Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 27, 2023, 10:18 a.m.	March 27, 2023, 10:33 a.m.

Size	266.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`c1b465d96c0541a5dc8e95a7bfd96e15`
SHA256	`db70988416dd0d9af06715f9f9c6cf77be3f6bf629cba4bed9be82ea4fbf46c1`
CRC32	`CF922E55`
ssdeep	`6144:/Ya6uOn/kwfhxmhDcnV6/VMBob43AsvyPggixmLTOG:/YQOMwOWI/VMmbavhmXb`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

FRI.exe "C:\Users\test22\AppData\Local\Temp\FRI.exe"
1532
- wqtgp.exe "C:\Users\test22\AppData\Local\Temp\wqtgp.exe" C:\Users\test22\AppData\Local\Temp\euqgzstcbcz.w
  2076
  - wqtgp.exe "C:\Users\test22\AppData\Local\Temp\wqtgp.exe"
    2140

Name	Response	Post-Analysis Lookup
www.crusadia.net	A 212.192.29.71 CNAME crusadia.net	212.192.29.71
www.577hcc.com	A 34.117.26.57 A 34.149.198.43	34.117.26.57
www.pmtj013.xyz
www.edfitzgerald.org	A 193.32.208.67	193.32.208.67
www.kurodamisato.com	A 199.59.243.222	199.59.243.222
www.drzjup.space	A 172.255.33.179	172.255.33.179
www.ppparadise.xyz	CNAME ppparadise.xyz A 133.167.73.73	133.167.73.73
www.bekansas.com	A 154.64.92.27	154.64.92.27
www.naver-io.com
www.tokendownload.space	A 67.21.71.208	67.21.71.208
www.peiphitan.com	A 82.180.130.211	82.180.130.211
www.kcgjz.top	A 104.21.33.97 A 172.67.189.130	172.67.189.130
www.asu4tqr.icu	A 38.85.254.111	38.85.254.111

IP Address	Status	Action
104.21.33.97	Active	Moloch
133.167.73.73	Active	Moloch
154.64.92.27	Active	Moloch
164.124.101.2	Active	Moloch
172.255.33.179	Active	Moloch
193.32.208.67	Active	Moloch
199.59.243.222	Active	Moloch
212.192.29.71	Active	Moloch
34.117.26.57	Active	Moloch
38.85.254.111	Active	Moloch
67.21.71.208	Active	Moloch
82.180.130.211	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 199.59.243.222:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 199.59.243.222:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 104.21.33.97:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 199.59.243.222:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 104.21.33.97:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 104.21.33.97:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 104.21.33.97:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 104.21.33.97:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 212.192.29.71:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 212.192.29.71:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 212.192.29.71:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 193.32.208.67:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 193.32.208.67:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
UDP 192.168.56.103:50674 -> 164.124.101.2:53	2026888	ET INFO DNS Query for Suspicious .icu Domain	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 193.32.208.67:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 154.64.92.27:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 154.64.92.27:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 154.64.92.27:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 38.85.254.111:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 38.85.254.111:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 38.85.254.111:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 172.255.33.179:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 172.255.33.179:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 82.180.130.211:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 172.255.33.179:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 82.180.130.211:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 82.180.130.211:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 133.167.73.73:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 133.167.73.73:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 133.167.73.73:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 133.167.73.73:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 27, 2023, 10:18 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.kurodamisato.com/poub/?URihc=pzUirgwcC8ZpUBJr+A0RncrQCBC5BD7ORQWA7LzWHhCGPilCbFeR5IDOxd+JD96H8p3TlQQD&UfrDQp=0nMpq42x5z-hI250
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.edfitzgerald.org/poub/?URihc=QVBI8lnr7lJPqe8zZjldHkvXw89c/iSzMuEXgZLKqCpuoCkUYVUB7rTOcZCo9GOBqMOIvt9n&UfrDQp=0nMpq42x5z-hI250
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bekansas.com/poub/?URihc=ik78GElzcTPK51jxwI7ODOjVUTh6arreOcAO6JZZFiJW++RN8P/8RIGVM8jA8ec1Ygwfy9iv&UfrDQp=0nMpq42x5z-hI250
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.drzjup.space/poub/?URihc=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&UfrDQp=0nMpq42x5z-hI250
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.kcgjz.top/poub/?URihc=FfiSjh2CtBpF3CrFZO/zKMlUrmL7FaiyKpfrvTrGvt9QCH6w6Rg7EpGJxpSWT1DMVUaM39xc&UfrDQp=0nMpq42x5z-hI250
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.crusadia.net/poub/?URihc=BYWI1ybJrJc11tuYbuPv66f3H3Cr5zuGlkVqrCbrO2SRjMGFR+aqTisH+sImtYdY9S5ZKg1z&UfrDQp=0nMpq42x5z-hI250
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ppparadise.xyz/poub/?URihc=i6ZHXvJJgvAHiqvTYC5qSpD7hgu0rSUqSG8Zc0xosq5TTXlRT+6NyQltuj8FIZG0zF3lAY7M&UfrDQp=0nMpq42x5z-hI250
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.asu4tqr.icu/poub/?URihc=hHEijVrY0zBLr3JvSJmcy3GyPiWWfZaI2s16j7nKHpxVgJKtjZbonCFGp4fNRYCDH6FUX0AO&UfrDQp=0nMpq42x5z-hI250
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.577hcc.com/poub/?URihc=+hZRLA5mezg8QGtKPd8YzpNrIKXVB9ucHjeJAdH+TFhtM6TJX5/L40TNomU2z2juM0GLcBEZ&UfrDQp=0nMpq42x5z-hI250
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.peiphitan.com/poub/?URihc=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&UfrDQp=0nMpq42x5z-hI250

Performs some HTTP requests (10 events)

request	GET http://www.kurodamisato.com/poub/?URihc=pzUirgwcC8ZpUBJr+A0RncrQCBC5BD7ORQWA7LzWHhCGPilCbFeR5IDOxd+JD96H8p3TlQQD&UfrDQp=0nMpq42x5z-hI250
request	GET http://www.edfitzgerald.org/poub/?URihc=QVBI8lnr7lJPqe8zZjldHkvXw89c/iSzMuEXgZLKqCpuoCkUYVUB7rTOcZCo9GOBqMOIvt9n&UfrDQp=0nMpq42x5z-hI250
request	GET http://www.bekansas.com/poub/?URihc=ik78GElzcTPK51jxwI7ODOjVUTh6arreOcAO6JZZFiJW++RN8P/8RIGVM8jA8ec1Ygwfy9iv&UfrDQp=0nMpq42x5z-hI250
request	GET http://www.drzjup.space/poub/?URihc=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&UfrDQp=0nMpq42x5z-hI250
request	GET http://www.kcgjz.top/poub/?URihc=FfiSjh2CtBpF3CrFZO/zKMlUrmL7FaiyKpfrvTrGvt9QCH6w6Rg7EpGJxpSWT1DMVUaM39xc&UfrDQp=0nMpq42x5z-hI250
request	GET http://www.crusadia.net/poub/?URihc=BYWI1ybJrJc11tuYbuPv66f3H3Cr5zuGlkVqrCbrO2SRjMGFR+aqTisH+sImtYdY9S5ZKg1z&UfrDQp=0nMpq42x5z-hI250
request	GET http://www.ppparadise.xyz/poub/?URihc=i6ZHXvJJgvAHiqvTYC5qSpD7hgu0rSUqSG8Zc0xosq5TTXlRT+6NyQltuj8FIZG0zF3lAY7M&UfrDQp=0nMpq42x5z-hI250
request	GET http://www.asu4tqr.icu/poub/?URihc=hHEijVrY0zBLr3JvSJmcy3GyPiWWfZaI2s16j7nKHpxVgJKtjZbonCFGp4fNRYCDH6FUX0AO&UfrDQp=0nMpq42x5z-hI250
request	GET http://www.577hcc.com/poub/?URihc=+hZRLA5mezg8QGtKPd8YzpNrIKXVB9ucHjeJAdH+TFhtM6TJX5/L40TNomU2z2juM0GLcBEZ&UfrDQp=0nMpq42x5z-hI250
request	GET http://www.peiphitan.com/poub/?URihc=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&UfrDQp=0nMpq42x5z-hI250

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.kcgjz.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 27, 2023, 10:18 a.m.	process_identifier: 2076 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 27, 2023, 10:18 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 27, 2023, 10:18 a.m.	process_identifier: 2140 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\wqtgp.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 27, 2023, 10:18 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2076 called NtSetContextThread to modify thread in remote process 2140
NtSetContextThread March 27, 2023, 10:18 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4325136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000dc process_identifier: 2140	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

67.21.71.208:80

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.Win32.Agent.tshg
MicroWorld-eScan	Gen:Variant.Nemesis.1976
FireEye	Generic.mg.c1b465d96c0541a5
ALYac	Gen:Variant.Lazy.264429
Malwarebytes	Generic.Malware/Suspicious
Sangfor	Suspicious.Win32.Save.ins
Alibaba	TrojanSpy:Application/ObfusInjector.53f438d6
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.Nemesis.D7B8 [many]
BitDefenderTheta	Gen:NN.ZexaF.36344.fmW@aqiWmff
Symantec	Packed.NSISPacker!g14
Elastic	malicious (high confidence)
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Nemesis.1976
Avast	FileRepMalware [Pws]
Sophos	Mal/Generic-S
F-Secure	Heuristic.HEUR/AGEN.1363367
VIPRE	Gen:Variant.Nemesis.1976
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Trapmine	malicious.moderate.ml.score
Emsisoft	Gen:Variant.Nemesis.1976 (B)
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1337962
MAX	malware (ai score=87)
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Lazy.264429
Google	Detected
McAfee	Artemis!C1B465D96C05
Cylance	unsafe
Ikarus	Trojan-Spy.FormBook
Fortinet	W32/Injector.NSBE!tr
AVG	FileRepMalware [Pws]
Panda	Trj/GdSda.A

FRI.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All