popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

woproz2.1.exe

NSIS UPX Malicious Library PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us July 30, 2023, 8:55 a.m. July 30, 2023, 9:08 a.m.
Size 228.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 9c2b4213a8a1a6ba0dd80dba7c012337
SHA256 95aea449af146a5df5c7af7968d773ad5b8a2ed543d6202b8213abc74b7c87b3
CRC32 AE45E883
ssdeep 6144:gYa6zVLdOSrwVv99xmFCvwqbG9562gf4Jig0:gYnd/w1jxmFDeagfqB0
Yara
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
worrynot.duckdns.org
A 85.208.139.45
85.208.139.45
IP Address Status Action
164.124.101.2 Active Moloch
85.208.139.45 Active Moloch

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
domain worrynot.duckdns.org
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02150000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02160000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004b90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nstBDFD.tmp\gyisjg.dll
file C:\Users\test22\AppData\Roaming\hmhqavf\oktpyienws.exe
file C:\Users\test22\AppData\Local\Temp\nstBDFD.tmp\gyisjg.dll
file C:\Users\test22\AppData\Roaming\hmhqavf\oktpyienws.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cxhq reg_value C:\Users\test22\AppData\Roaming\hmhqavf\oktpyienws.exe "C:\Users\test22\AppData\Local\Temp\woproz2.1.exe"
Process injection Process 516 called NtSetContextThread to modify thread in remote process 2056
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4216632
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000230
process_identifier: 2056
1 0 0
dead_host 85.208.139.45:8520
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
McAfee Artemis!9C2B4213A8A1
Malwarebytes Trojan.Injector
Sangfor Spyware.Win32.Agent.Vazw
Arcabit Trojan.NSISX.Spy.Gen.24
Cyren W32/Ninjector.JU.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ETDU
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.24
Avast Win32:PWSX-gen [Trj]
VIPRE Trojan.NSISX.Spy.Gen.24
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
FireEye Generic.mg.9c2b4213a8a1a6ba
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
Avira TR/AD.GenShell.tmifg
Microsoft Trojan:Win32/Sabsik.TE.B!ml
ViRobot Trojan.Win.Z.Spy.233619
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win32.Trojan.Agent.1BUEGY
Google Detected
AhnLab-V3 Infostealer/Win.Generic.C5395778
ALYac Trojan.NSISX.Spy.Gen.24
MAX malware (ai score=87)
Cylance unsafe
Panda Trj/Chgt.AD
Rising Trojan.Lokibot!8.F1B5 (TFE:5:lQY4QMl2gVH)
Ikarus Trojan.Win32.Injector
Fortinet NSIS/Agent.DCAC!tr
AVG Win32:PWSX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)