Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 17, 2021, 9:52 a.m.	Aug. 17, 2021, 9:58 a.m.

Size	160.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`53d55c75030ff7d58afd45080fa00dd2`
SHA256	`0a27390d4913479f0929cd8ae68ca7f1e7f5c48139e3552677cc19a27d42a935`
CRC32	`819DA7E6`
ssdeep	`3072:yyBcst6tZJAxgC2oWNd336/Ktt0OWNXRJfUqZhEktnS1AVL+Q:yJrjloWfnMKtCOWNXRq8znSm8Q`
Yara	PE_Header_Zero - PE File Signature Win_Trojan_Formbook_Zero - Used Formbook IsPE32 - (no description)

dow-0.exe "C:\Users\test22\AppData\Local\Temp\dow-0.exe"
560
- wscript.exe "C:\Windows\SysWOW64\wscript.exe"
  1616
  - cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\dow-0.exe"
    1628

Name	Response	Post-Analysis Lookup
www.hsicclassactionsettlement.com
www.gaigoilaocai.com	A 104.21.84.71 A 172.67.187.204	172.67.187.204
www.kyg-cpa.com
www.organicdiscover.com
www.iqpt.info	A 67.199.248.12 CNAME iqpt.info A 67.199.248.13	67.199.248.13
www.recipesdunnright.com	CNAME recipesdunnright.com A 66.235.200.147	66.235.200.147
www.zwq.xyz	A 103.139.0.32	103.139.0.32
www.setadragon.com	A 209.99.40.222	209.99.40.222
www.qq4004.com
www.hk6628.com	A 34.102.136.180 CNAME hk6628.com	34.102.136.180
www.talleresmulticar.com	A 35.214.181.99 CNAME talleresmulticar.com	35.214.181.99
www.solanohomebuyerclass.com	A 198.71.232.3 CNAME solanohomebuyerclass.com	182.50.132.242
www.mimortgageexpert.com	CNAME s.website.thryv.com A 35.172.94.1 A 100.24.208.97 CNAME s.partnerwebsitedns.com	100.24.208.97
www.sctsmney.com
www.rootmoover.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74

IP Address	Status	Action
103.139.0.32	Active	Moloch
164.124.101.2	Active	Moloch
172.67.187.204	Active	Moloch
198.71.232.3	Active	Moloch
209.99.40.222	Active	Moloch
23.227.38.74	Active	Moloch
34.102.136.180	Active	Moloch
35.172.94.1	Active	Moloch
35.214.181.99	Active	Moloch
66.235.200.147	Active	Moloch
67.199.248.13	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49168 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 67.199.248.13:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 67.199.248.13:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 67.199.248.13:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 66.235.200.147:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 66.235.200.147:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 66.235.200.147:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 35.172.94.1:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 35.172.94.1:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 35.172.94.1:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 35.214.181.99:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 35.214.181.99:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 35.214.181.99:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 103.139.0.32:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 103.139.0.32:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 103.139.0.32:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 103.139.0.32:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 172.67.187.204:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 172.67.187.204:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 172.67.187.204:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 198.71.232.3:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 209.99.40.222:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 198.71.232.3:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 209.99.40.222:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 198.71.232.3:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 209.99.40.222:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.gaigoilaocai.com/wufn/?kDHl=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.hk6628.com/wufn/?kDHl=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.iqpt.info/wufn/?kDHl=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.recipesdunnright.com/wufn/?kDHl=SehEse1yNcuBWox84Asm4eELW9pHyFfqJvW7VO2nDRTT0VQDXxZnF10XUkI9sb+IBYeHWwT5&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.zwq.xyz/wufn/?kDHl=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.setadragon.com/wufn/?kDHl=p6EPLUx6SmQWyT0aKUYWey1/moK0HCihbvuUxAKosV5aIj7OYHg92cDuRvb6vmm9eY3daRqd&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.rootmoover.com/wufn/?kDHl=jUqWC+wM+s2Yehearj52syV+yALdMbb6PeN2CvBJSFCwW1HLktm3ATZosqzbiXJTH9I2JiE2&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.talleresmulticar.com/wufn/?kDHl=Zc0zQFnrMcwVTscPp4D3wnK22drhHRSNJ7F8xfTSBTL6y4OaZRoxz+uo8RGanShoJ1lpBNes&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.mimortgageexpert.com/wufn/?kDHl=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.solanohomebuyerclass.com/wufn/?kDHl=+zzRrn2LuczUop/Cd/o3ZSAnv7QTnqViuhwHS4/CIqz6rF5318dL6hgqnxmK9Gf+t0N7z3vJ&KtxD=PnCTGx9Pf

Performs some HTTP requests (10 events)

request	GET http://www.gaigoilaocai.com/wufn/?kDHl=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&KtxD=PnCTGx9Pf
request	GET http://www.hk6628.com/wufn/?kDHl=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&KtxD=PnCTGx9Pf
request	GET http://www.iqpt.info/wufn/?kDHl=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&KtxD=PnCTGx9Pf
request	GET http://www.recipesdunnright.com/wufn/?kDHl=SehEse1yNcuBWox84Asm4eELW9pHyFfqJvW7VO2nDRTT0VQDXxZnF10XUkI9sb+IBYeHWwT5&KtxD=PnCTGx9Pf
request	GET http://www.zwq.xyz/wufn/?kDHl=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&KtxD=PnCTGx9Pf
request	GET http://www.setadragon.com/wufn/?kDHl=p6EPLUx6SmQWyT0aKUYWey1/moK0HCihbvuUxAKosV5aIj7OYHg92cDuRvb6vmm9eY3daRqd&KtxD=PnCTGx9Pf
request	GET http://www.rootmoover.com/wufn/?kDHl=jUqWC+wM+s2Yehearj52syV+yALdMbb6PeN2CvBJSFCwW1HLktm3ATZosqzbiXJTH9I2JiE2&KtxD=PnCTGx9Pf
request	GET http://www.talleresmulticar.com/wufn/?kDHl=Zc0zQFnrMcwVTscPp4D3wnK22drhHRSNJ7F8xfTSBTL6y4OaZRoxz+uo8RGanShoJ1lpBNes&KtxD=PnCTGx9Pf
request	GET http://www.mimortgageexpert.com/wufn/?kDHl=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&KtxD=PnCTGx9Pf
request	GET http://www.solanohomebuyerclass.com/wufn/?kDHl=+zzRrn2LuczUop/Cd/o3ZSAnv7QTnqViuhwHS4/CIqz6rF5318dL6hgqnxmK9Gf+t0N7z3vJ&KtxD=PnCTGx9Pf

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 17, 2021, 9:52 a.m.	process_identifier: 560 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 17, 2021, 9:52 a.m.	process_identifier: 1616 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\dow-0.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 17, 2021, 9:52 a.m.	thread_identifier: 1636 thread_handle: 0x00000090 process_identifier: 1628 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /c del "C:\Users\test22\AppData\Local\Temp\dow-0.exe" filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000e8	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00027000', u'virtual_address': u'0x00001000', u'entropy': 7.317875567916584, u'name': u'.text', u'virtual_size': u'0x00026f90'}

entropy

7.31787556792

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 17, 2021, 9:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 17, 2021, 9:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/c del "C:\Users\test22\AppData\Local\Temp\dow-0.exe"

One or more non-whitelisted processes were created (1 event)

parent_process

wscript.exe

martian_process

/c del "C:\Users\test22\AppData\Local\Temp\dow-0.exe"

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen9.48175
MicroWorld-eScan	Gen:Variant.Razy.679962
McAfee	GenericRXLS-VV!53D55C75030F
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
K7GW	Trojan ( 00536d121 )
K7AntiVirus	Trojan ( 00536d121 )
Arcabit	Trojan.Razy.DA601A
BitDefenderTheta	AI:Packer.C7A57D171E
Cyren	W32/Formbook.A.gen!Eldorado
Symantec	Trojan.Formbook
ESET-NOD32	a variant of Win32/Formbook.AA
APEX	Malicious
ClamAV	Win.Malware.Formbook-9802749-0
Kaspersky	VHO:Trojan-Spy.Win32.Convagent.gen
BitDefender	Gen:Variant.Razy.679962
NANO-Antivirus	Virus.Win32.Gen.ccmw
Avast	Win32:Formbook-B [Trj]
Ad-Aware	Gen:Variant.Razy.679962
Sophos	ML/PE-A + Troj/Formbook-A
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
FireEye	Generic.mg.53d55c75030ff7d5
Emsisoft	Trojan.Formbook (A)
Ikarus	Trojan-Spy.FormBook
Avira	TR/Crypt.ZPACK.Gen
Microsoft	Trojan:Win32/Formbook!MTB
GData	Gen:Variant.Razy.679962
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.FormBook.R369478
Acronis	suspicious
VBA32	BScope.TrojanPSW.Banker
ALYac	Gen:Variant.Razy.679962
MAX	malware (ai score=82)
Malwarebytes	Spyware.FormBook
Rising	Trojan.Generic@ML.99 (RDML:1owSDJhIdG8QlPsJQPfmIA)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.AYEB!tr
AVG	Win32:Formbook-B [Trj]
Qihoo-360	HEUR/QVM20.1.503B.Malware.Gen

dow-0.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All