Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 5, 2023, 8:41 a.m.	April 5, 2023, 8:46 a.m.

Size	289.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`07267fb4371d348b4acecd5ebfab5d48`
SHA256	`441b9e71d315dbc21471e1c3cf9824c4303ba40effa313c89345f399cf28cda2`
CRC32	`AB8F7374`
ssdeep	`6144:PYa6E1fCKW2rYT4SL+03K09Yeus7s6Zijbz2ZOIKQJmCHRq8PCXpe:PYKUKW2rYT4SLRaF6Z5ZONWxqO`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

Name	Response	Post-Analysis Lookup
www.xuanliuchushaqi.com	A 23.27.72.237	23.27.72.237
www.heguangxueyuan.com	A 116.62.236.73	116.62.236.73
www.tulipbaddie.com	CNAME tulipbaddie.myshopify.com CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.cloud-spartan.co.uk	A 35.227.197.36	35.227.197.36
www.youthexsa.africa

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 35.227.197.36:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 35.227.197.36:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 35.227.197.36:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 23.27.72.237:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 23.27.72.237:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 23.27.72.237:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 5, 2023, 8:41 a.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.cloud-spartan.co.uk/sa79/?4hLpNJ=jkxHAd9GAbQei4M5qdOAezShFl0g6rfkBT3I54TzQtwvhmYtcfZekS4RyxImys3XUoylJySQ&nfutZl=xPJ4abP8
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.xuanliuchushaqi.com/sa79/?4hLpNJ=hJPMgNc3YBeDgy1LAyMKDmqQClBR6GCiPVe6h48AlyqECVJTXctJUujDBwCm/5McqNpOK+X6&nfutZl=xPJ4abP8
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tulipbaddie.com/sa79/?4hLpNJ=Pi7Ey0iMJyKZwqp6iXhMyyYPxOpav9bJQmREjn+3V5ZaE+2+83fVcjQjlyYtQNMfHCjMn2RE&nfutZl=xPJ4abP8

request	GET http://www.cloud-spartan.co.uk/sa79/?4hLpNJ=jkxHAd9GAbQei4M5qdOAezShFl0g6rfkBT3I54TzQtwvhmYtcfZekS4RyxImys3XUoylJySQ&nfutZl=xPJ4abP8
request	GET http://www.xuanliuchushaqi.com/sa79/?4hLpNJ=hJPMgNc3YBeDgy1LAyMKDmqQClBR6GCiPVe6h48AlyqECVJTXctJUujDBwCm/5McqNpOK+X6&nfutZl=xPJ4abP8
request	GET http://www.tulipbaddie.com/sa79/?4hLpNJ=Pi7Ey0iMJyKZwqp6iXhMyyYPxOpav9bJQmREjn+3V5ZaE+2+83fVcjQjlyYtQNMfHCjMn2RE&nfutZl=xPJ4abP8

Time & API	Arguments	Status
NtAllocateVirtualMemory April 5, 2023, 8:41 a.m.	process_identifier: 2120 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 8:41 a.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 8:41 a.m.	process_identifier: 2172 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\ifnznkgo.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 5, 2023, 8:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2120 called NtSetContextThread to modify thread in remote process 2172
NtSetContextThread April 5, 2023, 8:41 a.m.	registers.eip: 2005598660 registers.esp: 2029732 registers.edi: 0 registers.eax: 4321616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c8 process_identifier: 2172	1	0	0

dead_host

116.62.236.73:80

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Garf.Gen.6
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_100% (D)
Cyren	W32/Injector.BLJ.gen!Eldorado
Symantec	Packed.NSISPacker!g14
ESET-NOD32	a variant of Win32/Injector_AGen.UH
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Strab.gen
BitDefender	Trojan.Garf.Gen.6
Avast	Win32:AdwareX-gen [Adw]
Tencent	Win32.Trojan.Agen.Ymhl
Emsisoft	Trojan.Garf.Gen.6 (B)
F-Secure	Heuristic.HEUR/AGEN.1319136
DrWeb	Trojan.Loader.1389
VIPRE	Trojan.Garf.Gen.6
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.07267fb4371d348b
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan-Spy.FormBook
GData	Gen:Variant.Fragtor.246784
Avira	HEUR/AGEN.1337962
Arcabit	Trojan.Garf.Gen.6 [many]
ZoneAlarm	UDS:Trojan.Win32.Strab.gen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Google	Detected
AhnLab-V3	Trojan/Win.NSISInject.R561060
BitDefenderTheta	Gen:NN.ZexaF.36132.guW@aGe@PWdi
ALYac	Gen:Variant.Fragtor.246784
MAX	malware (ai score=89)
Panda	Trj/Genetic.gen
Rising	Trojan.Generic@AI.93 (RDML:JtEdWiAvxNxcBm8w+zlubQ)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.PM!tr
AVG	Win32:AdwareX-gen [Adw]
DeepInstinct	MALICIOUS

vbc.exe