Summary | ZeroBOX

lzoCW4lLiTNeo.exe

Formbook NSIS UPX Malicious Library PE File DLL OS Processor Check PE32
Category: FILE
Machine: s1_win7_x6401
Started: July 20, 2023, 7:35 a.m.
Completed: July 20, 2023, 7:38 a.m.
Size 256.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 bacd8202f058ddcc5fddf57f8fce99d8
SHA256 4b6eb1fa81423abeb496eafc4d4d7c768e3c571294d7030c7a52935068166e1b
CRC32 96F4281A
ssdeep 6144:vYa6IDRFsZTfFSRGOPTWtUuuPjhnttVP8E/vYKc8i4Y5NYe:vYeDATfsTuShnVPhYKxHe
Yara
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
103.138.151.78 Active Moloch
104.21.47.7 Active Moloch
104.21.48.94 Active Moloch
162.0.238.217 Active Moloch
164.124.101.2 Active Moloch
170.130.208.37 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49169 -> 103.138.151.78:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
status: 1, return: 1, repeated: 0
section .ndata
suspicious_features: GET method with no useragent header; suspicious_request: GET http://www.trwc.online/k2l0/?v2Jx4=TY0eLS25TbGWIPoAvIBkbiGMyWIlUL+junlCch65rY0chgQMasfhvMnMRaLp/GGSn7X9xMH4&jJBP_F=PPJHa6cP0fV4ANB0
suspicious_features: GET method with no useragent header; suspicious_request: GET http://www.ezkiosystem.com/k2l0/?v2Jx4=xqYImV8HKxPdTcT8y9GMwftV4Cj/nHOqtw0ItIHCgt3zlewQWki2gcTtgHbczwBAu8VEYRGB&jJBP_F=PPJHa6cP0fV4ANB0
suspicious_features: GET method with no useragent header; suspicious_request: GET http://www.1xboro7.click/k2l0/?v2Jx4=gdIo5mM9lXBdi558t2eJ3ed4IEH2JjF3YUJjs/DuOxOlHAWx6kMfp5pai83Dg+nwI9+C5pp6&jJBP_F=PPJHa6cP0fV4ANB0
suspicious_features: GET method with no useragent header; suspicious_request: GET http://www.mtproductions.xyz/k2l0/?v2Jx4=o2du+VOpfCxxrHF0jTeQdwEN/Nb3oP3iwGp0y37hEj8zJFJ0k0b8cpmxFrA37JuCeHQ21Z1q&jJBP_F=PPJHa6cP0fV4ANB0
suspicious_features: GET method with no useragent header; suspicious_request: GET http://www.getflooringservices.today/k2l0/?v2Jx4=FvRqhx5F0gpoyzkzEA/2xbKvy1jG9ib4vK3RJ9Rey27fu6ve9bbhEuDygjhGMwuuWgCzAHD/&jJBP_F=PPJHa6cP0fV4ANB0
NtProtectVirtualMemory
process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d62000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory
process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7393b000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory
process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f30000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory
process_identifier: 2668
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
file C:\Users\test22\AppData\Local\Temp\nssF176.tmp\btsbjnjm.dll
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
status: 1, return: 1, repeated: 0
Process injection: Process 2564 called NtSetContextThread to modify thread in remote process 2668

NtSetContextThread
registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321488
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000218
process_identifier: 2668
status: 1, return: 0, repeated: 0
Antivirus Detection

Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
FireEye Generic.mg.bacd8202f058ddcc
McAfee Artemis!BACD8202F058
Sangfor Trojan.Win32.Agent.V059
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
BitDefenderTheta Gen:NN.ZedlaF.36318.du4@aifJYkdi
Cyren W32/Injector.BOI.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ETDA
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.24
Avast FileRepMalware [Trj]
Sophos Mal/Generic-S
F-Secure Trojan.TR/AD.Swotter.hxuhr
VIPRE Trojan.NSISX.Spy.Gen.24
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.moderate.ml.score
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
Ikarus Trojan.Win32.Injector
Webroot W32.Trojan.NSISX.Spy
Avira TR/AD.Swotter.hxuhr
Gridinsoft Trojan.Win32.FormBook.bot
Microsoft Trojan:Win32/Strab.GNG!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win32.Trojan.Agent.YC5W7E
Google Detected
AhnLab-V3 Infostealer/Win.Generic.R563828
MAX malware (ai score=83)
Cylance unsafe
Panda Trj/Chgt.AD
Rising Trojan.Injector!1.E835 (CLASSIC)
SentinelOne Static AI - Suspicious PE
Fortinet NSIS/Agent.DCAC!tr
AVG FileRepMalware [Trj]
Cybereason malicious.2f058d
DeepInstinct MALICIOUS