popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

justin.exe

Formbook PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 21, 2021, 8:52 a.m. Aug. 21, 2021, 9:13 a.m.
Size 182.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6d7edf1f66a4d43e76d1e47f400f97d0
SHA256 af0e9136ff8915ef261cd9068ddb08262cf0d034c52776854169f9f75ec13227
CRC32 6AD54FF3
ssdeep 3072:KAkCv/Z8iADCn4YAkm5d8LFyLRG33MUI8k6iQxnsfFKt6n4Hx:7kFiuYJm5mLkL43lf00nnK4x
Yara
  • PE_Header_Zero - PE File Signature
  • Win_Trojan_Formbook_Zero - Used Formbook
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.bleacheater.com
www.zxyoo.com
www.sunflowerhybrid.com
CNAME sunflowerhybrid.com
A 34.98.99.30
34.98.99.30
www.danielsdonuteria.com
A 209.99.40.222
209.99.40.222
www.ujenzihypermarket.com
CNAME ujenzihypermarket.com
A 82.163.176.101
82.163.176.101
IP Address Status Action
164.124.101.2 Active Moloch
209.99.40.222 Active Moloch
34.98.99.30 Active Moloch
82.163.176.101 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49166 -> 82.163.176.101:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 82.163.176.101:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 82.163.176.101:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 209.99.40.222:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 209.99.40.222:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 209.99.40.222:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 34.98.99.30:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 34.98.99.30:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 34.98.99.30:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

suspicious_features GET method with no useragent header suspicious_request GET http://www.sunflowerhybrid.com/glgd/?alF=hT+HcWgz9FEH+jyDEtB4UKrfm+OZpFXj/c8x97815zMY4Nb3Km6/aedgRXGlirVN41Axg2GW&Qzr=LlvxwrIp0zSd
suspicious_features GET method with no useragent header suspicious_request GET http://www.danielsdonuteria.com/glgd/?alF=IpIqRkOeyywi3K8x4XdnqdH9Qx+aXhYHwHTGsqzrpTB78CdxIABDUEXezTmookMwz0BXydeD&Qzr=LlvxwrIp0zSd
suspicious_features GET method with no useragent header suspicious_request GET http://www.ujenzihypermarket.com/glgd/?alF=KhhcN9s7gbbF0deJVEzP4Fr+CUF5+jhuG5G/YStQzUimyA5hxfgIe5MXcBKjjQi+4esf+xkO&Qzr=LlvxwrIp0zSd
request GET http://www.sunflowerhybrid.com/glgd/?alF=hT+HcWgz9FEH+jyDEtB4UKrfm+OZpFXj/c8x97815zMY4Nb3Km6/aedgRXGlirVN41Axg2GW&Qzr=LlvxwrIp0zSd
request GET http://www.danielsdonuteria.com/glgd/?alF=IpIqRkOeyywi3K8x4XdnqdH9Qx+aXhYHwHTGsqzrpTB78CdxIABDUEXezTmookMwz0BXydeD&Qzr=LlvxwrIp0zSd
request GET http://www.ujenzihypermarket.com/glgd/?alF=KhhcN9s7gbbF0deJVEzP4Fr+CUF5+jhuG5G/YStQzUimyA5hxfgIe5MXcBKjjQi+4esf+xkO&Qzr=LlvxwrIp0zSd
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1648
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00af0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0002c600', u'virtual_address': u'0x00001000', u'entropy': 7.400925512786747, u'name': u'.text', u'virtual_size': u'0x0002c434'} entropy 7.40092551279 description A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Bkav W32.AIDetect.malware1
Lionic Trojan.Win32.Noon.l!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.679962
ALYac Gen:Variant.Razy.679962
Cylance Unsafe
K7AntiVirus Trojan ( 00536d121 )
Alibaba Trojan:Win32/Formbook.92feda80
K7GW Trojan ( 00536d121 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Razy.DA601A
Cyren W32/Formbook.A.gen!Eldorado
Symantec Trojan.Formbook
ESET-NOD32 a variant of Win32/Formbook.AA
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Formbook-7399661-0
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Razy.679962
NANO-Antivirus Virus.Win32.Gen.ccmw
Avast Win32:Formbook-B [Trj]
Tencent Win32.Trojan.Razy.Wrhe
Ad-Aware Gen:Variant.Razy.679962
Sophos ML/PE-A + Troj/Formbook-A
DrWeb Trojan.Siggen9.48175
McAfee-GW-Edition BehavesLike.Win32.VirRansom.cc
FireEye Generic.mg.6d7edf1f66a4d43e
Emsisoft Trojan.Formbook (A)
Ikarus Trojan-Spy.FormBook
Avira TR/Crypt.ZPACK.Gen
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Formbook!MTB
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Gen:Variant.Razy.679962
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Formbook.C4173787
Acronis suspicious
McAfee GenericRXCD-ZZ!6D7EDF1F66A4
MAX malware (ai score=84)
VBA32 BScope.TrojanPSW.Banker
Malwarebytes Malware.AI.1449483265
Rising Stealer.Formbook!1.C470 (CLASSIC)
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_97%
Fortinet W32/Generic.AP.F9B00!tr
BitDefenderTheta AI:Packer.D09B17711E
AVG Win32:Formbook-B [Trj]
Cybereason malicious.f66a4d
MaxSecure Trojan.Malware.300983.susgen