Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 29, 2021, 9:52 a.m.	July 29, 2021, 10 a.m.

Size	402.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a584c1efdc2d5911278ab43d1fc671af`
SHA256	`8c988a622b822f0fc226b928ab317dc7a6130b395f74a3e39c3443b275c93771`
CRC32	`0C38D7ED`
ssdeep	`6144:3I9XKqGvBcQqh3SB5o4AOnBplAIeqnG/sLYGKYWRkynp9x:3QvGvOk5Ky0T6G4YGKrHLx`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2076
- svchost.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2152

Name	Response	Post-Analysis Lookup
www.lotusinplay247.com	A 3.108.71.249 CNAME lotusinplay247.com	3.108.71.249
www.hybrid-sol.com	CNAME hybrid-sol.com A 95.216.102.241	95.216.102.241
www.q99f.com	CNAME epoxttc4kk.bigbackbone.com A 134.122.133.171 CNAME epoxttc4kk.hellomyai.com CNAME tyc-99f51.com.txwlcdn09.com	134.122.133.171
www.fortmyerscruisevacation.com	CNAME fortmyerscruisevacation.com A 34.102.136.180	34.102.136.180

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 95.216.102.241:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49163 -> 95.216.102.241:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49163 -> 95.216.102.241:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 134.122.133.171:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 134.122.133.171:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 134.122.133.171:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

section

.gfids

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.hybrid-sol.com/dd2v/?5jrDZDS=QU76MMVDaEalz7inlspnMh66/1hVeZvVrtBx8jpddEDRMVGqwAVNDg/Yi8GXR76xKGaxYqiQ&kxl0db=LhH8
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.fortmyerscruisevacation.com/dd2v/?5jrDZDS=nhj7AeJneWpfdej/qaMWIItsPR9NP5l0GvNSoiv+0Olc+IAL+00AVB05K12uB4NevRRrPgK/&kxl0db=LhH8
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.q99f.com/dd2v/?5jrDZDS=zjDRxF5X1wZRPIzYbdlYAg34k3BLnyx0cmez+iV0Xc8ymW4mETi0Mumbu1nv3zHBsM04IXAc&kxl0db=LhH8

request	GET http://www.hybrid-sol.com/dd2v/?5jrDZDS=QU76MMVDaEalz7inlspnMh66/1hVeZvVrtBx8jpddEDRMVGqwAVNDg/Yi8GXR76xKGaxYqiQ&kxl0db=LhH8
request	GET http://www.fortmyerscruisevacation.com/dd2v/?5jrDZDS=nhj7AeJneWpfdej/qaMWIItsPR9NP5l0GvNSoiv+0Olc+IAL+00AVB05K12uB4NevRRrPgK/&kxl0db=LhH8
request	GET http://www.q99f.com/dd2v/?5jrDZDS=zjDRxF5X1wZRPIzYbdlYAg34k3BLnyx0cmez+iV0Xc8ymW4mETi0Mumbu1nv3zHBsM04IXAc&kxl0db=LhH8

Time & API	Arguments	Status
NtProtectVirtualMemory July 29, 2021, 9:52 a.m.	process_identifier: 2076 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0018f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2021, 9:52 a.m.	process_identifier: 2076 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2021, 9:52 a.m.	process_identifier: 2076 region_size: 221184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2021, 9:52 a.m.	process_identifier: 2152 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 29, 2021, 9:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 29, 2021, 9:52 a.m.	thread_identifier: 2156 thread_handle: 0x00000078 process_identifier: 2152 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe" filepath_r: C:\Windows\System32\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000007c	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2076 called NtSetContextThread to modify thread in remote process 2152
NtSetContextThread July 29, 2021, 9:52 a.m.	registers.eip: 1997996484 registers.esp: 1047180 registers.edi: 0 registers.eax: 4320368 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000078 process_identifier: 2152	1	0	0

dead_host

3.108.71.249:80

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46700343
FireEye	Generic.mg.a584c1efdc2d5911
McAfee	Artemis!A584C1EFDC2D
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (W)
Alibaba	Trojan:Win32/runner.ali1000123
Cyren	W32/GameHack.AG.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FIBP
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.46700343
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Trojan.GenericKD.46700343
DrWeb	Trojan.Inject4.14771
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Sophos	Mal/Generic-S
eGambit	Unsafe.AI_Score_99%
Avira	HEUR/AGEN.1139979
MAX	malware (ai score=99)
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Tnega.RV!MTB
GData	Win32.Trojan-Stealer.FormBook.DNEOHJ
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZexaF.34050.zuZ@aWZsVdde
VBA32	BScope.Trojan-Dropper.Injector
Malwarebytes	MachineLearning/Anomalous.100%
Rising	Trojan.Generic@ML.88 (RDML:NDYJWqSCQMsgdF2nPeOFug)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.FIBB
AVG	Win32:MalwareX-gen [Trj]
Qihoo-360	Win32/TrojanSpy.Noon.HgIASZQA

vbc.exe