popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

macbomard2.1.exe

NSIS UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 12, 2023, 7:42 a.m. Oct. 12, 2023, 7:49 a.m.
Size 332.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 7f4be9fcb7371a4a4c98462602a33639
SHA256 7475dc716905ee9a57aa78bdb02c71c1d22d93c67326ac2eedb0b72ca82207b0
CRC32 334C2FFB
ssdeep 6144:6XFKo5kfRpRMZl+qmHg+CNZEibarfXGqDcEHFM6uOv6:6XojRMiN9DGqDcYM0S
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.new-minerals.com
A 103.146.179.167
CNAME cname.xg167.lhxh.cn
103.146.179.167
www.abstractcertify.com
www.ocoala.com
A 76.223.54.146
A 13.248.169.48
13.248.169.48
www.aspiredstudio.com
CNAME aspiredstudio.com
A 199.36.158.100
199.36.158.100
www.tugerdi.site
A 93.89.226.17
CNAME tugerdi.site
93.89.226.17
IP Address Status Action
103.146.179.167 Active Moloch
164.124.101.2 Active Moloch
199.36.158.100 Active Moloch
76.223.54.146 Active Moloch
93.89.226.17 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49166 -> 76.223.54.146:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 199.36.158.100:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 103.146.179.167:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 93.89.226.17:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.ocoala.com/t6tg/?Tj=Bo69CXQCSq8YAZlSXsSXSHHhzBc0NkTLrUDc3+XWv9vtXAWnC5Ex0xTxf+gUzISZTYrGWz37&RX=dn98bVV8c4CP
suspicious_features GET method with no useragent header suspicious_request GET http://www.aspiredstudio.com/t6tg/?Tj=2Be6iIgSXmfB1nqJxUfd7To44XQGyUfcHTuBHOXScd6rc4VNel4uavXkn/Sr1IDzPZX3+Zir&RX=dn98bVV8c4CP
suspicious_features GET method with no useragent header suspicious_request GET http://www.new-minerals.com/t6tg/?Tj=KAteo39jXhYLV1ChmFznVIk+hBqN4AymFECkKH2GQakbZ7TdByL07ntBP05Gab5nXO3C3vF7&RX=dn98bVV8c4CP
request GET http://www.ocoala.com/t6tg/?Tj=Bo69CXQCSq8YAZlSXsSXSHHhzBc0NkTLrUDc3+XWv9vtXAWnC5Ex0xTxf+gUzISZTYrGWz37&RX=dn98bVV8c4CP
request GET http://www.aspiredstudio.com/t6tg/?Tj=2Be6iIgSXmfB1nqJxUfd7To44XQGyUfcHTuBHOXScd6rc4VNel4uavXkn/Sr1IDzPZX3+Zir&RX=dn98bVV8c4CP
request GET http://www.new-minerals.com/t6tg/?Tj=KAteo39jXhYLV1ChmFznVIk+hBqN4AymFECkKH2GQakbZ7TdByL07ntBP05Gab5nXO3C3vF7&RX=dn98bVV8c4CP
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2192
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\ynyasozukh.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2120 called NtSetContextThread to modify thread in remote process 2192
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321408
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000cc
process_identifier: 2192
1 0 0
Lionic Trojan.Win32.Remcos.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
Skyhigh BehavesLike.Win32.Generic.fc
McAfee Artemis!7F4BE9FCB737
Malwarebytes Generic.Malware/Suspicious
VIPRE Trojan.NSISX.Spy.Gen.24
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ETJG
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:Trojan.Win32.Strab.ddb
BitDefender Trojan.NSISX.Spy.Gen.24
Avast Win32:Evo-gen [Trj]
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
FireEye Generic.mg.7f4be9fcb7371a4a
Sophos Mal/Generic-S
Ikarus Trojan.NSIS.Agent
Varist W32/Trojan.DNGJ-4663
MAX malware (ai score=85)
Kingsoft malware.kb.a.905
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/Znyonm
ZoneAlarm UDS:Trojan.Win32.Strab.gen
GData Trojan.NSISX.Spy.Gen.24
Google Detected
VBA32 BScope.Trojan.Injector
ALYac Gen:Variant.Fragtor.386231
Cylance unsafe
Panda Trj/Chgt.AD
Rising Trojan.Generic@AI.98 (RDML:KiTIC8lmrni13eTvjLC7Zg)
BitDefenderTheta Gen:NN.ZexaF.36738.kmW@aKHPk3b
AVG Win32:Evo-gen [Trj]
Cybereason malicious.5a81e7
DeepInstinct MALICIOUS