Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2022, 1:16 p.m.	May 20, 2022, 1:24 p.m.

Size	345.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`c3d24ca1d36fa354df3de6ca57a979d4`
SHA256	`b01852366a757d7a668950fe78fe78113c184d24db59aefe7dd52c44eaed2c77`
CRC32	`9E8EC52F`
ssdeep	`6144:NOtI3tqcunMdjbslhkm6TCHp+ZwlRTmQBb/JWqCHX8aVExS:NOybsl3poqTmUiCA`
Yara	IsPE32 - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2784
- ycgth.exe C:\Users\test22\AppData\Local\Temp\ycgth.exe C:\Users\test22\AppData\Local\Temp\bpsrwnq
  2860
  - ycgth.exe C:\Users\test22\AppData\Local\Temp\ycgth.exe C:\Users\test22\AppData\Local\Temp\bpsrwnq
    2964

Name	Response	Post-Analysis Lookup
www.tjkt8.com	A 23.235.165.144	23.235.165.144
www.exilings.com	A 162.0.223.36	162.0.223.36
www.modelofindia.com	A 3.64.163.50	3.64.163.50
www.allyouneedstore.xyz	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.co1l7o8vy.com	A 54.248.8.29	54.248.8.29
www.allowdrops.xyz	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.217
www.cryptomnis.com	A 34.102.136.180 CNAME cryptomnis.com	34.102.136.180
www.claris-studio.cloud	A 213.186.33.5	213.186.33.5
www.beamaster.info	CNAME beamaster.info A 109.234.164.72	109.234.164.72
www.alaskanwave.net
www.yustunning.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.nft-id.net
www.hidinginplainsight.digital	CNAME hidinginplainsight.digital A 34.102.136.180	34.102.136.180
www.xiangqinmao.com
www.unleashingyou-lifecoaching.com	CNAME unleashingyou-lifecoaching.com A 34.102.136.180	34.102.136.180

IP Address	Status	Action
109.234.164.72	Active	Moloch
162.0.223.36	Active	Moloch
164.124.101.2	Active	Moloch
198.54.117.211	Active	Moloch
213.186.33.5	Active	Moloch
23.227.38.74	Active	Moloch
23.235.165.144	Active	Moloch
3.64.163.50	Active	Moloch
34.102.136.180	Active	Moloch
54.248.8.29	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 23.227.38.74:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
UDP 192.168.56.101:54098 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 213.186.33.5:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 213.186.33.5:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 213.186.33.5:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 213.186.33.5:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 198.54.117.211:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 162.0.223.36:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 162.0.223.36:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 162.0.223.36:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 20, 2022, 1:16 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.exilings.com/p0ip/?ndlLiZV=yl/dFwJMdSceaWRi0W0NnKfJF9+pX0fjdtGqu/bS1X0jBltUbF2fKROpu7SUx2G3hqZy3uP/&v4at-=1bGdx4LxDxtLS0Up
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.allyouneedstore.xyz/p0ip/?ndlLiZV=CDhfe6DaxWKDNWY2qb2gtTZFP733Xb+Qcka5A5JsfNJiWRSRTH/LqA/CqBIEVVfG4QqIeoQk&v4at-=1bGdx4LxDxtLS0Up&Tj1h=2dmH-tAh
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.allowdrops.xyz/p0ip/?ndlLiZV=bA8/18/o/0iGirBzmXDhFL/OUmmykOiZm3SEC++o+RtQ7W5jFCo6ZADpOn30oLvPwzRp+Tpl&v4at-=1bGdx4LxDxtLS0Up&xABS=FVExIJeH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.hidinginplainsight.digital/p0ip/?ndlLiZV=qukW209GbqUzJ3O6Nt6aMZtsyRSJCKw2PVXi+aAmtwOxY2LUOvtsctYoEUZb5ik+2Z5jFPyL&v4at-=1bGdx4LxDxtLS0Up&jm8e=dzrXEJ20
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.co1l7o8vy.com/p0ip/?ndlLiZV=6TOoXCUBEI00OLJ2v0IkqEYP8Ak7kvqc5z3P/jb0y5Nd3/OUQgmnUWJin0pZyBjcN7Aa6ULf&v4at-=1bGdx4LxDxtLS0Up&SHfH=yVDtERPP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.beamaster.info/p0ip/?ndlLiZV=qxrnwwIJiftwK0JhBIX6gKsCcuRe0nZ8C0jtfWZwP3QVk5QIEhmdc2JROB7F/SAUCcQeAWX+&v4at-=1bGdx4LxDxtLS0Up&hjmJ=GT0PC280
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.cryptomnis.com/p0ip/?ndlLiZV=afYEiXLcgNxv5urPpopWNOSFMUQuzsk1Gi9ko/kZj91YZQe5VTOSuQVdM+qBwUR/OVRTLbsh&v4at-=1bGdx4LxDxtLS0Up&jYkL=4hlti0Jp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tjkt8.com/p0ip/?ndlLiZV=/nGvWTz6DV0e/9gpebojwxydOIry15ThwqcEi0r2QdeZ756mjvubiiGf9XIzpvaeRq/0Os6U&v4at-=1bGdx4LxDxtLS0Up&wLOT=-ZvPMplP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.modelofindia.com/p0ip/?ndlLiZV=jTnPppuaMZ1HoZ6KzD1Iip5jj11YrkS86uCN+cQfi5Hp16rqQ2XNIby0ZfJ3d8J/Ac2KA5et&v4at-=1bGdx4LxDxtLS0Up&xQGV=0T3lvHfX
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.claris-studio.cloud/p0ip/?ndlLiZV=ZGnBy5Z0ttcTRq4htgRCrece1m8F9IuBR3JJANp8NpQMtcgccah7Tn8PHKe5ox5u+dYNNI9j&v4at-=1bGdx4LxDxtLS0Up&B0lc=t8eT0PpX
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.unleashingyou-lifecoaching.com/p0ip/?ndlLiZV=19lq8R7h13lfkSAyCUuAmCqzZXWAStdmJc/tI8v9Q6E9O8G0co7M14/yVJDsEplNLDGL06UW&v4at-=1bGdx4LxDxtLS0Up&tvLg=gbtx6bZH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.yustunning.com/p0ip/?ndlLiZV=3yWzJACcMRxJ7LW6h/fS39XU15hbhguZ/2QvZyzEvkBMJuj3zWBbm4/rdT02hE/fbh6NSYxA&v4at-=1bGdx4LxDxtLS0Up&tujX=cbRld0AP

Performs some HTTP requests (22 events)

request	GET http://www.exilings.com/p0ip/?ndlLiZV=yl/dFwJMdSceaWRi0W0NnKfJF9+pX0fjdtGqu/bS1X0jBltUbF2fKROpu7SUx2G3hqZy3uP/&v4at-=1bGdx4LxDxtLS0Up
request	POST http://www.allyouneedstore.xyz/p0ip/
request	GET http://www.allyouneedstore.xyz/p0ip/?ndlLiZV=CDhfe6DaxWKDNWY2qb2gtTZFP733Xb+Qcka5A5JsfNJiWRSRTH/LqA/CqBIEVVfG4QqIeoQk&v4at-=1bGdx4LxDxtLS0Up&Tj1h=2dmH-tAh
request	GET http://www.allowdrops.xyz/p0ip/?ndlLiZV=bA8/18/o/0iGirBzmXDhFL/OUmmykOiZm3SEC++o+RtQ7W5jFCo6ZADpOn30oLvPwzRp+Tpl&v4at-=1bGdx4LxDxtLS0Up&xABS=FVExIJeH
request	POST http://www.hidinginplainsight.digital/p0ip/
request	GET http://www.hidinginplainsight.digital/p0ip/?ndlLiZV=qukW209GbqUzJ3O6Nt6aMZtsyRSJCKw2PVXi+aAmtwOxY2LUOvtsctYoEUZb5ik+2Z5jFPyL&v4at-=1bGdx4LxDxtLS0Up&jm8e=dzrXEJ20
request	POST http://www.co1l7o8vy.com/p0ip/
request	GET http://www.co1l7o8vy.com/p0ip/?ndlLiZV=6TOoXCUBEI00OLJ2v0IkqEYP8Ak7kvqc5z3P/jb0y5Nd3/OUQgmnUWJin0pZyBjcN7Aa6ULf&v4at-=1bGdx4LxDxtLS0Up&SHfH=yVDtERPP
request	POST http://www.beamaster.info/p0ip/
request	GET http://www.beamaster.info/p0ip/?ndlLiZV=qxrnwwIJiftwK0JhBIX6gKsCcuRe0nZ8C0jtfWZwP3QVk5QIEhmdc2JROB7F/SAUCcQeAWX+&v4at-=1bGdx4LxDxtLS0Up&hjmJ=GT0PC280
request	POST http://www.cryptomnis.com/p0ip/
request	GET http://www.cryptomnis.com/p0ip/?ndlLiZV=afYEiXLcgNxv5urPpopWNOSFMUQuzsk1Gi9ko/kZj91YZQe5VTOSuQVdM+qBwUR/OVRTLbsh&v4at-=1bGdx4LxDxtLS0Up&jYkL=4hlti0Jp
request	POST http://www.tjkt8.com/p0ip/
request	GET http://www.tjkt8.com/p0ip/?ndlLiZV=/nGvWTz6DV0e/9gpebojwxydOIry15ThwqcEi0r2QdeZ756mjvubiiGf9XIzpvaeRq/0Os6U&v4at-=1bGdx4LxDxtLS0Up&wLOT=-ZvPMplP
request	POST http://www.modelofindia.com/p0ip/
request	GET http://www.modelofindia.com/p0ip/?ndlLiZV=jTnPppuaMZ1HoZ6KzD1Iip5jj11YrkS86uCN+cQfi5Hp16rqQ2XNIby0ZfJ3d8J/Ac2KA5et&v4at-=1bGdx4LxDxtLS0Up&xQGV=0T3lvHfX
request	POST http://www.claris-studio.cloud/p0ip/
request	GET http://www.claris-studio.cloud/p0ip/?ndlLiZV=ZGnBy5Z0ttcTRq4htgRCrece1m8F9IuBR3JJANp8NpQMtcgccah7Tn8PHKe5ox5u+dYNNI9j&v4at-=1bGdx4LxDxtLS0Up&B0lc=t8eT0PpX
request	POST http://www.unleashingyou-lifecoaching.com/p0ip/
request	GET http://www.unleashingyou-lifecoaching.com/p0ip/?ndlLiZV=19lq8R7h13lfkSAyCUuAmCqzZXWAStdmJc/tI8v9Q6E9O8G0co7M14/yVJDsEplNLDGL06UW&v4at-=1bGdx4LxDxtLS0Up&tvLg=gbtx6bZH
request	POST http://www.yustunning.com/p0ip/
request	GET http://www.yustunning.com/p0ip/?ndlLiZV=3yWzJACcMRxJ7LW6h/fS39XU15hbhguZ/2QvZyzEvkBMJuj3zWBbm4/rdT02hE/fbh6NSYxA&v4at-=1bGdx4LxDxtLS0Up&tujX=cbRld0AP

Sends data using the HTTP POST Method (10 events)

request	POST http://www.allyouneedstore.xyz/p0ip/
request	POST http://www.hidinginplainsight.digital/p0ip/
request	POST http://www.co1l7o8vy.com/p0ip/
request	POST http://www.beamaster.info/p0ip/
request	POST http://www.cryptomnis.com/p0ip/
request	POST http://www.tjkt8.com/p0ip/
request	POST http://www.modelofindia.com/p0ip/
request	POST http://www.claris-studio.cloud/p0ip/
request	POST http://www.unleashingyou-lifecoaching.com/p0ip/
request	POST http://www.yustunning.com/p0ip/

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2860 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x19ab0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2964 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\ycgth.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 20, 2022, 1:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2964 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000bc	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2860 called NtSetContextThread to modify thread in remote process 2964
NtSetContextThread May 20, 2022, 1:16 p.m.	registers.eip: 2003108292 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321872 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000b8 process_identifier: 2964	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.101:49180

Executed a process and injected code into it, probably while unpacking (5 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 20, 2022, 1:16 p.m.	thread_identifier: 2864 thread_handle: 0x000001f0 process_identifier: 2860 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ycgth.exe C:\Users\test22\AppData\Local\Temp\bpsrwnq filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x000001f8	1	1
CreateProcessInternalW May 20, 2022, 1:16 p.m.	thread_identifier: 2968 thread_handle: 0x000000b8 process_identifier: 2964 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ycgth.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ycgth.exe C:\Users\test22\AppData\Local\Temp\bpsrwnq filepath_r: C:\Users\test22\AppData\Local\Temp\ycgth.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000bc	1	1
NtGetContextThread May 20, 2022, 1:16 p.m.	thread_handle: 0x000000b8	1	0
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2964 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000bc	1	0
NtSetContextThread May 20, 2022, 1:16 p.m.	registers.eip: 2003108292 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321872 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000b8 process_identifier: 2964	1	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.4!c
MicroWorld-eScan	Gen:Variant.Jaik.72878
FireEye	Generic.mg.c3d24ca1d36fa354
ALYac	Gen:Variant.Jaik.72878
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005930c31 )
Alibaba	TrojanSpy:Win32/Lokibot.0b3a872c
K7GW	Trojan ( 005930c31 )
Cybereason	malicious.0558ad
BitDefenderTheta	Gen:NN.ZexaF.34682.amW@a47h99n
Cyren	W32/Ninjector.BB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ERQU
TrendMicro-HouseCall	TROJ_GEN.R002H01EI22
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender	Gen:Variant.Jaik.72878
Avast	Win32:InjectorX-gen [Trj]
Tencent	Win32.Trojan-spy.Noon.Szla
Ad-Aware	Gen:Variant.Jaik.72878
Emsisoft	Gen:Variant.Jaik.72878 (B)
DrWeb	Trojan.Siggen17.52991
McAfee-GW-Edition	BehavesLike.Win32.Dropper.fc
Sophos	Mal/Generic-S
APEX	Malicious
Jiangmin	Trojan.Fsysna.niy
Avira	TR/AD.Swotter.ocnfn
MAX	malware (ai score=99)
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Ransom.Win32.Sabsik.oa!s1
Microsoft	Trojan:Win32/Lokibot.ANRI!MTB
GData	Win32.Trojan.Agent.5DOBUH
McAfee	RDN/Generic.tfr
VBA32	BScope.Trojan.Winlock
Malwarebytes	Spyware.FormBook
Rising	Trojan.Generic@AI.87 (RDML:uB/HMISO/kAlEKStPXElHA)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/ERQU!tr
AVG	Win32:InjectorX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All