Summary | ZeroBOX

macindas2.1.exe

NSIS UPX Malicious Library PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 26, 2023, 1:31 p.m. Nov. 26, 2023, 1:40 p.m.
Size 457.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 84682f07f2f1698e49b6a29573c5679d
SHA256 77339a584f9271a01eb8b5cc7fb4b67d7c4098dd2965edd2e1f3adac59ea519e
CRC32 555806D3
ssdeep 6144:BBlL/24RQJ0LozxdrCufm7vTY5FXc+B0f2KTSuskyRwUWWzGVPfrvx7cMAg6PofC:HMlPTDfOvsPXc+BY2KTSP4vx7c+Ru5
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49171 -> 104.21.32.135:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 104.21.32.135:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 34.149.87.45:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 172.67.154.55:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 91.195.240.19:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.salvanandcie.com/tb8i/?-ZeTi6B=UMOMUPRltOuIOavlOV9TAbzOI3NyPSxU0IiF98vYZIoJYysmNQovnALCNihIDsZ76SkBnDz1&2d=lnxh
suspicious_features GET method with no useragent header suspicious_request GET http://www.free-indeed.faith/tb8i/?-ZeTi6B=mjsfGumS0MCj+go/ckdO0h+daXKQjTCMjol4fCy+GQ9z9EIRohWOFaX9TAL/50qANRa4gnnD&2d=lnxh
suspicious_features GET method with no useragent header suspicious_request GET http://www.texwwfrx.com/tb8i/?-ZeTi6B=zluqp2Qif7Juk0jSJTDTdhTVgLgB+eVfrKJdSE4Bz8PdBwx7LJWv3E/FDzXvfZ8eIpu6oPdn&2d=lnxh
suspicious_features GET method with no useragent header suspicious_request GET http://www.tron-pk.xyz/tb8i/?-ZeTi6B=5rJxyOnP1GB0ESD4ttWy9/4jFy42toRxagw3E+bnB/pmFdmTHJRzMwLMKKbb+ploXs+4W+sP&2d=lnxh
request GET http://www.salvanandcie.com/tb8i/?-ZeTi6B=UMOMUPRltOuIOavlOV9TAbzOI3NyPSxU0IiF98vYZIoJYysmNQovnALCNihIDsZ76SkBnDz1&2d=lnxh
request GET http://www.free-indeed.faith/tb8i/?-ZeTi6B=mjsfGumS0MCj+go/ckdO0h+daXKQjTCMjol4fCy+GQ9z9EIRohWOFaX9TAL/50qANRa4gnnD&2d=lnxh
request GET http://www.texwwfrx.com/tb8i/?-ZeTi6B=zluqp2Qif7Juk0jSJTDTdhTVgLgB+eVfrKJdSE4Bz8PdBwx7LJWv3E/FDzXvfZ8eIpu6oPdn&2d=lnxh
request GET http://www.tron-pk.xyz/tb8i/?-ZeTi6B=5rJxyOnP1GB0ESD4ttWy9/4jFy42toRxagw3E+bnB/pmFdmTHJRzMwLMKKbb+ploXs+4W+sP&2d=lnxh
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2076
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00330000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00340000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2128
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b60000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\pujipqto.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2076 called NtSetContextThread to modify thread in remote process 2128
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 2291956
registers.edi: 0
registers.eax: 4321472
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000009c
process_identifier: 2128
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
DrWeb Trojan.Loader.1550
MicroWorld-eScan Trojan.GenericKD.70578826
FireEye Trojan.GenericKD.70578826
Skyhigh BehavesLike.Win32.BadFile.gc
ALYac Gen:Heur.Mint.Zard.55
Cylance unsafe
Sangfor Trojan.Win32.Agent.V7xr
K7AntiVirus Trojan ( 005ae5eb1 )
Alibaba Trojan:Win32/Strab.bd9486e6
K7GW Trojan ( 005ae5eb1 )
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZexaF.36792.GyW@aW0sFpp
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETMM
Cynet Malicious (score: 99)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.70578826
Avast Win32:MalwareX-gen [Trj]
Tencent Win32.Trojan.Strab.Pqil
Emsisoft Trojan.GenericKD.70578826 (B)
F-Secure Trojan.TR/AD.GenShell.ysgqj
VIPRE Gen:Variant.Nemesis.1955
Sophos Mal/Generic-S
Webroot W32.Malware.Gen
Avira TR/AD.GenShell.ysgqj
Antiy-AVL Trojan/Win32.Injector
Kingsoft Win32.Troj.Unknown.a
Microsoft Trojan:Win32/Guloader.SMTK!MTB
Gridinsoft Ransom.Win32.Wacatac.sa
Arcabit Trojan.Generic.D434F28A
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
GData Win32.Trojan.Agent.JR9Z8Z
Varist W32/ABRisk.TJBM-4704
AhnLab-V3 Malware/Win.Generic.C5551419
McAfee RDN/Generic.dx
MAX malware (ai score=85)
VBA32 BScope.Trojan.Strab
Malwarebytes Spyware.AgentTesla
Panda Trj/Chgt.AD
Rising Trojan.Strab!8.12D03 (TFE:5:qCpbHD75FAV)
Ikarus Trojan.MSIL.Inject
Fortinet NSIS/Agent.DCAC!tr
AVG Win32:MalwareX-gen [Trj]
DeepInstinct MALICIOUS