popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

liboshed2.1.exe

NSIS UPX Malicious Library PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us June 20, 2023, 7:32 a.m. June 20, 2023, 7:38 a.m.
Size 298.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 4e13394b41e8d0cf8b1721aabdbfd719
SHA256 f31be72f929b86c056e683db26b8ec78a40f3d1156821fca58901189a8ee965e
CRC32 32415BA4
ssdeep 6144:AYa6CpByitT/b/XCuKj9/sB+9EjS6SNFKBar:AYspBPT/e59/sBKEjSnKB0
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.ltnmgt.com
www.speakerbluetooth.com
www.cqmksw.com
A 38.63.218.163
38.63.218.163
IP Address Status Action
164.124.101.2 Active Moloch
38.63.218.163 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49165 -> 38.63.218.163:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 38.63.218.163:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 38.63.218.163:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.cqmksw.com/sy18/?w2J=Zy+5j3JkY/5oFGK5gEpmELBKxN+VFSamS+lHIjSON5I8UbvG5ESo2ZHDPO/F7FQpS9xXmmGk&tFQt=YP4D1tE0
request GET http://www.cqmksw.com/sy18/?w2J=Zy+5j3JkY/5oFGK5gEpmELBKxN+VFSamS+lHIjSON5I8UbvG5ESo2ZHDPO/F7FQpS9xXmmGk&tFQt=YP4D1tE0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02de0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02e30000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2064
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsgC1D6.tmp\axzwo.dll
file C:\Users\test22\AppData\Local\Temp\nsgC1D6.tmp\axzwo.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 1460 called NtSetContextThread to modify thread in remote process 2064
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321552
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000224
process_identifier: 2064
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
MicroWorld-eScan Gen:Variant.Nemesis.22790
FireEye Generic.mg.4e13394b41e8d0cf
McAfee Artemis!4E13394B41E8
Cylance unsafe
VIPRE Gen:Variant.Nemesis.22790
Sangfor Trojan.Win32.Agent.Vhrh
Cybereason malicious.b41e8d
Arcabit Trojan.Nemesis.D5906 [many]
Cyren W32/Injector.BOF.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETBA
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Nemesis.22790
Avast FileRepMalware [Trj]
Emsisoft Gen:Variant.Nemesis.22790 (B)
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Sophos Mal/Generic-S
Webroot W32.Malware.Gen
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Zum.Androm.1
Google Detected
AhnLab-V3 Infostealer/Win.Generic.C5395778
MAX malware (ai score=82)
Malwarebytes Generic.Malware/Suspicious
Panda Trj/Chgt.AD
Rising Trojan.Avemariarat!8.11CB9 (TFE:6:M0iIpRjbqhI)
Ikarus Trojan.NSIS.Agent
Fortinet NSIS/Agent.DCAC!tr
AVG FileRepMalware [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (D)