Summary | ZeroBOX

balotek2.1.exe

NSIS UPX Malicious Library PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6401 Nov. 27, 2023, 9:23 a.m. Nov. 27, 2023, 9:38 a.m.
Size 456.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 cf52e32f7257ad06e9436c2090585f55
SHA256 f727949e07d541b18cebe8cd2b7bb9d6411de4dc70da6c0d50e192443f7348f0
CRC32 E9AA8B5D
ssdeep 12288:HMQ9NbCGz1EAj3xAQId/jvIAl1nUiAbqTtzcN1GrkwX:sK0y1EAlAQE/jvI21nkstzcN1GowX
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • UPX_Zero - UPX packed file

IP Address Status Action
104.21.82.142 Active Moloch
163.44.185.180 Active Moloch
164.124.101.2 Active Moloch
208.91.197.132 Active Moloch
62.149.128.45 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49170 -> 208.91.197.132:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 163.44.185.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 104.21.82.142:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 62.149.128.45:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.office-honu.com/t2ti/?tXxh=tZ9f+xkGPYGlMQD6QUQgW7Bu5011mP3F3RfKADEubwWsw8RZnTP/abNvRo2Y4yuWOfFkav01&U48Hj=Nte0PL1048jDrzg
suspicious_features GET method with no useragent header suspicious_request GET http://www.merelweb.com/t2ti/?tXxh=BOOThCPjnUM7lSCFBnH2BimjClSgW0h7VqsAOgTwhlCUKhxaVw8OFbF4wmCxnm287AtkZOd7&U48Hj=Nte0PL1048jDrzg
suspicious_features GET method with no useragent header suspicious_request GET http://www.studio352events.com/t2ti/?tXxh=8VRVJ2RxNdqDCe39p/mzazLWBvMIpzi1TvcwnZg1FNPprXhJpJwCdr2o+lwBqF61wTFgCK1+&U48Hj=Nte0PL1048jDrzg
suspicious_features GET method with no useragent header suspicious_request GET http://www.earthdatascape.com/t2ti/?tXxh=kstlMeg9IcwzJYyFLKGxy4q3LInO5BAGxn+RlyiQLQgBmQ7dbCQPEHLv7OQh7nVjyOSdc9Py&U48Hj=Nte0PL1048jDrzg
request GET http://www.office-honu.com/t2ti/?tXxh=tZ9f+xkGPYGlMQD6QUQgW7Bu5011mP3F3RfKADEubwWsw8RZnTP/abNvRo2Y4yuWOfFkav01&U48Hj=Nte0PL1048jDrzg
request GET http://www.merelweb.com/t2ti/?tXxh=BOOThCPjnUM7lSCFBnH2BimjClSgW0h7VqsAOgTwhlCUKhxaVw8OFbF4wmCxnm287AtkZOd7&U48Hj=Nte0PL1048jDrzg
request GET http://www.studio352events.com/t2ti/?tXxh=8VRVJ2RxNdqDCe39p/mzazLWBvMIpzi1TvcwnZg1FNPprXhJpJwCdr2o+lwBqF61wTFgCK1+&U48Hj=Nte0PL1048jDrzg
request GET http://www.earthdatascape.com/t2ti/?tXxh=kstlMeg9IcwzJYyFLKGxy4q3LInO5BAGxn+RlyiQLQgBmQ7dbCQPEHLv7OQh7nVjyOSdc9Py&U48Hj=Nte0PL1048jDrzg
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73272000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00200000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00aa0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\pedchgywx.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2652 called NtSetContextThread to modify thread in remote process 2696
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 5767108
registers.edi: 0
registers.eax: 4321408
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000009c
process_identifier: 2696
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
Skyhigh BehavesLike.Win32.Trojan.gc
McAfee RDN/Generic.dx
Malwarebytes Spyware.AgentTesla
VIPRE Trojan.NSISX.Spy.Gen.24
Sangfor Trojan.Win32.Strab.Vjpm
Alibaba Trojan:Win32/Guloader.b3fb8f9b
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETMM
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Trojan.NSISX.Spy.Gen.24
Avast Win32:MalwareX-gen [Trj]
Tencent Win32.Trojan.Strab.Pcnw
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
DrWeb Trojan.Loader.1550
TrendMicro Ransom.Win32.GULOADER.USBLKQ23
FireEye Generic.mg.cf52e32f7257ad06
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Inject
Webroot W32.Trojan.NSISX.Spy
Google Detected
Avira TR/AD.GenShell.dwjyc
Varist W32/ABRisk.EGPX-0756
Kingsoft malware.kb.a.945
Microsoft Trojan:Win32/Guloader.SMTK!MTB
Gridinsoft Trojan.Win32.FormBook.tr
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
ViRobot Trojan.Win.Z.Strab.467872
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
GData Win32.Trojan.Agent.12FJA7
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Generic.C5551419
BitDefenderTheta Gen:NN.ZexaF.36792.GyW@ailve9p
ALYac Gen:Heur.Mint.Zard.55
MAX malware (ai score=83)
VBA32 BScope.Trojan.Strab
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R014C0DKQ23
Rising Trojan.Strab!8.12D03 (TFE:5:qCpbHD75FAV)
Fortinet NSIS/Agent.DCAC!tr
AVG Win32:MalwareX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)