Summary | ZeroBOX

slot Charges.exe

PE32 PE File DLL
Category FILE
Machine s1_win7_x6401
Started May 12, 2021, 10:09 a.m.
Completed May 12, 2021, 10:11 a.m.
Size 205.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 5830b69895c4f5b70d2f5c94cd718fa6
SHA256 735d11c1fa476083846e9e622af57a902ff20be1a1bbce7d8ec9f7f4179d1bb3
CRC32 931AB34B
ssdeep 6144:L9X0GglZvjfTwLvgHg+U7elvRPfCNJx56:l0VlhOvgYelvRCNJxk
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49212 -> 104.21.12.135:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 104.21.12.135:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 104.21.12.135:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 87.236.16.223:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 87.236.16.223:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 87.236.16.223:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 52.58.78.16:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 52.58.78.16:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 52.58.78.16:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.75.52.202:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.75.52.202:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.75.52.202:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

API GlobalMemoryStatusEx
Status 1
Return 1
Repeated 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.rafbar.com/u8nw/?ArR=GTZNlL4srifKV7o+w2siTAOBcwC+lUBY5oxqGvkubCu3nseBJgD5e0+L6/JLHdvG2vg5MIvg&I6A=4hLpNJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.ultimatepoolwater.com/u8nw/?ArR=5pV3Y3LQlTAHcxwnvg+J5bdrE68HsxNUtav1EpPN7ScspS4D4Pk/4j83n4j7zgJV+i3d5aNd&I6A=4hLpNJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.customessayjojo.com/u8nw/?ArR=VD0G0CGdCcqSJGj9F5ozBooVoq7ayOcemun/I6O/ytbQ1s6HP9Wd06MBA5a//0vZR3htC47K&I6A=4hLpNJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.lifehakershagirl.online/u8nw/?ArR=EXiYcxo4bbCmOiu8jraNZMcl9Xa41Px+Bk+bYaDVKnF62kAJD39G59r42R29jKW5593tei3D&I6A=4hLpNJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.bloodtypealpha.com/u8nw/?ArR=yoc8xqwT44MyZdAyBAA1pFVBjk8JhV1KxJr6rO/M4XaWItqc4FsSwgggqnIeqmBydcMzsW89&I6A=4hLpNJ
request POST http://www.rafbar.com/u8nw/
request GET http://www.rafbar.com/u8nw/?ArR=GTZNlL4srifKV7o+w2siTAOBcwC+lUBY5oxqGvkubCu3nseBJgD5e0+L6/JLHdvG2vg5MIvg&I6A=4hLpNJ
request POST http://www.ultimatepoolwater.com/u8nw/
request GET http://www.ultimatepoolwater.com/u8nw/?ArR=5pV3Y3LQlTAHcxwnvg+J5bdrE68HsxNUtav1EpPN7ScspS4D4Pk/4j83n4j7zgJV+i3d5aNd&I6A=4hLpNJ
request POST http://www.customessayjojo.com/u8nw/
request GET http://www.customessayjojo.com/u8nw/?ArR=VD0G0CGdCcqSJGj9F5ozBooVoq7ayOcemun/I6O/ytbQ1s6HP9Wd06MBA5a//0vZR3htC47K&I6A=4hLpNJ
request POST http://www.lifehakershagirl.online/u8nw/
request GET http://www.lifehakershagirl.online/u8nw/?ArR=EXiYcxo4bbCmOiu8jraNZMcl9Xa41Px+Bk+bYaDVKnF62kAJD39G59r42R29jKW5593tei3D&I6A=4hLpNJ
request POST http://www.bloodtypealpha.com/u8nw/
request GET http://www.bloodtypealpha.com/u8nw/?ArR=yoc8xqwT44MyZdAyBAA1pFVBjk8JhV1KxJr6rO/M4XaWItqc4FsSwgggqnIeqmBydcMzsW89&I6A=4hLpNJ
request POST http://www.rafbar.com/u8nw/
request POST http://www.ultimatepoolwater.com/u8nw/
request POST http://www.customessayjojo.com/u8nw/
request POST http://www.lifehakershagirl.online/u8nw/
request POST http://www.bloodtypealpha.com/u8nw/
API NtProtectVirtualMemory
process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728d2000
process_handle: 0xffffffff
Status 1
Return 0
Repeated 0

API NtAllocateVirtualMemory
process_identifier: 1016
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02810000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status 1
Return 0
Repeated 0

API NtAllocateVirtualMemory
process_identifier: 1160
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00910000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status 1
Return 0
Repeated 0
file C:\Users\test22\AppData\Local\Temp\nsv651C.tmp\2r8212a51w7v2sg.dll
file C:\Users\test22\AppData\Local\Temp\nsv651C.tmp\2r8212a51w7v2sg.dll
API LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
Status 1
Return 1
Repeated 0
Process injection: Process 1016 called NtSetContextThread to modify thread in remote process 1160

API NtSetContextThread
registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4313280
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000021c
process_identifier: 1160
Status 1
Return 0
Repeated 0
dead_host 160.122.148.221:80
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Siggen13.25995
MicroWorld-eScan Gen:Variant.Androm.29
FireEye Generic.mg.5830b69895c4f5b7
McAfee Artemis!5830B69895C4
Cylance Unsafe
Sangfor Trojan.Win32.Noon.gen
Alibaba TrojanSpy:Win32/Gryphon.1988d806
Cybereason malicious.40d632
Cyren W32/Injector.AHU.gen!Eldorado
Symantec Packed.Generic.604
ESET-NOD32 Win32/Formbook.AA
APEX Malicious
Avast Win32:RATX-gen [Trj]
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Gen:Variant.Androm.29
Paloalto generic.ml
Rising Trojan.Injector!8.C4 (CLOUD)
Emsisoft Gen:Variant.Androm.29 (B)
Comodo TrojWare.Win32.Agent.fqmds@0
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Vopak.dc
Sophos Mal/Generic-S + Troj/Formbo-AEN
SentinelOne Static AI - Malicious PE
Webroot W32.Trojan.SpyNoon
Avira TR/AD.Swotter.kwfap
MAX malware (ai score=80)
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Spynoon.VAM!MTB
GData Win32.Trojan-Stealer.FormBook.U4IM2P
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Generic.C4467379
ALYac Spyware.Noon.gen
TrendMicro-HouseCall TROJ_GEN.F0D1C00EB21
Ikarus Trojan.Win32.Injector
Fortinet W32/Androm.29!tr
AVG Win32:RATX-gen [Trj]
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_90% (W)