93DD4200D19
Malwarebytes Malware.AI.2287091883
VIPRE Gen:Variant.Nemesis.22835
Sangfor Trojan.Win32.Agent.Vdgb
CrowdStrike win/malicious_confidence_100% (W)
K7GW Trojan ( 005a63941 )
K7AntiVirus Trojan ( 005a63941 )
Arcabit Trojan.Nemesis.D5933 [many]
Cyren W32/Injector.BNP.gen!Eldorado
Symantec Trojan Horse
ESET-NOD32 Win32/Formbook.AK
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.GenericKD.67401925
Avast Win32:PWSX-gen [Trj]
Emsisoft Trojan.GenericKD.67401925 (B)
F-Secure Trojan.TR/AD.GenShell.cgaxh
DrWeb Trojan.Siggen20.59355
TrendMicro TrojanSpy.Win32.NOON.USPAXF623
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Sophos Mal/Generic-S
Ikarus Trojan-Spy.Agent
Webroot W32.Noon.Gen
Avira TR/AD.GenShell.cgaxh
Antiy-AVL Trojan/Win32.NSISInject
Microsoft Trojan:Win32/FormBook.TG!MTB
ZoneAlarm HEUR:Trojan-Spy.Win32.Noon.gen
GData Trojan.GenericKD.67401925
Google Detected
AhnLab-V3 Trojan/Win.Bazarloader.R584928
MAX malware (ai score=89)
Panda Trj/Chgt.AD
TrendMicro-HouseCall TrojanSpy.Win32.NOON.USPAXF623
Rising Trojan.Nsisinject!8.11178 (TFE:5:8iPUQb4QmBF)
Fortinet NSIS/Agent.DCAC!tr
AVG Win32:PWSX-gen [Trj]
Cybereason malicious.00d199
DeepInstinct MALICIOUS