Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 25, 2023, 10:10 a.m.	April 25, 2023, 10:13 a.m.

Size	279.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`c2193488994db0c99893eb8d336874e3`
SHA256	`e492e308b1967fc1dcd6cef3ad6f20d1a77ca5953460162d1d1ee71b000d66f7`
CRC32	`32C3436B`
ssdeep	`6144:/Ya6kZ/qTiW9GQW+e6YmWInO3PXE9hnAK620WIQsNAFF1iEhXvD0P9baR:/YSZ/qOWUrIOf09R90IsNAFF13D0PIR`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

Name	Response	Post-Analysis Lookup
www.lincornellah.africa
www.copywriters.agency
www.liberix.se
www.billydeluca.com	A 198.49.23.145 CNAME ext-cust.squarespace.com A 198.185.159.144 A 198.49.23.144 A 198.185.159.145	198.185.159.145

IP Address	Status	Action
164.124.101.2	Active	Moloch
198.49.23.144	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 198.49.23.144:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.49.23.144:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.49.23.144:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 25, 2023, 10:10 a.m.		1	1	0

section

.ndata

suspicious_features

GET method with no useragent header

suspicious_request

GET http://www.billydeluca.com/sd03/?jBZ4=bwn3WNXG1QkKkY/peZjHiiVfFEeZEuNxgxDQNfmA0NAm5QlqR0e5861NDsuhGMHW1ZdwAArQ&P0D=Abs0IXf

request

GET http://www.billydeluca.com/sd03/?jBZ4=bwn3WNXG1QkKkY/peZjHiiVfFEeZEuNxgxDQNfmA0NAm5QlqR0e5861NDsuhGMHW1ZdwAArQ&P0D=Abs0IXf

Time & API	Arguments	Status
NtAllocateVirtualMemory April 25, 2023, 10:10 a.m.	process_identifier: 2088 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 10:10 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c70000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 10:10 a.m.	process_identifier: 2160 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\onzqy.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 25, 2023, 10:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2088 called NtSetContextThread to modify thread in remote process 2160
NtSetContextThread April 25, 2023, 10:10 a.m.	registers.eip: 2005598660 registers.esp: 3735056 registers.edi: 0 registers.eax: 4321472 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c4 process_identifier: 2160	1	0	0

Lionic	Trojan.Win32.Agent.tshg
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.24
FireEye	Generic.mg.c2193488994db0c9
ALYac	Trojan.NSISX.Spy.Gen.24
Malwarebytes	Trojan.Injector
VIPRE	Trojan.NSISX.Spy.Gen.24
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.NSISX.Spy.Gen.24 [many]
BitDefenderTheta	Gen:NN.ZexaF.36164.fuW@aOfFC2ai
Cyren	W32/Injector.BMM.gen!Eldorado
Symantec	Packed.NSISPacker!g14
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ESWZ
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.NSISX.Spy.Gen.24
Avast	Win32:TrojanX-gen [Trj]
Emsisoft	Trojan.NSISX.Spy.Gen.24 (B)
F-Secure	Heuristic.HEUR/AGEN.1319135
McAfee-GW-Edition	BehavesLike.Win32.Trojan.dc
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
Ikarus	Trojan-Spy.FormBook
Avira	HEUR/AGEN.1319135
MAX	malware (ai score=80)
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/VecStealer.LK!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Fragtor.267099
Google	Detected
AhnLab-V3	Infostealer/Win.Generic.R563828
Acronis	suspicious
McAfee	Artemis!C2193488994D
Cylance	unsafe
Rising	Trojan.VecStealer!8.180E7 (TFE:5:fMtsFeBi6KP)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.ESWY!tr
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS

shedume2.1.exe