Summary | ZeroBOX

parmashdy3.1.exe

Malicious Library UPX PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us March 16, 2023, 10:27 a.m. March 16, 2023, 10:29 a.m.
Size 290.2KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 bdfb2c5a346d6684824b78499b36b88d
SHA256 c81c83ab1925106c70d6393edc0fcc117a4cb12ac96383ad28ceabe54c12fb4f
CRC32 14C23E97
ssdeep 6144:gYa6UBDpK8wWcKzqFLK5qfHiPyG+91dL7es3hV1yU+z:gYKBjwWc6fuHGy11dDVx+z
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

IP Address Status Action
104.247.82.91 Active Moloch
154.85.239.101 Active Moloch
164.124.101.2 Active Moloch
31.184.217.9 Active Moloch
91.184.0.100 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 104.247.82.91:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 104.247.82.91:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 31.184.217.9:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 104.247.82.91:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 31.184.217.9:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 31.184.217.9:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 91.184.0.100:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 91.184.0.100:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 91.184.0.100:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 154.85.239.101:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 154.85.239.101:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 154.85.239.101:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.hatterascharters.com/s26y/?xVJtG4Th=cvNALa4IK27Ro6rtXOeXYUfpmrm3HoImnwXbSTSK6JETCyzPBx85LajqaSCh8zKc7b3z2v0K&1bw=L6Adp0nXjfjLdR2p
suspicious_features GET method with no useragent header suspicious_request GET http://www.nikol-beauty.ru/s26y/?xVJtG4Th=zNa4SwDr0KBpy31l5KYIDaXbaS4SRxFhmO4CadMaCoCUEqg240jhfCVWHeE/FLPBCdnN9g63&1bw=L6Adp0nXjfjLdR2p
suspicious_features GET method with no useragent header suspicious_request GET http://www.drain-pipe-cleaning-81784.com/s26y/?xVJtG4Th=xifof8+AcnXYXdMQ3P6+Gp6nTFK1K7BHbiRnlOZOb5nZkb3/gR0wuwfXLP1X2cmFaGUzIp/v&1bw=L6Adp0nXjfjLdR2p
suspicious_features GET method with no useragent header suspicious_request GET http://www.thereallifeguild.app/s26y/?xVJtG4Th=ztcHOa7slkLvMVmIwFVD+MxqaM7ohUfwpwKohan9eDFMAOiKstevJtoFNxACBjZ48g0ugAFk&1bw=L6Adp0nXjfjLdR2p
request GET http://www.hatterascharters.com/s26y/?xVJtG4Th=cvNALa4IK27Ro6rtXOeXYUfpmrm3HoImnwXbSTSK6JETCyzPBx85LajqaSCh8zKc7b3z2v0K&1bw=L6Adp0nXjfjLdR2p
request GET http://www.nikol-beauty.ru/s26y/?xVJtG4Th=zNa4SwDr0KBpy31l5KYIDaXbaS4SRxFhmO4CadMaCoCUEqg240jhfCVWHeE/FLPBCdnN9g63&1bw=L6Adp0nXjfjLdR2p
request GET http://www.drain-pipe-cleaning-81784.com/s26y/?xVJtG4Th=xifof8+AcnXYXdMQ3P6+Gp6nTFK1K7BHbiRnlOZOb5nZkb3/gR0wuwfXLP1X2cmFaGUzIp/v&1bw=L6Adp0nXjfjLdR2p
request GET http://www.thereallifeguild.app/s26y/?xVJtG4Th=ztcHOa7slkLvMVmIwFVD+MxqaM7ohUfwpwKohan9eDFMAOiKstevJtoFNxACBjZ48g0ugAFk&1bw=L6Adp0nXjfjLdR2p
domain www.nikol-beauty.ru description Russian Federation domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2120
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005d2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00560000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2212
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\jfobqpadsl.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2120 called NtSetContextThread to modify thread in remote process 2212
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 2424296
registers.edi: 0
registers.eax: 4321744
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f0
process_identifier: 2212
1 0 0
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Nemesis.17811
FireEye Generic.mg.bdfb2c5a346d6684
McAfee RDN/Formbook
Malwarebytes Trojan.Injector
Sangfor Trojan.Win32.Injector.V47t
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Nemesis.D4593 [many]
BitDefenderTheta Gen:NN.ZexaCO.36344.dqW@aaJ6vBf
Cyren W32/Injector.SZDO-0098
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/Injector.ESUJ
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Nemesis.17811
Avast Win32:InjectorX-gen [Trj]
Emsisoft Gen:Variant.Nemesis.17811 (B)
DrWeb Trojan.Loader.1342
VIPRE Gen:Variant.Nemesis.17811
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Ikarus Trojan-Spy.FormBook
Webroot W32.Injector.Gen
MAX malware (ai score=87)
Antiy-AVL Trojan/Win32.Injector
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Woreflint.A!cl
GData Gen:Variant.Babar.172047
Google Detected
ALYac Gen:Variant.Babar.172047
TrendMicro-HouseCall TROJ_GEN.R002H0DCF23
Rising Trojan.Generic@AI.87 (RDML:BlpMf0/pa79IWI8d/dofCA)
Fortinet W32/Injector.ESTE!tr
AVG Win32:InjectorX-gen [Trj]
Panda Trj/GdSda.A