Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 23, 2023, 1:02 p.m.	March 23, 2023, 1:12 p.m.

Size	286.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`78a95a8cb18e37d6565520be5e8013c4`
SHA256	`85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510`
CRC32	`2AECCDEA`
ssdeep	`6144:AYa66rPn6SbiaFiPvZNU2tpErTwf4ceMXIECWoqgruCRnMti4oZQ:AYsrPn6Mia4PXU2tpswfx4WvCRwoZQ`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

Name	Response	Post-Analysis Lookup
www.carolinacastro.uk	A 198.49.23.145 A 198.185.159.145 A 198.185.159.144 CNAME ext-sq.squarespace.com A 198.49.23.144	198.49.23.144
www.learningworldtech.com	CNAME learningworldtech.com A 54.89.140.129	54.89.140.129
www.fi-fo.info	A 217.70.184.50 CNAME webredir.vip.gandi.net	217.70.184.50
www.draanabellrojas.com	CNAME draanabellrojas.com A 50.116.93.86	50.116.93.86

Flow	SID	Signature	Category
TCP 192.168.56.103:49169 -> 198.49.23.144:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 198.49.23.144:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 198.49.23.144:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 50.116.93.86:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 50.116.93.86:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 50.116.93.86:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 217.70.184.50:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 217.70.184.50:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 217.70.184.50:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 23, 2023, 1:02 p.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.draanabellrojas.com/bn26/?w0G=ESz42sT8rW+LnCOJPKI1BJmLgCAvIFLMdXoy7GKn7503Ilkw0GN90OeerSesb3Sbb4UaqWko&tFQh=YP7HHZXh
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.carolinacastro.uk/bn26/?w0G=hJDTMYE2GEFk2vLkfbgsg1PPurnvpoPYEW+56x2KxKDBxbbX/o7VJ0uzxLcMBINsrcDMERzF&tFQh=YP7HHZXh

request	GET http://www.draanabellrojas.com/bn26/?w0G=ESz42sT8rW+LnCOJPKI1BJmLgCAvIFLMdXoy7GKn7503Ilkw0GN90OeerSesb3Sbb4UaqWko&tFQh=YP7HHZXh
request	GET http://www.carolinacastro.uk/bn26/?w0G=hJDTMYE2GEFk2vLkfbgsg1PPurnvpoPYEW+56x2KxKDBxbbX/o7VJ0uzxLcMBINsrcDMERzF&tFQh=YP7HHZXh

Time & API	Arguments	Status
NtAllocateVirtualMemory March 23, 2023, 1:02 p.m.	process_identifier: 2128 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2023, 1:02 p.m.	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2023, 1:02 p.m.	process_identifier: 2232 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\jswyhdinmg.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 23, 2023, 1:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2128 called NtSetContextThread to modify thread in remote process 2232
NtSetContextThread March 23, 2023, 1:02 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321696 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f4 process_identifier: 2232	1	0	0

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.78a95a8cb18e37d6
ALYac	Gen:Variant.Jaik.124214
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.Jaik.D1E536
Symantec	Packed.NSISPacker!g14
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Jaik.124214
MicroWorld-eScan	Gen:Variant.Jaik.124214
VIPRE	Gen:Variant.Jaik.124214
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Emsisoft	Gen:Variant.Jaik.124214 (B)
Ikarus	Trojan-Spy.FormBook
Avira	HEUR/AGEN.1337962
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Jaik.124214
Google	Detected
AhnLab-V3	Infostealer/Win.Generic.C5395778
MAX	malware (ai score=80)
Cylance	unsafe
Rising	Trojan.Generic@AI.83 (RDMK:cmRtazpFaW8NzYVZL8Lv/QSLdpw5)
Fortinet	W32/ShellcodeRunner.CA!tr

dead_host

54.89.140.129:80

rocheleb4.1.exe