popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

lzoCW4lLiTNeo.exe

Formbook NSIS UPX Malicious Library PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 20, 2023, 7:35 a.m. July 20, 2023, 7:38 a.m.
Size 256.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 bacd8202f058ddcc5fddf57f8fce99d8
SHA256 4b6eb1fa81423abeb496eafc4d4d7c768e3c571294d7030c7a52935068166e1b
CRC32 96F4281A
ssdeep 6144:vYa6IDRFsZTfFSRGOPTWtUuuPjhnttVP8E/vYKc8i4Y5NYe:vYeDATfsTuShnVPhYKxHe
Yara
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.1xboro7.click
A 104.21.47.7
A 172.67.169.171
104.21.47.7
www.mtproductions.xyz
CNAME mtproductions.xyz
A 103.138.151.78
103.138.151.78
www.getflooringservices.today
A 172.67.183.64
A 104.21.48.94
172.67.183.64
www.ezkiosystem.com
A 170.130.208.37
170.130.208.37
www.trwc.online
A 162.0.238.217
162.0.238.217
IP Address Status Action
103.138.151.78 Active Moloch
104.21.47.7 Active Moloch
104.21.48.94 Active Moloch
162.0.238.217 Active Moloch
164.124.101.2 Active Moloch
170.130.208.37 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49169 -> 103.138.151.78:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.trwc.online/k2l0/?v2Jx4=TY0eLS25TbGWIPoAvIBkbiGMyWIlUL+junlCch65rY0chgQMasfhvMnMRaLp/GGSn7X9xMH4&jJBP_F=PPJHa6cP0fV4ANB0
suspicious_features GET method with no useragent header suspicious_request GET http://www.ezkiosystem.com/k2l0/?v2Jx4=xqYImV8HKxPdTcT8y9GMwftV4Cj/nHOqtw0ItIHCgt3zlewQWki2gcTtgHbczwBAu8VEYRGB&jJBP_F=PPJHa6cP0fV4ANB0
suspicious_features GET method with no useragent header suspicious_request GET http://www.1xboro7.click/k2l0/?v2Jx4=gdIo5mM9lXBdi558t2eJ3ed4IEH2JjF3YUJjs/DuOxOlHAWx6kMfp5pai83Dg+nwI9+C5pp6&jJBP_F=PPJHa6cP0fV4ANB0
suspicious_features GET method with no useragent header suspicious_request GET http://www.mtproductions.xyz/k2l0/?v2Jx4=o2du+VOpfCxxrHF0jTeQdwEN/Nb3oP3iwGp0y37hEj8zJFJ0k0b8cpmxFrA37JuCeHQ21Z1q&jJBP_F=PPJHa6cP0fV4ANB0
suspicious_features GET method with no useragent header suspicious_request GET http://www.getflooringservices.today/k2l0/?v2Jx4=FvRqhx5F0gpoyzkzEA/2xbKvy1jG9ib4vK3RJ9Rey27fu6ve9bbhEuDygjhGMwuuWgCzAHD/&jJBP_F=PPJHa6cP0fV4ANB0
request GET http://www.trwc.online/k2l0/?v2Jx4=TY0eLS25TbGWIPoAvIBkbiGMyWIlUL+junlCch65rY0chgQMasfhvMnMRaLp/GGSn7X9xMH4&jJBP_F=PPJHa6cP0fV4ANB0
request GET http://www.ezkiosystem.com/k2l0/?v2Jx4=xqYImV8HKxPdTcT8y9GMwftV4Cj/nHOqtw0ItIHCgt3zlewQWki2gcTtgHbczwBAu8VEYRGB&jJBP_F=PPJHa6cP0fV4ANB0
request GET http://www.1xboro7.click/k2l0/?v2Jx4=gdIo5mM9lXBdi558t2eJ3ed4IEH2JjF3YUJjs/DuOxOlHAWx6kMfp5pai83Dg+nwI9+C5pp6&jJBP_F=PPJHa6cP0fV4ANB0
request GET http://www.mtproductions.xyz/k2l0/?v2Jx4=o2du+VOpfCxxrHF0jTeQdwEN/Nb3oP3iwGp0y37hEj8zJFJ0k0b8cpmxFrA37JuCeHQ21Z1q&jJBP_F=PPJHa6cP0fV4ANB0
request GET http://www.getflooringservices.today/k2l0/?v2Jx4=FvRqhx5F0gpoyzkzEA/2xbKvy1jG9ib4vK3RJ9Rey27fu6ve9bbhEuDygjhGMwuuWgCzAHD/&jJBP_F=PPJHa6cP0fV4ANB0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7393b000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f30000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2668
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nssF176.tmp\btsbjnjm.dll
file C:\Users\test22\AppData\Local\Temp\nssF176.tmp\btsbjnjm.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2564 called NtSetContextThread to modify thread in remote process 2668
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321488
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000218
process_identifier: 2668
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
FireEye Generic.mg.bacd8202f058ddcc
McAfee Artemis!BACD8202F058
Sangfor Trojan.Win32.Agent.V059
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
BitDefenderTheta Gen:NN.ZedlaF.36318.du4@aifJYkdi
Cyren W32/Injector.BOI.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ETDA
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.24
Avast FileRepMalware [Trj]
Sophos Mal/Generic-S
F-Secure Trojan.TR/AD.Swotter.hxuhr
VIPRE Trojan.NSISX.Spy.Gen.24
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.moderate.ml.score
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
Ikarus Trojan.Win32.Injector
Webroot W32.Trojan.NSISX.Spy
Avira TR/AD.Swotter.hxuhr
Gridinsoft Trojan.Win32.FormBook.bot
Microsoft Trojan:Win32/Strab.GNG!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win32.Trojan.Agent.YC5W7E
Google Detected
AhnLab-V3 Infostealer/Win.Generic.R563828
MAX malware (ai score=83)
Cylance unsafe
Panda Trj/Chgt.AD
Rising Trojan.Injector!1.E835 (CLASSIC)
SentinelOne Static AI - Suspicious PE
Fortinet NSIS/Agent.DCAC!tr
AVG FileRepMalware [Trj]
Cybereason malicious.2f058d
DeepInstinct MALICIOUS