Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2022, 10:33 a.m.	May 20, 2022, 10:38 a.m.

Size	210.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`0d5c12ef90391b5bfc0dedeca59476b6`
SHA256	`4a03cbfeb260c4c92a31e3c5e9d2ef539122ee9b7dc087a9d4db6073959de557`
CRC32	`71098B43`
ssdeep	`6144:LOtIOydsR5FNFhzLOftltWIFaL++X7tlP+5:LOLFXhzLOFxavhl25`
Yara	IsPE32 - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2784
- mujjgudfsx.exe C:\Users\test22\AppData\Local\Temp\mujjgudfsx.exe C:\Users\test22\AppData\Local\Temp\btdkhlgyim
  2880
  - mujjgudfsx.exe C:\Users\test22\AppData\Local\Temp\mujjgudfsx.exe C:\Users\test22\AppData\Local\Temp\btdkhlgyim
    2952

Name	Response	Post-Analysis Lookup
www.hayatseventeknoloji.com	CNAME hayatseventeknoloji.com A 5.2.84.81	5.2.84.81
www.mydiga-angststoerung.com	A 89.31.143.1	89.31.143.1
www.topings33.com	A 162.0.230.89	162.0.230.89
www.spaceokara.com	A 210.188.240.5	210.188.240.5
www.beam-birds.com	A 173.201.181.53 CNAME beam-birds.com	173.201.181.53
www.animefnix.com	A 103.224.182.210	103.224.182.210
www.daskocleaning.com	A 185.220.172.4	185.220.172.4
www.dadagrin.com	A 76.164.193.180	76.164.193.180
www.zkf-lawyer.com

IP Address	Status	Action
103.224.182.210	Active	Moloch
162.0.230.89	Active	Moloch
164.124.101.2	Active	Moloch
173.201.181.53	Active	Moloch
185.220.172.4	Active	Moloch
210.188.240.5	Active	Moloch
5.2.84.81	Active	Moloch
76.164.193.180	Active	Moloch
89.31.143.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 89.31.143.1:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 89.31.143.1:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 89.31.143.1:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 185.220.172.4:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 185.220.172.4:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 185.220.172.4:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 162.0.230.89:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 162.0.230.89:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 162.0.230.89:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.224.182.210:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.224.182.210:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.224.182.210:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 20, 2022, 10:32 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.mydiga-angststoerung.com/ud5f/?9r4l2=yFld/JCYBPTDUSphYl1JLHShpmZQOPshqMvqWwFpBif6fy+DcW5/J/qkCYyqtkAAagEMdzHX&EjU4Np=gdM0vL4XuL
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.daskocleaning.com/ud5f/?9r4l2=lK6R7JSYqhab7fserO2ud0UFIeUwIzn6U4Z0uinaNEONfhE6Adu4jwyhJ99+Ck6Dq2P67LuP&EjU4Np=gdM0vL4XuL
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.animefnix.com/ud5f/?9r4l2=pYnsP4TjgnW1+o0bXQyX3o5D0burLT7omwvH8WaVCOfXXYLrtXboQfHSoV7j4k06LzvKDu0l&EjU4Np=gdM0vL4XuL
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.topings33.com/ud5f/?9r4l2=P+kGyZmw/z1ZAcm1xeipQpdUp3lv0Y7Tq/O4l4d0IAxx4Y1WARDjicwyInmPULGK5Gjn0H9W&EjU4Np=gdM0vL4XuL
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.beam-birds.com/ud5f/?9r4l2=ncbEUbCk5kXcAL9fRpg+ceSXdryDB81gU2FCCsNIW8XHrZFrTQ1tXPDPVckwIBJ0r5CrHMmR&EjU4Np=gdM0vL4XuL&Ab0L=K0DLsD1x
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.spaceokara.com/ud5f/?9r4l2=9CmrMn0GGtbXxXIdiJK6yWXZmlYii/OvswjFNfGMD5AzzaTP0I9tRoOX3ga04w9g87gTygof&EjU4Np=gdM0vL4XuL&JwlX=-ZAhxrdx
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.hayatseventeknoloji.com/ud5f/?9r4l2=ojvd2QNoKu4P+or54/aphicVJQ+jWOoKwd10hVUKozBMe5J4PPzzrG2+L/bESfR8P0zdxkWw&EjU4Np=gdM0vL4XuL&GhUR=r0GdcTaP

Performs some HTTP requests (10 events)

request	GET http://www.mydiga-angststoerung.com/ud5f/?9r4l2=yFld/JCYBPTDUSphYl1JLHShpmZQOPshqMvqWwFpBif6fy+DcW5/J/qkCYyqtkAAagEMdzHX&EjU4Np=gdM0vL4XuL
request	GET http://www.daskocleaning.com/ud5f/?9r4l2=lK6R7JSYqhab7fserO2ud0UFIeUwIzn6U4Z0uinaNEONfhE6Adu4jwyhJ99+Ck6Dq2P67LuP&EjU4Np=gdM0vL4XuL
request	GET http://www.animefnix.com/ud5f/?9r4l2=pYnsP4TjgnW1+o0bXQyX3o5D0burLT7omwvH8WaVCOfXXYLrtXboQfHSoV7j4k06LzvKDu0l&EjU4Np=gdM0vL4XuL
request	GET http://www.topings33.com/ud5f/?9r4l2=P+kGyZmw/z1ZAcm1xeipQpdUp3lv0Y7Tq/O4l4d0IAxx4Y1WARDjicwyInmPULGK5Gjn0H9W&EjU4Np=gdM0vL4XuL
request	POST http://www.beam-birds.com/ud5f/
request	GET http://www.beam-birds.com/ud5f/?9r4l2=ncbEUbCk5kXcAL9fRpg+ceSXdryDB81gU2FCCsNIW8XHrZFrTQ1tXPDPVckwIBJ0r5CrHMmR&EjU4Np=gdM0vL4XuL&Ab0L=K0DLsD1x
request	POST http://www.spaceokara.com/ud5f/
request	GET http://www.spaceokara.com/ud5f/?9r4l2=9CmrMn0GGtbXxXIdiJK6yWXZmlYii/OvswjFNfGMD5AzzaTP0I9tRoOX3ga04w9g87gTygof&EjU4Np=gdM0vL4XuL&JwlX=-ZAhxrdx
request	POST http://www.hayatseventeknoloji.com/ud5f/
request	GET http://www.hayatseventeknoloji.com/ud5f/?9r4l2=ojvd2QNoKu4P+or54/aphicVJQ+jWOoKwd10hVUKozBMe5J4PPzzrG2+L/bESfR8P0zdxkWw&EjU4Np=gdM0vL4XuL&GhUR=r0GdcTaP

Sends data using the HTTP POST Method (3 events)

request	POST http://www.beam-birds.com/ud5f/
request	POST http://www.spaceokara.com/ud5f/
request	POST http://www.hayatseventeknoloji.com/ud5f/

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2880 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2952 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\mujjgudfsx.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 20, 2022, 10:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2952 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000bc	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2880 called NtSetContextThread to modify thread in remote process 2952
NtSetContextThread May 20, 2022, 10:32 a.m.	registers.eip: 2003108292 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321872 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000b8 process_identifier: 2952	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

76.164.193.180:80

Executed a process and injected code into it, probably while unpacking (5 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 20, 2022, 10:32 a.m.	thread_identifier: 2884 thread_handle: 0x000001f0 process_identifier: 2880 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\mujjgudfsx.exe C:\Users\test22\AppData\Local\Temp\btdkhlgyim filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x000001f8	1	1
CreateProcessInternalW May 20, 2022, 10:32 a.m.	thread_identifier: 2956 thread_handle: 0x000000b8 process_identifier: 2952 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\mujjgudfsx.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\mujjgudfsx.exe C:\Users\test22\AppData\Local\Temp\btdkhlgyim filepath_r: C:\Users\test22\AppData\Local\Temp\mujjgudfsx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000bc	1	1
NtGetContextThread May 20, 2022, 10:32 a.m.	thread_handle: 0x000000b8	1	0
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2952 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000bc	1	0
NtSetContextThread May 20, 2022, 10:32 a.m.	registers.eip: 2003108292 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321872 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000b8 process_identifier: 2952	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Injexa.4!c
MicroWorld-eScan	Gen:Variant.Jaik.72878
FireEye	Generic.mg.0d5c12ef90391b5b
McAfee	RDN/XLoader
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005930091 )
Alibaba	Trojan:Win32/Lokibot.08d2c1e4
K7GW	Trojan ( 005930091 )
Cybereason	malicious.471aee
Cyren	W32/Ninjector.BB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ERQU
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Injexa.gen
BitDefender	Gen:Variant.Jaik.72878
Avast	Win32:InjectorX-gen [Trj]
Tencent	Win32.Trojan.Injexa.Gvs
Ad-Aware	Gen:Variant.Jaik.72878
Sophos	Mal/Generic-S
DrWeb	Trojan.Siggen17.52903
TrendMicro	TROJ_FRS.0NA103EJ22
McAfee-GW-Edition	BehavesLike.Win32.Vopak.dc
Emsisoft	Gen:Variant.Jaik.72878 (B)
Ikarus	Trojan.NSIS.Agent
Jiangmin	Trojan.Fsysna.niy
Avira	TR/AD.Swotter.hfluw
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Ransom.Win32.Sabsik.oa!s1
Microsoft	Trojan:Win32/Lokibot.ANRF!MTB
GData	Win32.Trojan.Agent.17YGXX
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.NSISInject.R491618
BitDefenderTheta	Gen:NN.ZexaF.34682.amW@aePGp@d
ALYac	Gen:Variant.Jaik.72878
MAX	malware (ai score=83)
VBA32	BScope.Trojan.Winlock
Malwarebytes	Trojan.Dropper
TrendMicro-HouseCall	TROJ_FRS.0NA103EJ22
Rising	Trojan.Generic@AI.87 (RDML:1BtgFgBRbwvFU4WhzVnVmw)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Injector.ERQU!tr
AVG	Win32:InjectorX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All