Windows Analysis Report
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207 (renamed file extension from 17207 to exe)
Analysis ID: 626424
MD5: 14848f52302c15e27b26fee5fada11c1
SHA1: 04d62d915bd1a81c4b5ed35df6edb953107398c8
SHA256: 4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b
Tags: exe

Detection

FormBook
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.beamaster.info/p0ip/"], "decoy": ["webberkerr.com", "lelezhuanshu.xyz", "weedformellc.com", "ikzoekeenbedrijfsruimte.com", "swahlove.com", "dubaidesertsafari.travel", "atozmedicalimages.com", "uniytriox.com", "clickyourcat.com", "shandun-safety.com", "pakmart.center", "roxxiesixx.com", "twistedtaqueriachicago.com", "studynursingaustralia.online", "wellnesstestinggroup.com", "justusebias.com", "yqvzs.com", "co1l7o8vy.com", "lightning.legal", "cardamagescanner.com", "megawatchinc.com", "sadebademli.com", "bcoky.com", "unleashingyou-lifecoaching.com", "epsubtitles.online", "susanpetersonrealty.com", "gdderui.com", "claris-studio.cloud", "cryptomnis.com", "1ens.domains", "localbusinessassets.com", "et9n7e4vf.com", "quoteypants.com", "bokepremaja18.biz", "xiangqinmao.com", "lilot-pland45.site", "exilings.com", "nft-id.net", "sport-outdoorpacks.com", "plnykosik.online", "cidesadelcentro.com", "stunning-black.xyz", "zoeyunker.com", "videogamesgroup.com", "autodnstest.com", "bookworms.store", "69817269.com", "one-session22-lp.com", "modelofindia.com", "kennnyshands.com", "otopenishop.net", "freegameswithoutdownload.online", "alaskanwave.net", "tjkt8.com", "abv.wiki", "protoncarsale.com", "zhipurc.com", "psicologamoderna.com", "hidinginplainsight.digital", "cuamini-trankien.xyz", "yustunning.com", "apeironpay.xyz", "allowdrops.xyz", "allyouneedstore.xyz"]}
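Worked example, added here and not part of the sandbox report: a short Python script that parses an extractor line of the form shown above into defanged indicators, keeps the single C2 entry apart from the decoy list, and classifies a host seen in proxy or DNS telemetry against both. It assumes the C2 entry is reached over plain HTTP (the config stores host and path without a scheme) and embeds only the C2 entry plus a subset of the 64 decoy domains as constructed input; the function names are the example's own.

```python
import json
from urllib.parse import urlsplit

# Constructed input for this example: the report's "Malware Configuration
# Extractor" line, with the C2 entry and a subset of the 64 decoy domains.
EXTRACTOR_LINE = (
    'FormBook {"C2 list": ["www.beamaster.info/p0ip/"], '
    '"decoy": ["webberkerr.com", "lelezhuanshu.xyz", "weedformellc.com", '
    '"dubaidesertsafari.travel", "lightning.legal", "1ens.domains"]}'
)


def parse_extractor_line(line: str):
    """Split 'Family {json}' into the family name and the parsed config."""
    family, _, payload = line.partition(" ")
    return family, json.loads(payload)


def to_url(entry: str, scheme: str = "http") -> str:
    """The config stores C2 entries as host/path without a scheme.
    Assumption: plain HTTP, which is what the sample would POST to."""
    if "://" in entry:
        return entry
    return f"{scheme}://{entry}"


def defang(indicator: str) -> str:
    """Make an indicator safe to paste into tickets and chat."""
    return (indicator.replace("http://", "hxxp://")
                     .replace("https://", "hxxps://")
                     .replace(".", "[.]"))


def build_iocs(line: str) -> dict:
    family, cfg = parse_extractor_line(line)
    c2_urls = [to_url(e) for e in cfg.get("C2 list", [])]
    c2_hosts = {urlsplit(u).hostname for u in c2_urls}
    # Decoy domains are contacted by the sample only to bury the real C2 in
    # noise; keep them apart so they are not promoted to confirmed C2.
    decoys = sorted(set(cfg.get("decoy", [])) - c2_hosts)
    return {
        "family": family,
        "c2_urls": c2_urls,
        "c2_hosts": sorted(c2_hosts),
        "decoy_domains": decoys,
    }


def classify_host(host: str, iocs: dict) -> str:
    """Triage a host observed in proxy/DNS telemetry against the config."""
    h = host.lower().rstrip(".")
    if h in iocs["c2_hosts"]:
        return "c2"
    if h in iocs["decoy_domains"]:
        return "decoy"
    return "unknown"


def render(iocs: dict) -> str:
    lines = [f"{iocs['family']} C2 (high confidence):"]
    lines += [f"  {defang(u)}" for u in iocs["c2_urls"]]
    lines.append("decoy domains (contacted by the sample, low confidence):")
    lines += [f"  {defang(d)}" for d in iocs["decoy_domains"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_iocs(EXTRACTOR_LINE)))
```

FormBook does send requests to its decoy domains, so they will appear in network telemetry next to the real C2; blocking the whole list blindly turns the decoys into noisy, low-value indicators, which is why the example keeps the two tiers separate.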
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Virustotal: Detection: 41%
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe ReversingLabs: Detection: 34%
Source: Yara match File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe ReversingLabs: Detection: 24%
Source: 1.2.miylwnpd.exe.2cb0000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
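Worked example, added here and not part of the sandbox report: the two "Static PE information" lines above list header flags, and read together they say something the flag names alone do not. The Python below decodes the names back into the IMAGE_FILE_HEADER Characteristics and IMAGE_OPTIONAL_HEADER DllCharacteristics words using the PE/COFF bit values, then derives the mitigation picture a triager cares about. The report lines are embedded as constructed input and the function names are the example's own.

```python
# Bit values from the PE/COFF specification: IMAGE_FILE_HEADER.Characteristics
# and IMAGE_OPTIONAL_HEADER.DllCharacteristics.
FILE_CHARACTERISTICS = {
    "RELOCS_STRIPPED": 0x0001,
    "EXECUTABLE_IMAGE": 0x0002,
    "LINE_NUMS_STRIPPED": 0x0004,
    "LOCAL_SYMS_STRIPPED": 0x0008,
    "LARGE_ADDRESS_AWARE": 0x0020,
    "32BIT_MACHINE": 0x0100,
    "DEBUG_STRIPPED": 0x0200,
    "DLL": 0x2000,
}
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,
    "NO_ISOLATION": 0x0200,
    "NO_SEH": 0x0400,
    "NO_BIND": 0x0800,
    "APPCONTAINER": 0x1000,
    "GUARD_CF": 0x4000,
    "TERMINAL_SERVER_AWARE": 0x8000,
}

# Constructed input: the two "Static PE information" lines from the report.
REPORT_LINES = [
    "Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, "
    "LINE_NUMS_STRIPPED, RELOCS_STRIPPED",
    "Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT",
]


def parse_flag_names(line: str) -> set:
    _, _, rest = line.partition("Static PE information:")
    return {tok.strip() for tok in rest.split(",") if tok.strip()}


def encode(names, table: dict) -> int:
    """Fold flag names back into the header word; unknown names are an error."""
    unknown = set(names) - set(table)
    if unknown:
        raise ValueError(f"unknown flags: {sorted(unknown)}")
    value = 0
    for name in names:
        value |= table[name]
    return value


def decode(value: int, table: dict) -> list:
    return sorted(name for name, bit in table.items() if value & bit)


def assess(file_flags: int, dll_flags: int) -> dict:
    """Turn raw header bits into the mitigation picture a triager cares about."""
    aslr_requested = bool(dll_flags & DLL_CHARACTERISTICS["DYNAMIC_BASE"])
    relocs_stripped = bool(file_flags & FILE_CHARACTERISTICS["RELOCS_STRIPPED"])
    notes = []
    if aslr_requested and relocs_stripped:
        # Without a relocation table the loader cannot rebase the image, so
        # DYNAMIC_BASE buys nothing for the image itself.
        notes.append("DYNAMIC_BASE is set but the relocation table is stripped: "
                     "the image is mapped at its preferred base and image ASLR "
                     "is not effective")
    return {
        "is_32bit": bool(file_flags & FILE_CHARACTERISTICS["32BIT_MACHINE"]),
        "aslr_requested": aslr_requested,
        "aslr_effective": aslr_requested and not relocs_stripped,
        "dep": bool(dll_flags & DLL_CHARACTERISTICS["NX_COMPAT"]),
        "seh_disabled": bool(dll_flags & DLL_CHARACTERISTICS["NO_SEH"]),
        "notes": notes,
    }


def assess_report(lines) -> tuple:
    names = set().union(*(parse_flag_names(line) for line in lines))
    file_flags = encode(names & set(FILE_CHARACTERISTICS), FILE_CHARACTERISTICS)
    dll_flags = encode(names & set(DLL_CHARACTERISTICS), DLL_CHARACTERISTICS)
    return file_flags, dll_flags, assess(file_flags, dll_flags)


if __name__ == "__main__":
    f, d, verdict = assess_report(REPORT_LINES)
    print(f"Characteristics=0x{f:04X} {decode(f, FILE_CHARACTERISTICS)}")
    print(f"DllCharacteristics=0x{d:04X} {decode(d, DLL_CHARACTERISTICS)}")
    print(verdict)
```

The point worth noticing for this sample is the combination of DYNAMIC_BASE with RELOCS_STRIPPED: an image without a relocation table cannot be rebased, so it lands at its preferred base regardless of the ASLR flag (stack and heap randomisation are unaffected). That pairing is typical of NSIS stubs and is useful as a packer fingerprint, not just as a mitigation note.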
Source: Binary string: C:\sltck\alpfsb\pnlp\5a4eb681595f48a7816b70c325f39788\dfkzie\sffldbix\Release\sffldbix.pdb source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe, 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmp, miylwnpd.exe, 00000001.00000000.230322990.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, miylwnpd.exe, 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, miylwnpd.exe, 00000002.00000000.232221642.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, nsaF211.tmp.0.dr, miylwnpd.exe.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking

Source: Malware configuration extractor URLs: www.beamaster.info/p0ip/
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F

E-Banking Fraud

Source: Yara match File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E1890 1_2_002E1890
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E9C12 1_2_002E9C12
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E96A0 1_2_002E96A0
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E7E88 1_2_002E7E88
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002EC3BD 1_2_002EC3BD
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002EA184 1_2_002EA184
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002EB3F1 1_2_002EB3F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
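Worked example, added here and not part of the sandbox report: the process-creation lines above show the pattern a detection engineer would want to alert on, a Desktop executable spawning a freshly dropped binary in the user's Temp directory, which then re-executes itself with an extensionless sibling file from the same directory as its only argument. The Python below runs two such rules over constructed process-creation events modelled on that tree. The pids, the event field names and the explorer.exe parent of the first process are assumptions (the report lists that parent as "unknown"); the rule and function names are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the report's process tree.
# Pids and the explorer.exe parent of the first process are assumptions.
EVENTS = [
    {"pid": 100,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe",
     "cmdline": r'"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe"'},
    {"pid": 200,
     "parent_image": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\miylwnpd.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl"},
    {"pid": 300,
     "parent_image": r"C:\Users\user\AppData\Local\Temp\miylwnpd.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\miylwnpd.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl"},
]


def split_cmdline(cmd: str) -> list:
    """Minimal Windows command-line tokenizer: double-quoted runs or bare words."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def _parts(path: str) -> list:
    return [p.lower() for p in PureWindowsPath(path).parts]


def under_user_temp(path: str) -> bool:
    """True for anything below ...\AppData\Local\Temp\ ."""
    parts = _parts(path)
    return any(tuple(parts[i:i + 3]) == ("appdata", "local", "temp")
               for i in range(len(parts) - 2))


def in_user_drop_zone(path: str) -> bool:
    """True for files directly under a user's Desktop or Downloads folder."""
    parts = _parts(path)
    return len(parts) >= 5 and parts[1] == "users" and parts[3] in ("desktop", "downloads")


def evaluate(ev: dict) -> list:
    hits = []
    image, parent = ev["image"], ev["parent_image"]
    # Rule 1: a user-delivered executable starts a binary it just wrote to Temp.
    if under_user_temp(image) and in_user_drop_zone(parent):
        hits.append("temp_exec_spawned_from_user_drop_zone")
    # Rule 2: a Temp binary re-launches itself with an extensionless file from
    # its own directory as an argument (the loader/payload split seen above).
    if under_user_temp(image) and image.lower() == parent.lower():
        img_dir = PureWindowsPath(image).parent
        for arg in split_cmdline(ev["cmdline"])[1:]:
            ap = PureWindowsPath(arg)
            if ap.suffix == "" and ap.parent == img_dir:
                hits.append("self_respawn_with_sibling_data_file")
                break
    return hits


def scan(events) -> dict:
    """Map pid -> triggered rules, omitting events that triggered nothing."""
    return {ev["pid"]: hits for ev in events if (hits := evaluate(ev))}


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits)
```

Rule 1 on its own fires on plenty of legitimate installers, which also unpack into Temp; the second rule is the more specific one, and in this tree the same child process trips it immediately after the first, so correlating the two on the parent/child chain keeps the alert precise.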
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Command line argument: ^F. 1_2_002E45B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe File created: C:\Users\user\AppData\Local\Temp\nsaF210.tmp
Source: classification engine Classification label: mal84.troj.winEXE@5/4@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404ABB
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E2445 push ecx; ret 1_2_002E2458
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe File created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E1890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_002E1890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E7A95 IsDebuggerPresent, 1_2_002E7A95
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_002E558A
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E86ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_002E86ED
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E439B SetUnhandledExceptionFilter, 1_2_002E439B
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_002E43CC
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E3283 cpuid 1_2_002E3283
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe Code function: 1_2_002E3EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_002E3EC8

Stealing of Sensitive Information

Source: Yara match File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos