Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 23, 2022, 7:38 a.m.	May 23, 2022, 8:10 a.m.

Size	26.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`61d8380734dab62afb07e2d12cb746af`
SHA256	`bfb973a2a005029171ef58cc29552235909ffffeeed05f5c5d469cdd6d8424cc`
CRC32	`0C4F301F`
ssdeep	`384:u1aHgufUU9Wkef2n7tlYw5p0HKKOBhryiiiiiiiiiiiiiiiiiElgaaaaf5JVN89:l3nczllgaaas5J389`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 2
2516
- timeout.exe timeout 2
  2576
MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2620

Flow	SID	Signature	Category
UDP 192.168.56.103:60117 -> 164.124.101.2:53	2025106	ET INFO DNS Query for Suspicious .ml Domain	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 192.185.174.178:80	2030384	ET HUNTING Suspicious Terse Request for .bmp	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 192.185.174.178:80	2031091	ET HUNTING Request to .ML Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 192.185.174.178:80	2032988	ET INFO HTTP Request to a *.ml domain	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 38.26.152.100:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 38.26.152.100:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 38.26.152.100:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 217.160.0.127:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 217.160.0.127:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 217.160.0.127:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 23, 2022, 7:38 a.m.	buffer: Waiting for 2 console_handle: 0x00000007	1	1	0
WriteConsoleW May 23, 2022, 7:38 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

suspicious_features	GET method with no useragent header	suspicious_request	GET http://darley.ml/h/Zzrfmn_Kyaogqlh.bmp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.seementor.com/sn12/?9rJtvBQ=RtVC6loscM06usO/YI21fDXq59XBLcz9umfGdy2oQXWdI6QalDB8sFa/aIWAp2MtXDbGM+xQ&2d54=eT8xe2NpddJ86tL
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.euromarketinfinity.com/sn12/?9rJtvBQ=/wE2iff+KL+/ERRZNsMlaCyYzWgq8VOttP75WoZBJ+TwHPTujVyF9hPb5PrQrqya+LxTGX7m&2d54=eT8xe2NpddJ86tL

request	GET http://darley.ml/h/Zzrfmn_Kyaogqlh.bmp
request	GET http://www.seementor.com/sn12/?9rJtvBQ=RtVC6loscM06usO/YI21fDXq59XBLcz9umfGdy2oQXWdI6QalDB8sFa/aIWAp2MtXDbGM+xQ&2d54=eT8xe2NpddJ86tL
request	GET http://www.euromarketinfinity.com/sn12/?9rJtvBQ=/wE2iff+KL+/ERRZNsMlaCyYzWgq8VOttP75WoZBJ+TwHPTujVyF9hPb5PrQrqya+LxTGX7m&2d54=eT8xe2NpddJ86tL

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 23, 2022, 7:38 a.m.	process_identifier: 2620 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 23, 2022, 7:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen17.54626
MicroWorld-eScan	Trojan.GenericKD.50316481
ALYac	Trojan.GenericKD.50316481
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:MSIL/Keylogger.36fc5a1a
K7GW	Trojan-Downloader ( 005931bb1 )
K7AntiVirus	Trojan-Downloader ( 005931bb1 )
Arcabit	Trojan.Generic.D2FFC4C1
Cyren	W32/MSIL_Kryptik.HHG.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.LWL
TrendMicro-HouseCall	TROJ_GEN.R002H0DEK22
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.50316481
Avast	Win32:DropperX-gen [Drp]
Tencent	Msil.Trojan-downloader.Agent.Wozw
Ad-Aware	Trojan.GenericKD.50316481
Emsisoft	Trojan.GenericKD.50316481 (B)
McAfee-GW-Edition	RDN/Formbook
FireEye	Generic.mg.61d8380734dab62a
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Avira	HEUR/AGEN.1249297
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.Agent.GQY2F0
Cynet	Malicious (score: 100)
AhnLab-V3	Dropper/Win.DropperX-gen.C5137801
McAfee	RDN/Formbook
MAX	malware (ai score=85)
Malwarebytes	Spyware.FormBook
APEX	Malicious
Ikarus	Trojan-Spy.Keylogger.AgentTesla
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.LWL!tr.dldr
AVG	Win32:DropperX-gen [Drp]
Cybereason	malicious.e277e2

zmb.exe