Summary | ZeroBOX

hak.exe

Formbook PE32 PE File
Category FILE
Machine s1_win7_x6402
Started Sept. 28, 2021, 3:55 p.m.
Completed Sept. 28, 2021, 4:14 p.m.
Size 163.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3b710cc2fd2ed7c2c71e88b128cb1297
SHA256 0c22acaa973cbb781aea92dc1fb5a8c7cc1fd2abd403f2a6b9703f8f1e1c8657
CRC32 4566D7E9
ssdeep 3072:QspeY2fikqwsoKMDwDNBit6hFEYtLXq4lyQaZ:QRnz27MDkXit6hFEQq4lyQ0
Yara
  • PE_Header_Zero - PE File Signature
  • Win_Trojan_Formbook_Zero - Used Formbook
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49164 -> 104.16.14.194:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 104.16.14.194:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 104.16.14.194:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 182.50.132.242:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 182.50.132.242:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 182.50.132.242:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 199.59.242.153:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 199.59.242.153:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 199.59.242.153:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 104.21.51.3:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 104.21.51.3:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 104.21.51.3:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 154.205.217.133:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 154.205.217.133:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 154.205.217.133:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 52.58.78.16:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 52.58.78.16:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 52.58.78.16:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 87.236.16.91:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 87.236.16.91:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 87.236.16.91:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 198.54.117.210:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 198.54.117.210:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 198.54.117.210:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 198.54.117.210:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.102:49170 -> 103.224.182.210:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 103.224.182.210:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 103.224.182.210:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 52.20.84.62:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 52.20.84.62:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 52.20.84.62:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 192.0.78.24:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 192.0.78.24:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 192.0.78.24:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

suspicious_features GET method with no useragent header
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1052
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00860000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
section .text (virtual_address 0x00001000, virtual_size 0x00027b7c, size_of_data 0x00027c00), entropy 7.328005143193911, description: A section with a high entropy has been found
entropy 1.0, description: Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status 1 Return 1 Repeated 0
Bkav W32.AIDetect.malware1
Lionic Trojan.Multi.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.679962
McAfee GenericRXLS-VV!3B710CC2FD2E
Cylance Unsafe
K7AntiVirus Trojan ( 00536d121 )
K7GW Trojan ( 00536d121 )
Cybereason malicious.2fd2ed
Arcabit Trojan.Razy.DA601A
BitDefenderTheta AI:Packer.F58C5BA21E
Cyren W32/Formbook.A.gen!Eldorado
Symantec Trojan.Formbook
ESET-NOD32 a variant of Win32/Formbook.AA
Paloalto generic.ml
ClamAV Win.Malware.Formbook-9802749-0
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Razy.679962
NANO-Antivirus Virus.Win32.Gen.ccmw
Avast Win32:Formbook-B [Trj]
Ad-Aware Gen:Variant.Razy.679962
Emsisoft Trojan.Formbook (A)
DrWeb Trojan.Siggen9.48175
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
FireEye Generic.mg.3b710cc2fd2ed7c2
Sophos ML/PE-A + Troj/Formbook-A
APEX Malicious
Avira TR/Crypt.ZPACK.Gen
MAX malware (ai score=85)
Microsoft Trojan:Win32/Formbook!MTB
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Gen:Variant.Razy.679962
Cynet Malicious (score: 100)
Acronis suspicious
VBA32 BScope.TrojanPSW.Banker
ALYac Gen:Variant.Razy.679962
Malwarebytes Spyware.FormBook
Ikarus Trojan-Spy.FormBook
Rising Trojan.Generic@ML.100 (RDML:mAbFVIx0MKNPsSp0/0mlww)
SentinelOne Static AI - Malicious PE
Fortinet W32/GenKryptik.AYEB!tr
AVG Win32:Formbook-B [Trj]
CrowdStrike win/malicious_confidence_90% (W)