Summary | ZeroBOX

loader1.exe

Tags: UPX, Malicious Library, PE File, DLL, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6401
Started: Nov. 13, 2021, 1 p.m.
Completed: Nov. 13, 2021, 1:22 p.m.
Size: 295.0KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 18208aa1787da8cb3bfe2289a4a4a423
SHA256: 8fd4cb7b07bdb7b57f310832aa93c1974ccfec2edd53b5a165bdac986eb49504
CRC32: 47786594
ssdeep: 6144:rGixFQ2RhvycwxRHvVdZA+qgbn7B9/kwhINrGYmDiwJGeNM9PUIuTJUQ:l3v6eObn7BZINr+DifeNwYJUQ
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 104.21.75.49:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 104.21.75.49:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 104.21.75.49:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 103.56.98.73:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 103.56.98.73:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 103.56.98.73:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 104.18.27.58:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 104.18.27.58:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 104.18.27.58:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 185.210.145.38:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 185.210.145.38:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 185.210.145.38:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 34.98.99.30:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 34.98.99.30:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 34.98.99.30:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 143.95.1.174:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 143.95.1.174:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 188.166.46.127:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 143.95.1.174:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 188.166.46.127:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 188.166.46.127:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 52.37.245.235:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 52.37.245.235:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 52.37.245.235:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 209.99.40.222:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 209.99.40.222:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 209.99.40.222:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 88.214.207.96:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 88.214.207.96:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 88.214.207.96:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 88.214.207.96:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 34.251.91.168:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 34.251.91.168:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 34.251.91.168:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 35.213.169.61:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 35.213.169.61:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 35.213.169.61:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

Status: 1, Return: 1, Repeated: 0
section: .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.garageair.agency/ga6b/?DVEl=d08S4xcN/NMsorWpXwRlyCCH66HZh3etKhFBY5TZ8MkBXXhOwsqcJfUvANfm4lRK3xvcJJRx&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.5559913.win/ga6b/?DVEl=BsLI4B+bmIypp6VG9i1mvBr3FbP6MnOeaOpeEVRsQMY9+2loXlkdnmFwfncWgaUkhHBh2x3h&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.necesryaou.com/ga6b/?DVEl=Z3o6N93v6CU4m7XtA/lbT1e4xE/jsIueflbFRezDyVtxMYEukOv94ScBegi/ZpW+oVO0nzHV&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.egyptian-museum.com/ga6b/?DVEl=CYKd0A9ffzzmh+HMixfnmJt+Ibe3PgwQT1IowcrJSMkSzDwRXwABXy8G05QumwrEDOfj2gVO&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.onlinewritingjobs.net/ga6b/?DVEl=PI3t5I/vLPjLEXSAiMassyghn8jG+EohIXjBFkJ1Bgr3IKLvgafQ0xYRNHrG7F5KwDP0G4jF&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.tangerineinit.com/ga6b/?DVEl=CgQkCL4kNOXVaMWaW+W+7tG2VuScNWe1RIrYKb/ikW2Nwi/NJBz1hnm9GQ2J2lMDdzGUFZgw&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.digitaldreamcloud.net/ga6b/?DVEl=5WGPHl4VPD01j8M9M+tOINDYD63xyRqqO/w0s3LW3P/Qu5xC80vS+vfuMtj60mCVXiqL9STg&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.baohiemtv24h.com/ga6b/?DVEl=6dQVu8UHcZgaj0y03GzvAhfNwH0MHXa5ZY8rhbUdbCaY8PlbGz89x08imuD5bjryCUUXVHy+&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.ara7z.com/ga6b/?DVEl=f8p3ixvuysstkVkbxkSLsyQ08m5iiUSHUSQ+dEucd72/naUGjvA4vd8t8r7qlazlF5SpiXNT&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.nobodybutgod.com/ga6b/?DVEl=BS+Mkr60hnaz2VUqn6F4jElENEwbATWztr1txOlCDy4YTJ8rldrX7GuvTHEqc04l9LT0WVoV&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.corvusexpeditii.xyz/ga6b/?DVEl=7T8vebYEf2GnHvqeOh/0TgFFgNzfckxTcBNzZeSGzjlNLlbJ9NDPNSTqSdLNqh5j9wLWy4Dd&1bO8Ax=pFNTGZ90snzLa4C0
suspicious_features GET method with no useragent header suspicious_request GET http://www.smartgadgetscompare.com/ga6b/?DVEl=vDaGXYd6gjLCQTqwOPGPy5LvomfttahAahHE85Q1VhlijdJF30llx7sZQyFNH9wmHXEWSldG&1bO8Ax=pFNTGZ90snzLa4C0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a12000
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory

process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74326000
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0
file C:\Users\test22\AppData\Local\Temp\nsfDF54.tmp\xnuko.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status: 1, Return: 1, Repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001f8
Status: 1, Return: 0, Repeated: 0
Process injection: Process 2780 called NtSetContextThread to modify thread in remote process 2888
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2003108292
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f4
process_identifier: 2888
Status: 1, Return: 0, Repeated: 0
dead_host: 165.32.109.217:80
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2892
thread_handle: 0x000001f4
process_identifier: 2888
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\loader1.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\loader1.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\loader1.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000001f8
Status: 1, Return: 1, Repeated: 0

NtGetContextThread

thread_handle: 0x000001f4
Status: 1, Return: 0, Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001f8
Status: 1, Return: 0, Repeated: 0

NtSetContextThread

registers.eip: 2003108292
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f4
process_identifier: 2888
Status: 1, Return: 0, Repeated: 0

Antivirus Result

MicroWorld-eScan Trojan.GenericKD.38008516
FireEye Trojan.GenericKD.38008516
McAfee Artemis!18208AA1787D
Cylance Unsafe
Alibaba Backdoor:Win32/Remcos.8fffc4c2
K7GW Trojan ( 0058a4701 )
Cybereason malicious.1787da
Cyren W32/Injector.APR.gen!Eldorado
Symantec Packed.Generic.606
ESET-NOD32 a variant of Win32/Injector.EQNK
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
BitDefender Trojan.GenericKD.38008516
Avast Win32:InjectorX-gen [Trj]
Tencent Win32.Backdoor.Remcos.Dwtc
Ad-Aware Trojan.GenericKD.38008516
Sophos Mal/Generic-S
Comodo fls.noname@0
DrWeb Trojan.Siggen15.40274
McAfee-GW-Edition BehavesLike.Win32.Dropper.dc
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
SentinelOne Static AI - Suspicious PE
GData Win32.Trojan.PSE.1V3MF1E
Kingsoft Win32.Hack.Undef.(kcloud)
ViRobot Trojan.Win32.Z.Injector.302070
Microsoft Trojan:Win32/Formbook!MTB
ALYac Trojan.GenericKD.38008516
MAX malware (ai score=100)
TrendMicro-HouseCall TROJ_GEN.R002H0CKC21
Ikarus Win32.Outbreak
Fortinet W32/Injector.APR!tr
Webroot W32.Injector.Gen
AVG Win32:InjectorX-gen [Trj]
Panda Trj/CI.A