Summary | ZeroBOX

borilpokonta2.1.exe

NSIS Malicious Library UPX PE File OS Processor Check PE32
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 1, 2023, 5:15 p.m. Oct. 1, 2023, 5:17 p.m.
Size 348.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 ff5073e7ca0e1ec86ee0268f040af237
SHA256 8b8f90243e714bc9f2f2bdd1a70bd0f884b7915aa7d04bb456603ae82e871e8d
CRC32 F371FA3C
ssdeep 6144:GnPdudwDNA/zUz6mvUwSaLHqhcSB6xhyLWshdUDBweVyP2IjksQNFFa8/SLm:GnPdZ8U9UwS6OcKAoTUl6fksG
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xffd7f0e0
registers.esp: 4390292
registers.edi: 0
registers.eax: 1968976824
registers.ebp: 4390300
registers.edx: 4292341984
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00530000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\tjwcbu.exe
file C:\Users\test22\AppData\Local\Temp\tjwcbu.exe
file C:\Users\test22\AppData\Local\Temp\tjwcbu.exe
Process injection Process 2656 called NtSetContextThread to modify thread in remote process 2708
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 4390392
registers.edi: 0
registers.eax: 848096
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000cc
process_identifier: 2708
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
McAfee Artemis!FF5073E7CA0E
Malwarebytes Trojan.Injector
Sangfor Spyware.Win32.Injector.V3jn
K7AntiVirus Trojan ( 005abde11 )
Alibaba Trojan:Win32/Strab.940d2679
K7GW Trojan ( 005abde11 )
Cybereason malicious.ce5e06
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
BitDefenderTheta Gen:NN.ZexaF.36738.muW@aqNo5cbi
Cyren W32/Kryptik.KSY.gen!Eldorado
Symantec Trojan Horse
ESET-NOD32 a variant of Win32/Injector.ETIL
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Trojan.NSISX.Spy.Gen.24
Avast Win32:AdwareX-gen [Adw]
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
F-Secure Heuristic.HEUR/AGEN.1318984
DrWeb Trojan.Loader.1550
VIPRE Trojan.NSISX.Spy.Gen.24
TrendMicro TROJ_GEN.R002C0XIT23
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
FireEye Generic.mg.ff5073e7ca0e1ec8
Sophos Mal/Generic-S
Jiangmin Trojan.Fsysna.pez
Webroot W32.Trojan.NSISX.Spy
Avira HEUR/AGEN.1337940
MAX malware (ai score=89)
Antiy-AVL Trojan/Win32.Injector
Kingsoft malware.kb.a.971
Gridinsoft Trojan.Win32.FormBook.bot
Microsoft Trojan:Win32/FormBook.AFB!MTB
ViRobot Trojan.Win.Z.Injector.356821
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
GData Trojan.NSISX.Spy.Gen.24
Google Detected
AhnLab-V3 Win-Trojan/Gandcrab08.Exp
ALYac Gen:Variant.Fragtor.375445
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H0CIT23
Rising Trojan.Injector!8.C4 (TFE:5:qmDInMxbeCI)
Ikarus Trojan.Win32.Crypt
Fortinet W32/Injector.ESIU!tr
AVG Win32:AdwareX-gen [Adw]