Summary | ZeroBOX

bin---0.exe

Formbook PE32 PE File
Category FILE
Machine s1_win7_x6401
Started May 24, 2021, 6:08 p.m.
Completed May 24, 2021, 6:21 p.m.
Size 160.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 9191f2c11d448ac2baa34768d210f3a7
SHA256 8d27c368e6431f796a96389ac517d654ca3de20a6b9047095a47691532c7cf11
CRC32 44414692
ssdeep 3072:qnB3Iv1lKekDI1xqMoAjrE6j30kSxSObtCxv4kLay2CG5ETpA:qx3DmLoAvRz0kSkObtCxv4kLDG5wpA
Yara
  • Win_Trojan_Formbook_Zero - Used Formbook
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49215 -> 23.227.38.74:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 192.0.78.24:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 185.224.137.223:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 23.227.38.74:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 192.0.78.24:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 23.227.38.74:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 185.224.137.223:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 192.0.78.24:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 185.224.137.223:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 198.54.126.105:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 185.111.89.170:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 198.54.126.105:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 185.111.89.170:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 198.54.126.105:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 185.111.89.170:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 104.21.15.16:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 104.21.15.16:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 163.44.239.73:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 104.21.15.16:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 163.44.239.73:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 163.44.239.73:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 209.99.40.222:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 209.99.40.222:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 209.99.40.222:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 142.111.47.2:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 142.111.47.2:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 142.111.47.2:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

suspicious_features GET method with no useragent header
suspicious_request GET http://www.untylservice.com/p2io/?8pz8KT3x=L8zxg9SOaofWzoyPv00N4yNSfvs8vmV6MzKbpPLG03vcM8SdHJJ++2zBKn8m8TZ8Pf8jLpz7&CR=CFQH8Xe
suspicious_features GET method with no useragent header
suspicious_request GET http://www.alfenas.info/p2io/?8pz8KT3x=qSqSgno9cBloRqN5VLtR5zfvl4qKeuO7jrdOV5f2r4ZX0X85kelskx3YtL4YRmLXGzhxb6Nv&CR=CFQH8Xe
suspicious_features GET method with no useragent header
suspicious_request GET http://www.liminaltechnology.com/p2io/?8pz8KT3x=PfX6gvL1n2k6iJTsm2w17tv0qq3FBu3hWsZA38xYtqeUN4691F0nKiAgOKyjpkHMBi57ZW6+&CR=CFQH8Xe
suspicious_features GET method with no useragent header
suspicious_request GET http://www.vectoroutlines.com/p2io/?8pz8KT3x=RfOK6jKjejKyxd8Ge5LTyAppaXreGCTFIzs53vHZyU46XfbA28pKG3jMmZvEd1BBCDsLyI+Y&CR=CFQH8Xe
suspicious_features GET method with no useragent header
suspicious_request GET http://www.micheldrake.com/p2io/?8pz8KT3x=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw&CR=CFQH8Xe
suspicious_features GET method with no useragent header
suspicious_request GET http://www.yunlimall.com/p2io/?8pz8KT3x=FG8u3oFYMEksByvCNClu9ACxgqrSnZ6gPOMyaYsdv+YEYVVrg2Qkx51ZmTmiwfcSVwhsWZbW&CR=CFQH8Xe
suspicious_features GET method with no useragent header
suspicious_request GET http://www.myfavbutik.com/p2io/?8pz8KT3x=dKp6rERBK113SD0GvHZ5ksFEU2G9ncFkpMVxqDe1xbP28bbT8N8SqFHc7ZWN2qvn1fWpyoOF&CR=CFQH8Xe
suspicious_features GET method with no useragent header
suspicious_request GET http://www.essentiallyourscandles.com/p2io/?8pz8KT3x=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&CR=CFQH8Xe
suspicious_features GET method with no useragent header
suspicious_request GET http://www.adultpeace.com/p2io/?8pz8KT3x=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&CR=CFQH8Xe
suspicious_features GET method with no useragent header
suspicious_request GET http://www.leonardocarrillo.com/p2io/?8pz8KT3x=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&CR=CFQH8Xe
request POST http://www.untylservice.com/p2io/
request GET http://www.untylservice.com/p2io/?8pz8KT3x=L8zxg9SOaofWzoyPv00N4yNSfvs8vmV6MzKbpPLG03vcM8SdHJJ++2zBKn8m8TZ8Pf8jLpz7&CR=CFQH8Xe
request POST http://www.alfenas.info/p2io/
request GET http://www.alfenas.info/p2io/?8pz8KT3x=qSqSgno9cBloRqN5VLtR5zfvl4qKeuO7jrdOV5f2r4ZX0X85kelskx3YtL4YRmLXGzhxb6Nv&CR=CFQH8Xe
request POST http://www.liminaltechnology.com/p2io/
request GET http://www.liminaltechnology.com/p2io/?8pz8KT3x=PfX6gvL1n2k6iJTsm2w17tv0qq3FBu3hWsZA38xYtqeUN4691F0nKiAgOKyjpkHMBi57ZW6+&CR=CFQH8Xe
request POST http://www.vectoroutlines.com/p2io/
request GET http://www.vectoroutlines.com/p2io/?8pz8KT3x=RfOK6jKjejKyxd8Ge5LTyAppaXreGCTFIzs53vHZyU46XfbA28pKG3jMmZvEd1BBCDsLyI+Y&CR=CFQH8Xe
request POST http://www.micheldrake.com/p2io/
request GET http://www.micheldrake.com/p2io/?8pz8KT3x=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw&CR=CFQH8Xe
request POST http://www.yunlimall.com/p2io/
request GET http://www.yunlimall.com/p2io/?8pz8KT3x=FG8u3oFYMEksByvCNClu9ACxgqrSnZ6gPOMyaYsdv+YEYVVrg2Qkx51ZmTmiwfcSVwhsWZbW&CR=CFQH8Xe
request POST http://www.myfavbutik.com/p2io/
request GET http://www.myfavbutik.com/p2io/?8pz8KT3x=dKp6rERBK113SD0GvHZ5ksFEU2G9ncFkpMVxqDe1xbP28bbT8N8SqFHc7ZWN2qvn1fWpyoOF&CR=CFQH8Xe
request POST http://www.essentiallyourscandles.com/p2io/
request GET http://www.essentiallyourscandles.com/p2io/?8pz8KT3x=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&CR=CFQH8Xe
request POST http://www.adultpeace.com/p2io/
request GET http://www.adultpeace.com/p2io/?8pz8KT3x=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&CR=CFQH8Xe
request POST http://www.leonardocarrillo.com/p2io/
request GET http://www.leonardocarrillo.com/p2io/?8pz8KT3x=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&CR=CFQH8Xe
request POST http://www.untylservice.com/p2io/
request POST http://www.alfenas.info/p2io/
request POST http://www.liminaltechnology.com/p2io/
request POST http://www.vectoroutlines.com/p2io/
request POST http://www.micheldrake.com/p2io/
request POST http://www.yunlimall.com/p2io/
request POST http://www.myfavbutik.com/p2io/
request POST http://www.essentiallyourscandles.com/p2io/
request POST http://www.adultpeace.com/p2io/
request POST http://www.leonardocarrillo.com/p2io/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status 1 | Return 0 | Repeated 0
section name .text, virtual_address 0x00001000, virtual_size 0x00026fa0, size_of_data 0x00027000, entropy 7.318477367615169
description A section with a high entropy has been found
entropy 1.0
description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status 1 | Return 1 | Repeated 0
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
ClamAV Win.Malware.Formbook-9802749-0
FireEye Generic.mg.9191f2c11d448ac2
McAfee GenericRXLS-VV!9191F2C11D44
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 00536d121 )
K7GW Trojan ( 00536d121 )
Cybereason malicious.11d448
Cyren W32/Formbook.A.gen!Eldorado
Symantec Trojan.Formbook
ESET-NOD32 a variant of Win32/Formbook.AA
APEX Malicious
Avast Win32:Formbook-B [Trj]
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Razy.679962
NANO-Antivirus Virus.Win32.Gen.ccmw
Paloalto generic.ml
MicroWorld-eScan Gen:Variant.Razy.679962
Ad-Aware Gen:Variant.Razy.679962
Emsisoft Trojan.Formbook (A)
DrWeb Trojan.Siggen9.48175
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Sophos ML/PE-A + Troj/Formbook-A
Ikarus Trojan-Spy.FormBook
Avira TR/Crypt.ZPACK.Gen
Microsoft Trojan:Win32/Formbook!MTB
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Gen:Variant.Razy.679962
AhnLab-V3 Malware/Win32.Generic.R369478
Acronis suspicious
BitDefenderTheta AI:Packer.5A66CC2C1E
ALYac Gen:Variant.Razy.679962
MAX malware (ai score=80)
VBA32 BScope.TrojanPSW.Banker
Malwarebytes Spyware.FormBook
Rising Stealer.Fareit!8.170 (TFE:dGZlOgKB3kMUFgoSCw)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/GenKryptik.AYEB!tr
AVG Win32:Formbook-B [Trj]
CrowdStrike win/malicious_confidence_100% (W)