Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 18, 2023, 1:31 p.m.	April 18, 2023, 1:34 p.m.

Size	297.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`241b78d02640dea21e13c5bb27f3070c`
SHA256	`b32ed7458086ae3a05007a54d6660b9ce6382bd82af78c2c56f856ea6f2d95a3`
CRC32	`B2F4C273`
ssdeep	`6144:gYa6K+L5KsbfC1Rx67xdAhkmIG9OtkskBU2HJjteYwqQQcXt26:gYk+L5REx6tdAhf9ObUU2HwqQQcI6`
Yara	UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

locacem2.1.exe "C:\Users\test22\AppData\Local\Temp\locacem2.1.exe"
2992
- tgowi.exe "C:\Users\test22\AppData\Local\Temp\tgowi.exe" C:\Users\test22\AppData\Local\Temp\gdjujwf.xh
  964
  - tgowi.exe "C:\Users\test22\AppData\Local\Temp\tgowi.exe"
    2196

Name	Response	Post-Analysis Lookup
www.virgocxexdc.com	A 64.32.2.54 CNAME cdn03-wbvigrocx02.zjc1995.top	64.32.2.54
www.socialhundutbildning.com	A 85.132.152.254	85.132.152.254
www.bonniebathco.com	A 213.171.195.105	213.171.195.105
www.wormholeent.com	A 154.92.17.251	154.92.17.251
www.brownstone.marketing	A 208.91.197.39	208.91.197.39
www.whymart.info	A 162.0.228.125	162.0.228.125
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.293854.com	CNAME 2xin2.zhanghonghong.com A 122.10.13.104	122.10.13.104

IP Address	Status	Action
122.10.13.104	Active	Moloch
154.92.17.251	Active	Moloch
162.0.228.125	Active	Moloch
164.124.101.2	Active	Moloch
208.91.197.39	Active	Moloch
213.171.195.105	Active	Moloch
45.33.6.223	Active	Moloch
64.32.2.54	Active	Moloch
85.132.152.254	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49171 -> 122.10.13.104:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 213.171.195.105:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 162.0.228.125:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 154.92.17.251:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 154.92.17.251:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 154.92.17.251:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 154.92.17.251:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 85.132.152.254:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 85.132.152.254:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 85.132.152.254:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 162.0.228.125:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 162.0.228.125:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 162.0.228.125:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49181 -> 208.91.197.39:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 213.171.195.105:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 213.171.195.105:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 213.171.195.105:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 208.91.197.39:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 208.91.197.39:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 208.91.197.39:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 122.10.13.104:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 122.10.13.104:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 122.10.13.104:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 18, 2023, 1:31 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.socialhundutbildning.com/3ri5/?47c8A=6fyh8NvGOALu1WTna1arX7cRTcJCaVezDnAB3SRdKno18i/IpLBv249NcS6xMQ5eVQU4L0x/+9B8EC80MEZinUr1wfqFxLl/6VdFhjA=&Ix=-ol_d8ABE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.wormholeent.com/3ri5/?47c8A=GAeB9SO66wCu7XeOxUWjwQ3IXqr33QahFXqmZDAHjMk4F3Cn5yc7ZixTmnMJeZduFMM5t3USTT/RsQKU/fMUECl8s6zVBxGU3NlUJkM=&Ix=-ol_d8ABE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.293854.com/3ri5/?47c8A=8VfWc3I9T0q8uLWt5vMA8t/NaJjt99H5WpUIa33bhFXaN7+r5efgDAaDSWZ+OfLFop0DNHorEURjgXjwxWmjSn88pL4ptwdkA3+hAeE=&Ix=-ol_d8ABE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bonniebathco.com/3ri5/?47c8A=m+9EiGOaRuotdr7HR1ai1gdt1GNDw1TmEpGkjtFtzc/dlwOBWFwqBGIyHAmZ6oV7v4zUEyUjENgsJ6+uFn07ZXodw4yIovvs9zaIw1Y=&Ix=-ol_d8ABE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.whymart.info/3ri5/?47c8A=gg0WwMZJut98Pb9POX8BsR2tb4GvDHep0vhbybEGdeWO1wRcOh+rgMaB6OW+qqHzEPN/5qYCuQhy7THlnR0IkhmSzx7meYhwBzxXGxM=&Ix=-ol_d8ABE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.brownstone.marketing/3ri5/?47c8A=v1a+ZoEzcRh50q2tDj03ofuTuK6dEashxWLebDlTotVYA45flfV1EPZtnjLTp8wtzJObZuW2CufgECU/vSOjQIa0l3HPVQyXyXUaHkE=&Ix=-ol_d8ABE

Performs some HTTP requests (12 events)

request	GET http://www.socialhundutbildning.com/3ri5/?47c8A=6fyh8NvGOALu1WTna1arX7cRTcJCaVezDnAB3SRdKno18i/IpLBv249NcS6xMQ5eVQU4L0x/+9B8EC80MEZinUr1wfqFxLl/6VdFhjA=&Ix=-ol_d8ABE
request	GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip
request	POST http://www.wormholeent.com/3ri5/
request	GET http://www.wormholeent.com/3ri5/?47c8A=GAeB9SO66wCu7XeOxUWjwQ3IXqr33QahFXqmZDAHjMk4F3Cn5yc7ZixTmnMJeZduFMM5t3USTT/RsQKU/fMUECl8s6zVBxGU3NlUJkM=&Ix=-ol_d8ABE
request	POST http://www.293854.com/3ri5/
request	GET http://www.293854.com/3ri5/?47c8A=8VfWc3I9T0q8uLWt5vMA8t/NaJjt99H5WpUIa33bhFXaN7+r5efgDAaDSWZ+OfLFop0DNHorEURjgXjwxWmjSn88pL4ptwdkA3+hAeE=&Ix=-ol_d8ABE
request	POST http://www.bonniebathco.com/3ri5/
request	GET http://www.bonniebathco.com/3ri5/?47c8A=m+9EiGOaRuotdr7HR1ai1gdt1GNDw1TmEpGkjtFtzc/dlwOBWFwqBGIyHAmZ6oV7v4zUEyUjENgsJ6+uFn07ZXodw4yIovvs9zaIw1Y=&Ix=-ol_d8ABE
request	POST http://www.whymart.info/3ri5/
request	GET http://www.whymart.info/3ri5/?47c8A=gg0WwMZJut98Pb9POX8BsR2tb4GvDHep0vhbybEGdeWO1wRcOh+rgMaB6OW+qqHzEPN/5qYCuQhy7THlnR0IkhmSzx7meYhwBzxXGxM=&Ix=-ol_d8ABE
request	POST http://www.brownstone.marketing/3ri5/
request	GET http://www.brownstone.marketing/3ri5/?47c8A=v1a+ZoEzcRh50q2tDj03ofuTuK6dEashxWLebDlTotVYA45flfV1EPZtnjLTp8wtzJObZuW2CufgECU/vSOjQIa0l3HPVQyXyXUaHkE=&Ix=-ol_d8ABE

Sends data using the HTTP POST Method (5 events)

request	POST http://www.wormholeent.com/3ri5/
request	POST http://www.293854.com/3ri5/
request	POST http://www.bonniebathco.com/3ri5/
request	POST http://www.whymart.info/3ri5/
request	POST http://www.brownstone.marketing/3ri5/

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 18, 2023, 1:31 p.m.	process_identifier: 2992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ec2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 1:31 p.m.	process_identifier: 964 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 1:31 p.m.	process_identifier: 964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 1:31 p.m.	process_identifier: 2196 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\tgowi.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 18, 2023, 1:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 964 called NtSetContextThread to modify thread in remote process 2196
NtSetContextThread April 18, 2023, 1:31 p.m.	registers.eip: 2001207748 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000d4 process_identifier: 2196	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

64.32.2.54:80

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Win32.Agent.tshg
MicroWorld-eScan	Trojan.Generic.33454444
FireEye	Generic.mg.241b78d02640dea2
ALYac	Trojan.Generic.33454444
Malwarebytes	Malware.AI.3995303870
VIPRE	Trojan.Generic.33454444
Sangfor	Spyware.Win32.Injector.V08a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:Win32/Injector.220f04f2
K7AntiVirus	Trojan ( 005a37e21 )
VirIT	Trojan.Win32.GenusT.EGFI
Symantec	Packed.NSISPacker!g14
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ESWF
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
BitDefender	Trojan.Generic.33454444
Sophos	Mal/Generic-S
Avira	HEUR/AGEN.1337959
MAX	malware (ai score=85)
Antiy-AVL	Trojan/Win32.Injector
Gridinsoft	Trojan.Win32.Downloader.sa
Arcabit	Trojan.Generic.D1FE796C
ZoneAlarm	HEUR:Trojan-Spy.Win32.Noon.gen
Google	Detected
AhnLab-V3	Trojan/Win.NSISInject.R495658
McAfee	RDN/Generic.dx
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0CDF23
Tencent	Win32.Trojan-Spy.Noon.Bplw
Ikarus	Trojan-Spy.FormBook
Fortinet	W32/Injector.ESVZ!tr
DeepInstinct	MALICIOUS

locacem2.1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All