Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 11, 2021, 9:53 a.m.	Oct. 11, 2021, 10:17 a.m.

Size	255.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`baf212e9711b33e14adcaef461189e40`
SHA256	`7c0ab1d837684e8d37e75578f4821e25d7729cb9d3739f397cabbb9c95f2ddae`
CRC32	`81AD546C`
ssdeep	`6144:F8LxBsYraWyTroLJvxcB2MjzGbK86mNeYjrEi1OjePBT:/NWGsLJiIOi768eY31OGBT`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer

fj.exe "C:\Users\test22\AppData\Local\Temp\fj.exe"
2232
- fj.exe "C:\Users\test22\AppData\Local\Temp\fj.exe"
  2680

Flow	SID	Signature	Category
TCP 192.168.56.101:49207 -> 209.17.116.163:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 209.17.116.163:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 209.17.116.163:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 104.195.48.226:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 104.195.48.226:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 104.195.48.226:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 11, 2021, 9:53 a.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.chevalsk.com/nk6l/?ndiHKd=EaZkIt/dsbgGmtP3z3fG5X1OrV1k+ItimY3tDs5cepHzfg8Rj7GgJx6GdJ5RhaIBRqlzCCHC&1bj=jlK0MPU0w
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.clairewashere.site/nk6l/?ndiHKd=Dos/SRlugC4+vL8SY+lT6eayun6OXC9NQ0dHCaF9xdDTN/3HMO23XGTYqHWsARQsOO5DUhg+&1bj=jlK0MPU0w

request	GET http://www.chevalsk.com/nk6l/?ndiHKd=EaZkIt/dsbgGmtP3z3fG5X1OrV1k+ItimY3tDs5cepHzfg8Rj7GgJx6GdJ5RhaIBRqlzCCHC&1bj=jlK0MPU0w
request	GET http://www.clairewashere.site/nk6l/?ndiHKd=Dos/SRlugC4+vL8SY+lT6eayun6OXC9NQ0dHCaF9xdDTN/3HMO23XGTYqHWsARQsOO5DUhg+&1bj=jlK0MPU0w

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 11, 2021, 9:53 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728d2000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 11, 2021, 9:53 a.m.	process_identifier: 2680 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

file	C:\Users\test22\AppData\Local\Temp\nsx63E4.tmp\nvmhx.dll

file	C:\Users\test22\AppData\Local\Temp\nsx63E4.tmp\nvmhx.dll

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 11, 2021, 9:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 11, 2021, 9:53 a.m.	process_identifier: 2680 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000218	1	0	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2232 called NtSetContextThread to modify thread in remote process 2680
NtSetContextThread Oct. 11, 2021, 9:53 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321520 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000214 process_identifier: 2680	1	0	0

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Cylance	Unsafe
Arcabit	Trojan.NSISX.Spy.Gen.2
Cyren	W32/Agent.DML.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.EQGK
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.NSISX.Spy.Gen.2
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.2
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.AdwareDotDo.dc
FireEye	Generic.mg.baf212e9711b33e1
Emsisoft	Trojan.NSISX.Spy.Gen.2 (B)
Webroot	W32.Adware.Gen
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Formbook!MTB
GData	Zum.Androm.1
McAfee	Artemis!BAF212E9711B
MAX	malware (ai score=85)
SentinelOne	Static AI - Malicious PE
BitDefenderTheta	Gen:NN.ZedlaF.34170.bq4@au2FuHfi

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 11, 2021, 9:53 a.m.	thread_identifier: 2208 thread_handle: 0x00000214 process_identifier: 2680 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\fj.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\fj.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\fj.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000218	1	1
NtGetContextThread Oct. 11, 2021, 9:53 a.m.	thread_handle: 0x00000214	1	0
NtAllocateVirtualMemory Oct. 11, 2021, 9:53 a.m.	process_identifier: 2680 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000218	1	0
NtSetContextThread Oct. 11, 2021, 9:53 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321520 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000214 process_identifier: 2680	1	0

fj.exe