Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 4, 2021, 9:30 a.m.	Aug. 4, 2021, 9:51 a.m.

Size	358.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`059b1244ac9fda54de086692db4b5a08`
SHA256	`abb29be2c1eccd851bdb99b126e822a8cf0f57be95e9b71a921aa703b2c285be`
CRC32	`560408C9`
ssdeep	`6144:GCeJWu3gGB7g1TaqXp/bTLwlLGX7lQtbzRuYqCRxPi4f+99:uWcgGCTaqXhKLGEvRrnm99`
PDB Path	C:\xampp\htdocs\Cryptor\0238f0732c6a40e5a54bccb37ef03c58\Loader\Project1\Release\Project1.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library Win_Trojan_Formbook_Zero - Used Formbook

bincrypted.exe "C:\Users\test22\AppData\Local\Temp\bincrypted.exe"
2972
- bincrypted.exe "C:\Users\test22\AppData\Local\Temp\bincrypted.exe"
  1896

Name	Response	Post-Analysis Lookup
www.runninghogfarm.com	A 23.108.179.100	23.108.179.100
www.gilleyaviation.com
www.atokastore.com	CNAME atokastore.com A 34.102.136.180	34.102.136.180
www.cmnkt-byem.xyz
www.macrovigilance.com	A 154.212.216.43	154.212.216.43
www.466se.com	A 198.74.106.237	198.74.106.237
www.ifn.xyz	A 104.17.92.27 CNAME connect.shopbase.com A 104.17.66.15	104.17.92.27
www.joinlashedbyjamie.com	A 74.208.236.178	74.208.236.178
www.circusocks.com	A 163.123.204.26 CNAME circusocks.com	163.123.204.26
www.nazarppe.com	CNAME www23.wixdns.net A 34.80.190.141 CNAME td-balancer-ae1-190-141.wixdns.net CNAME 47363d5c-balancer.wixdns.net CNAME balancer.wixdns.net	34.80.190.141
www.gee825.com
www.lovebodystyles.com	A 34.102.136.180 CNAME lovebodystyles.com	34.102.136.180
www.tunnurl.com	A 34.102.136.180 CNAME tunnurl.com	34.102.136.180
www.twinedinmagic.com	CNAME twined-in-magic.myshopify.com A 23.227.38.74 CNAME shops.myshopify.com	23.227.38.74
www.ejsuniqueclasses.com	A 164.68.104.58 CNAME ejsuniqueclasses.com	164.68.104.58

IP Address	Status	Action
104.17.66.15	Active	Moloch
154.212.216.43	Active	Moloch
163.123.204.26	Active	Moloch
164.124.101.2	Active	Moloch
164.68.104.58	Active	Moloch
198.74.106.237	Active	Moloch
23.108.179.100	Active	Moloch
23.227.38.74	Active	Moloch
34.102.136.180	Active	Moloch
34.80.190.141	Active	Moloch
74.208.236.178	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49208 -> 154.212.216.43:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 154.212.216.43:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 154.212.216.43:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 104.17.66.15:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 104.17.66.15:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 104.17.66.15:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 104.17.66.15:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 23.108.179.100:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 23.108.179.100:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 23.108.179.100:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 163.123.204.26:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 163.123.204.26:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 163.123.204.26:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 74.208.236.178:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 74.208.236.178:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 74.208.236.178:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 164.68.104.58:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 164.68.104.58:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 164.68.104.58:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 34.80.190.141:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 34.80.190.141:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 34.80.190.141:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 198.74.106.237:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 198.74.106.237:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 198.74.106.237:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\xampp\htdocs\Cryptor\0238f0732c6a40e5a54bccb37ef03c58\Loader\Project1\Release\Project1.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.twinedinmagic.com/ehp9/?DXFTJ=I8oiP9SoG5h48m6KhZc1JhaZpcQmSrut+JcyFmPalQS48JdChQkexhtZM/EBi3DjLJXpgbrL&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lovebodystyles.com/ehp9/?DXFTJ=fQONYJVf+drtsBymL6LN0IYUYxuzf9afeJHOCvotCVRqAxc+aKra+zVgjtRtDEfwsmLVAV7e&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.macrovigilance.com/ehp9/?DXFTJ=TrVpt/Sm2xJ9IGi4K3NwgAhB6j/uvsDHzHwNFROlzNa3rgYvh2eLdGW0sMsxruWtvTWJfmAK&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tunnurl.com/ehp9/?DXFTJ=QhkqBxVohxlqPUcu6G0chdX25ZqKuFpZq4xLpZwu6mKCp53I4Tvx5rMPt0/BXf9pPvuvFI6V&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.atokastore.com/ehp9/?DXFTJ=0LqjHGvSuyDGgeop76VF70PcmE//HpHSJ558UeTMc749V6eczRm/Pf3IqfOFmaD//tqFBTEy&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.runninghogfarm.com/ehp9/?DXFTJ=TiEJkYh9nBwlrsDRUzymswvqStp9NyNn6K1JUARvaYpBqYPnTPyRdaxdWm2SESo4LeuL0jJk&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ejsuniqueclasses.com/ehp9/?DXFTJ=8c/5QoMU/LJp2F/JqDOgvqNfypt6IHckOwRzCQjdzO4ATzLHPoPQ6gSPk/oNBgTWB7oKG4q8&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.joinlashedbyjamie.com/ehp9/?DXFTJ=+eGaCpWIeY1GeVLPRfBKIdnCFP4bn1fBUg7gUF+CiQV6Bp5ohh8tCc+mNs21JISC/amISJ9y&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.circusocks.com/ehp9/?DXFTJ=oRr9ZXzYir31EMpQ4cLVquMpSAfNXH/ZGOcaxDo65nuPHc2Zv4aHZ1gD7lNSjr7j2ZXrkkv7&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.nazarppe.com/ehp9/?DXFTJ=ForhLKJW5s3cPVf6/6Q1cyVpQBFSYL410ahzi4TIJRZgcvQolUc5UDI3pLbwinN7hftJyfKf&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ifn.xyz/ehp9/?DXFTJ=52eH09aBYPtE5DyiejMY8v2uxe7c6i3pelrpIF5DWEK+lqUjHfhnU3NPACtVlTQkZMRHjcr5&Jt7=XPv4nH2h
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.466se.com/ehp9/?DXFTJ=UsPTfcJ2cekV2xN0pFMXthX3126RUWmODdc5A73g6eF5qcZ7S3zbdbbJe1Glq8VOYp62ahzf&Jt7=XPv4nH2h

Performs some HTTP requests (23 events)

request	POST http://www.twinedinmagic.com/ehp9/
request	GET http://www.twinedinmagic.com/ehp9/?DXFTJ=I8oiP9SoG5h48m6KhZc1JhaZpcQmSrut+JcyFmPalQS48JdChQkexhtZM/EBi3DjLJXpgbrL&Jt7=XPv4nH2h
request	POST http://www.lovebodystyles.com/ehp9/
request	GET http://www.lovebodystyles.com/ehp9/?DXFTJ=fQONYJVf+drtsBymL6LN0IYUYxuzf9afeJHOCvotCVRqAxc+aKra+zVgjtRtDEfwsmLVAV7e&Jt7=XPv4nH2h
request	GET http://www.macrovigilance.com/ehp9/?DXFTJ=TrVpt/Sm2xJ9IGi4K3NwgAhB6j/uvsDHzHwNFROlzNa3rgYvh2eLdGW0sMsxruWtvTWJfmAK&Jt7=XPv4nH2h
request	POST http://www.tunnurl.com/ehp9/
request	GET http://www.tunnurl.com/ehp9/?DXFTJ=QhkqBxVohxlqPUcu6G0chdX25ZqKuFpZq4xLpZwu6mKCp53I4Tvx5rMPt0/BXf9pPvuvFI6V&Jt7=XPv4nH2h
request	POST http://www.atokastore.com/ehp9/
request	GET http://www.atokastore.com/ehp9/?DXFTJ=0LqjHGvSuyDGgeop76VF70PcmE//HpHSJ558UeTMc749V6eczRm/Pf3IqfOFmaD//tqFBTEy&Jt7=XPv4nH2h
request	POST http://www.runninghogfarm.com/ehp9/
request	GET http://www.runninghogfarm.com/ehp9/?DXFTJ=TiEJkYh9nBwlrsDRUzymswvqStp9NyNn6K1JUARvaYpBqYPnTPyRdaxdWm2SESo4LeuL0jJk&Jt7=XPv4nH2h
request	POST http://www.ejsuniqueclasses.com/ehp9/
request	GET http://www.ejsuniqueclasses.com/ehp9/?DXFTJ=8c/5QoMU/LJp2F/JqDOgvqNfypt6IHckOwRzCQjdzO4ATzLHPoPQ6gSPk/oNBgTWB7oKG4q8&Jt7=XPv4nH2h
request	POST http://www.joinlashedbyjamie.com/ehp9/
request	GET http://www.joinlashedbyjamie.com/ehp9/?DXFTJ=+eGaCpWIeY1GeVLPRfBKIdnCFP4bn1fBUg7gUF+CiQV6Bp5ohh8tCc+mNs21JISC/amISJ9y&Jt7=XPv4nH2h
request	POST http://www.circusocks.com/ehp9/
request	GET http://www.circusocks.com/ehp9/?DXFTJ=oRr9ZXzYir31EMpQ4cLVquMpSAfNXH/ZGOcaxDo65nuPHc2Zv4aHZ1gD7lNSjr7j2ZXrkkv7&Jt7=XPv4nH2h
request	POST http://www.nazarppe.com/ehp9/
request	GET http://www.nazarppe.com/ehp9/?DXFTJ=ForhLKJW5s3cPVf6/6Q1cyVpQBFSYL410ahzi4TIJRZgcvQolUc5UDI3pLbwinN7hftJyfKf&Jt7=XPv4nH2h
request	POST http://www.ifn.xyz/ehp9/
request	GET http://www.ifn.xyz/ehp9/?DXFTJ=52eH09aBYPtE5DyiejMY8v2uxe7c6i3pelrpIF5DWEK+lqUjHfhnU3NPACtVlTQkZMRHjcr5&Jt7=XPv4nH2h
request	POST http://www.466se.com/ehp9/
request	GET http://www.466se.com/ehp9/?DXFTJ=UsPTfcJ2cekV2xN0pFMXthX3126RUWmODdc5A73g6eF5qcZ7S3zbdbbJe1Glq8VOYp62ahzf&Jt7=XPv4nH2h

Sends data using the HTTP POST Method (11 events)

request	POST http://www.twinedinmagic.com/ehp9/
request	POST http://www.lovebodystyles.com/ehp9/
request	POST http://www.tunnurl.com/ehp9/
request	POST http://www.atokastore.com/ehp9/
request	POST http://www.runninghogfarm.com/ehp9/
request	POST http://www.ejsuniqueclasses.com/ehp9/
request	POST http://www.joinlashedbyjamie.com/ehp9/
request	POST http://www.circusocks.com/ehp9/
request	POST http://www.nazarppe.com/ehp9/
request	POST http://www.ifn.xyz/ehp9/
request	POST http://www.466se.com/ehp9/

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 4, 2021, 9:30 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00df4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:30 a.m.	process_identifier: 2972 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:30 a.m.	process_identifier: 2972 region_size: 217088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:30 a.m.	process_identifier: 1896 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 4, 2021, 9:30 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2972 called NtSetContextThread to modify thread in remote process 1896
NtSetContextThread Aug. 4, 2021, 9:30 a.m.	registers.eip: 2000355780 registers.esp: 1374604 registers.edi: 0 registers.eax: 4313120 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000009c process_identifier: 1896	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.101:49207

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Noon.l!c
DrWeb	Trojan.Packed2.43330
MicroWorld-eScan	Trojan.GenericKD.46727443
FireEye	Generic.mg.059b1244ac9fda54
ALYac	Generic.Cryptor.X.1735B54E
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanSpy:Win32/FormBook.46f77094
CrowdStrike	win/malicious_confidence_70% (W)
Arcabit	Generic.Cryptor.X.1735B54E
BitDefenderTheta	Gen:NN.ZexaF.34050.wyZ@aqwvwKfi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HLXQ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender	Trojan.GenericKD.46727443
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Trojan.GenericKD.46727443
Emsisoft	Generic.Cryptor.X.1735B54E (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
Sophos	Mal/Generic-S
MaxSecure	Trojan.Malware.300983.susgen
Avira	TR/Kryptik.sklls
Microsoft	Trojan:Win32/FormBook.SM!MTB
GData	Trojan.GenericKD.46727443
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.Generic.C4575975
McAfee	RDN/Generic PWS.y
MAX	malware (ai score=80)
VBA32	BScope.Backdoor.Androm
Malwarebytes	Trojan.Injector
Rising	Trojan.Kryptik!1.D84E (CLASSIC)
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Kryptik.HLWX!tr
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.4ac9fd
Panda	Trj/CI.A
Qihoo-360	Win32/Ransom.Cryptor.HwoCueAA

bincrypted.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All