Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 14, 2022, 9:36 a.m.	Dec. 14, 2022, 9:40 a.m.

Size	432.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`7624e6fc50195fa8bc4e5bd0da55bc78`
SHA256	`f309a5ac633edcbd01916f6bc4cfd10d90982f0443b57e19a5828fd70e83ce10`
CRC32	`6E03A8B7`
ssdeep	`6144:ukwkDeTURwgORE8KNAbcA/nVhSw+a6W54LRxW84+lYY0O79QQIGqqu01:PD8owgORE8KkVhSNa6jf4XwC73qj`
Yara	IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Name	Response	Post-Analysis Lookup
www.ninideal.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.lawnforcement.com	CNAME hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com CNAME traff-2.hugedomains.com A 3.130.253.23 A 3.130.204.160	3.130.253.23
www.luxeeventsny.net
www.thetickettruth.com	CNAME thetickettruth.com A 34.102.136.180	34.102.136.180
www.fucktheenemy.com

Flow	SID	Signature	Category
TCP 192.168.56.101:49171 -> 3.130.204.160:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 3.130.204.160:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 3.130.204.160:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2022, 9:36 a.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.thetickettruth.com/h3ha/?rV0DUb=0N4LokR9uiCoW7aRFco7zu6jSnArZAq/LdT3uUKltClmieJVsMX6zSQ0xE4ZJOTIuweed6/v&LvyX=oPqLWR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ninideal.com/h3ha/?rV0DUb=l48G0yINaYxqgykaZFR0+o6y+2Gncfxsk7XllhJUaLsbGJX4pYEG8eHhbMKu/vO3tGLkH7iz&LvyX=oPqLWR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lawnforcement.com/h3ha/?rV0DUb=uxyndyQPaEDVD5l1zaL85Yr6gdU9jXMbCquiDZq5iAsqBDW/y4tuDCOehvkX+wxi0vATA7Ae&LvyX=oPqLWR

request	GET http://www.thetickettruth.com/h3ha/?rV0DUb=0N4LokR9uiCoW7aRFco7zu6jSnArZAq/LdT3uUKltClmieJVsMX6zSQ0xE4ZJOTIuweed6/v&LvyX=oPqLWR
request	GET http://www.ninideal.com/h3ha/?rV0DUb=l48G0yINaYxqgykaZFR0+o6y+2Gncfxsk7XllhJUaLsbGJX4pYEG8eHhbMKu/vO3tGLkH7iz&LvyX=oPqLWR
request	GET http://www.lawnforcement.com/h3ha/?rV0DUb=uxyndyQPaEDVD5l1zaL85Yr6gdU9jXMbCquiDZq5iAsqBDW/y4tuDCOehvkX+wxi0vATA7Ae&LvyX=oPqLWR

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2664 region_size: 4001792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2664 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2708 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\ebtgolb.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 14, 2022, 9:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2664 called NtSetContextThread to modify thread in remote process 2708
NtSetContextThread Dec. 14, 2022, 9:36 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321488 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 2708	1	0	0

Lionic	Trojan.Win32.FormBook.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Jaik.77520
FireEye	Gen:Variant.Jaik.77520
McAfee	Artemis!7624E6FC5019
Cylance	Unsafe
VIPRE	Gen:Variant.Jaik.77520
Sangfor	Trojan.Win32.Agent.V2dk
CrowdStrike	win/malicious_confidence_90% (D)
Arcabit	Trojan.Jaik.D12ED0
Cyren	W32/Injector.BHD.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Formbook.gen
BitDefender	Gen:Variant.Jaik.77520
Avast	FileRepMalware [Pws]
Ad-Aware	Gen:Variant.Jaik.77520
Emsisoft	Gen:Variant.Jaik.77520 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.gh
Sophos	Mal/Generic-S
Ikarus	Trojan.NSIS.Agent
Avira	HEUR/AGEN.1237753
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Gen:Variant.Jaik.77520
Google	Detected
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.36106.dqW@aGdtY@di
ALYac	Gen:Variant.Jaik.77520
MAX	malware (ai score=89)
Rising	Trojan.FormBook!8.F858 (CLOUD)
Fortinet	W32/Injector.ESFO!tr
AVG	FileRepMalware [Pws]
Panda	Trj/Chgt.AD

contal2.1.exe