popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

wininit.exe

NSIS UPX Malicious Library PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us July 28, 2023, 5:21 p.m. July 28, 2023, 5:23 p.m.
Size 274.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 a0bfccb8cc68d350b02287d70507e70d
SHA256 d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab
CRC32 C14913CF
ssdeep 6144:PYa689fXW3LMiiTEqOyYKFEZWAQoAALLg6UM6KYUvjuyT2XH9PDD0:PYS9fXW+TEqdXkLg6YUrui2Xd7D0
Yara
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 91.195.240.123:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
request POST http://www.ionbet88s.top/egtq/
request GET http://www.ionbet88s.top/egtq/?aO=JpbngjiX6O9g3ygRoA4H1UbRh4cNSG6rKa2sZMHI38JPoS8sDChuKI7wn0j5oSg+PVRxv5HG+vHHa6u8dIR+bPRFSMXfcXnRdl9nJjk=&SWD__T=KKmxdR_Mh8yQsLY3
request GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3130000.zip
request POST http://www.creditworld.online/egtq/
request GET http://www.creditworld.online/egtq/?aO=461q18RMOxDnaqNJkfUvY5IkWUicQOOUykzcHkGDr0ojiLNEzcqHfSdPNleOyJBeadYyul1KhY7SHM+u3o5PCPusFJY9E0Tu3vQ30G0=&SWD__T=KKmxdR_Mh8yQsLY3
request POST http://www.venusoutfitters.com/egtq/
request GET http://www.venusoutfitters.com/egtq/?aO=AG/8kS8hRI7iSvIQVXo4bLIk8R036qZtlLK3QEpyWmEDwEtJlP4N3V8/1EyQAIIfeNFCTAf3Fb8poTCACfVw9c6yosc2Tpj7usW0+/E=&SWD__T=KKmxdR_Mh8yQsLY3
request POST http://www.fumart.info/egtq/
request GET http://www.fumart.info/egtq/?aO=fw90bLaqAcmFERwnqJAYPoE2BeWi5Uid+2aFH0/PJfU3kufJIFUcu6PL/Pz6bf1s8lPkFRRtp+LRMBkR5Fml0evqjrgFZcXS4OlyoU0=&SWD__T=KKmxdR_Mh8yQsLY3
request POST http://www.18openai.com/egtq/
request GET http://www.18openai.com/egtq/?aO=BEFxgyEhfwgGN5USHx2zrNUqAIC83z3/D0cA5Mihd1ofFN8Iz71zyO++mpZ3G1shHvRyqvcTqr8AVxBqNInK/d3Y2zubNQdlXVdEQ9s=&SWD__T=KKmxdR_Mh8yQsLY3
request POST http://www.ionbet88s.top/egtq/
request POST http://www.creditworld.online/egtq/
request POST http://www.venusoutfitters.com/egtq/
request POST http://www.fumart.info/egtq/
request POST http://www.18openai.com/egtq/
domain www.ionbet88s.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 1
stack_pivoted: 0
heap_dep_bypass: 1
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0018d000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c40000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2120
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nskC06E.tmp\wkybeb.dll
file C:\Users\test22\AppData\Local\Temp\nskC06E.tmp\wkybeb.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 1932 called NtSetContextThread to modify thread in remote process 2120
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199904
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000208
process_identifier: 2120
1 0 0
dead_host 156.235.147.223:80
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
MicroWorld-eScan Trojan.Generic.34039111
FireEye Generic.mg.a0bfccb8cc68d350
McAfee Artemis!A0BFCCB8CC68
Cylance unsafe
Sangfor Suspicious.Win32.Save.ins
Alibaba Trojan:Win32/Strab.1dadd08e
K7GW Trojan ( 005a8a8d1 )
Cybereason malicious.8cd098
Arcabit Trojan.Generic.D2076547
VirIT Trojan.Win32.GenusT.DOSJ
Cyren W32/Ninjector.JO.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETDD
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Trojan.Generic.34039111
Avast Win32:MalwareX-gen [Trj]
Sophos Mal/Generic-S
F-Secure Trojan.TR/Injector.vngok
VIPRE Trojan.Generic.34039111
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.moderate.ml.score
Emsisoft Trojan.Generic.34039111 (B)
SentinelOne Static AI - Suspicious PE
Avira TR/AD.Swotter.wzwgm
Antiy-AVL Trojan/Win32.Injector
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm HEUR:Trojan-Spy.Win32.Noon.gen
GData Trojan.Generic.34039111
Google Detected
AhnLab-V3 Trojan/Win.NSISInject.R587856
BitDefenderTheta Gen:NN.ZedlaF.36318.dq4@aOUFk7j
ALYac Gen:Variant.Zusy.477960
MAX malware (ai score=80)
Malwarebytes Trojan.Injector.NSIS
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H07GK23
Rising Trojan.Strab!8.12D03 (TFE:5:uYcalWbz3kJ)
Ikarus Trojan.Win32.Injector
Fortinet NSIS/Agent.DCAC!tr
AVG Win32:MalwareX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)