Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 19, 2021, 10:55 a.m.	Nov. 19, 2021, 11:08 a.m.

Size	295.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`00f6b12eb5e9f063938b604f05a71a5a`
SHA256	`99e25501d1c736865e766fe4e347cda8817f4005be1d7b0c336451b89be71ed2`
CRC32	`990949E4`
ssdeep	`6144:rGiNdUPTGkn+FFyQKadQZV4AXUHfay8jt8mEN2o8ld57rQZJSOI:hdUPTn+FTKzZGAXUHfCjt8H8ld5IZJSn`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

maxf.exe "C:\Users\test22\AppData\Local\Temp\maxf.exe"
2876
- maxf.exe "C:\Users\test22\AppData\Local\Temp\maxf.exe"
  3004

Name	Response	Post-Analysis Lookup
www.mountaingirlbbq.com
www.44255.online	A 23.225.171.178 CNAME thcedf78-u.mfycdn.com A 23.225.171.179 CNAME gtm-cn-zvp2b68zj0t.gtm-a2b4.com CNAME 2vtrypbc.n.mfycdn.com	23.225.171.179
www.carlosmorgan.com	A 136.0.144.52	136.0.144.52
www.guizhouhl.top
www.okulsepette.info	A 185.106.208.3 CNAME okulsepette.info	185.106.208.3

IP Address	Status	Action
136.0.144.52	Active	Moloch
164.124.101.2	Active	Moloch
185.106.208.3	Active	Moloch
23.225.171.178	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59417 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 23.225.171.178:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 23.225.171.178:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 23.225.171.178:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 185.106.208.3:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 185.106.208.3:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 185.106.208.3:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 136.0.144.52:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 136.0.144.52:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 136.0.144.52:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 19, 2021, 10:55 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.carlosmorgan.com/dyh6/?rV0DUb=3ACj/876Iue/e8ON8sSJfhN8fXF1US+ej5D3rGFpnLA4NUaMO9+P0oT861hDlQeA3HJ8xKlg&uZiX=MXEL9
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.44255.online/dyh6/?rV0DUb=j61auN3oPpV+YV1VrFCgAk/5vWcxGznwyRAYsVX/wXCyaXurmtCnvmV0lC7tGgAO0jZoAmJH&uZiX=MXEL9
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.okulsepette.info/dyh6/?rV0DUb=Wm4wBF+rv62DpqAArqorW1ww5+15iMAwZ5JIqX54ionAHScRIdeTf+feE4cws9aQyFP2uR0T&uZiX=MXEL9

Performs some HTTP requests (3 events)

request	GET http://www.carlosmorgan.com/dyh6/?rV0DUb=3ACj/876Iue/e8ON8sSJfhN8fXF1US+ej5D3rGFpnLA4NUaMO9+P0oT861hDlQeA3HJ8xKlg&uZiX=MXEL9
request	GET http://www.44255.online/dyh6/?rV0DUb=j61auN3oPpV+YV1VrFCgAk/5vWcxGznwyRAYsVX/wXCyaXurmtCnvmV0lC7tGgAO0jZoAmJH&uZiX=MXEL9
request	GET http://www.okulsepette.info/dyh6/?rV0DUb=Wm4wBF+rv62DpqAArqorW1ww5+15iMAwZ5JIqX54ionAHScRIdeTf+feE4cws9aQyFP2uR0T&uZiX=MXEL9

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.guizhouhl.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 19, 2021, 10:55 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2021, 10:55 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74325000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 10:55 a.m.	process_identifier: 3004 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nspE7E0.tmp\qnzohkyqwni.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nspE7E0.tmp\qnzohkyqwni.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 19, 2021, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 19, 2021, 10:55 a.m.	process_identifier: 3004 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2876 called NtSetContextThread to modify thread in remote process 3004
NtSetContextThread Nov. 19, 2021, 10:55 a.m.	registers.eip: 2003108292 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321456 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 3004	1	0	0

Executed a process and injected code into it, probably while unpacking (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 19, 2021, 10:55 a.m.	thread_identifier: 3008 thread_handle: 0x0000021c process_identifier: 3004 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\maxf.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\maxf.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\maxf.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000220	1	1
NtGetContextThread Nov. 19, 2021, 10:55 a.m.	thread_handle: 0x0000021c	1	0
NtAllocateVirtualMemory Nov. 19, 2021, 10:55 a.m.	process_identifier: 3004 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0
NtSetContextThread Nov. 19, 2021, 10:55 a.m.	registers.eip: 2003108292 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321456 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 3004	1	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

DrWeb	Trojan.Siggen15.43261
MicroWorld-eScan	Trojan.GenericKD.47419753
FireEye	Trojan.GenericKD.47419753
ALYac	Trojan.GenericKD.47419753
Malwarebytes	Trojan.Injector
Sangfor	Trojan.Win32.Injector.EQOG
K7AntiVirus	Trojan ( 0058a7df1 )
Alibaba	TrojanSpy:Win32/Injector.a732afc0
K7GW	Trojan ( 0058a7df1 )
Cybereason	malicious.eb5e9f
Cyren	W32/Injector.APR.gen!Eldorado
Symantec	Packed.Generic.606
ESET-NOD32	a variant of Win32/Injector.EQOG
TrendMicro-HouseCall	TROJ_FRS.VSNTKH21
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender	Trojan.GenericKD.47419753
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKD.47419753
Emsisoft	Trojan.GenericKD.47419753 (B)
Comodo	TrojWare.Win32.UMal.cvmty@0
TrendMicro	TROJ_FRS.VSNTKH21
McAfee-GW-Edition	RDN/Generic.cf
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Tnega
Avira	TR/Injector.mqxhe
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Tnega!ml
GData	Win32.Trojan-Stealer.FormBook.3N8TVB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4774724
McAfee	RDN/Generic.cf
MAX	malware (ai score=88)
APEX	Malicious
Ikarus	Trojan.Win32.Injector
Fortinet	W32/Injector.APR!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/CI.A

maxf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All