Summary | ZeroBOX

r.exe

Formbook PE32 PE File
Category FILE
Machine s1_win7_x6403_us
Started Aug. 23, 2021, 7:06 p.m.
Completed Aug. 23, 2021, 7:08 p.m.
Size 164.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 305c02b6842f5b81a6fa7a2aab07b00e
SHA256 47fda47985cd25b0810445d6e35b3007d3e56c8015ce7d000f850ba1c333ffa7
CRC32 58642711
ssdeep 3072:6icBig6z0HHDfM4ocAF4mf4gjDKOO9HQ13WOwz4z412s7lw:6iFKLNoco5ggjeOO9w13XLz412s7O
Yara
  • PE_Header_Zero - PE File Signature
  • Win_Trojan_Formbook_Zero - Used Formbook
  • IsPE32 - (no description)

Suricata Alerts


Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory
process_identifier: 2472
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

section: .text (virtual_address 0x00001000, virtual_size 0x00027020, size_of_data 0x00027200, entropy 7.309624019099236)
entropy: 7.3096240191
description: A section with a high entropy has been found

entropy: 1.0
description: Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
Status: 1  Return: 1  Repeated: 0
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.679962
ALYac Gen:Variant.Razy.679962
Malwarebytes Spyware.FormBook
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 00536d121 )
K7GW Trojan ( 00536d121 )
CrowdStrike win/malicious_confidence_100% (D)
Arcabit Trojan.Razy.DA601A
Cyren W32/Formbook.A.gen!Eldorado
Symantec Trojan.Formbook
ESET-NOD32 a variant of Win32/Formbook.AA
APEX Malicious
ClamAV Win.Malware.Formbook-9802749-0
Kaspersky VHO:Trojan-Spy.Win32.Noon.gen
BitDefender Gen:Variant.Razy.679962
NANO-Antivirus Virus.Win32.Gen.ccmw
Avast Win32:Formbook-B [Trj]
Rising Trojan.Generic@ML.99 (RDML:YBy/xeCJFy2NbGuVE+e7Bw)
Ad-Aware Gen:Variant.Razy.679962
Sophos ML/PE-A + Troj/Formbook-A
DrWeb Trojan.Siggen9.48175
McAfee-GW-Edition BehavesLike.Win32.VirRansom.cc
FireEye Generic.mg.305c02b6842f5b81
Emsisoft Trojan.Formbook (A)
Ikarus Trojan-Spy.FormBook
Avira TR/Crypt.XPACK.Gen2
Microsoft Trojan:Win32/Formbook!MTB
GData Gen:Variant.Razy.679962
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.FormBook.R431880
Acronis suspicious
McAfee GenericRXLS-VV!305C02B6842F
MAX malware (ai score=81)
VBA32 BScope.TrojanPSW.Banker
Cylance Unsafe
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/GenKryptik.AYEB!tr
BitDefenderTheta Gen:NN.ZexaF.34088.keX@aWMnjMe
AVG Win32:Formbook-B [Trj]