Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 27, 2023, 9:45 a.m.	April 27, 2023, 10:02 a.m.

Size	266.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`c61c14e016aa835ade115c4e8463b20c`
SHA256	`a6e19abfe7b2644d3853d4ecffe567b80b9bb1fede1f53023beacec13fb2ac4c`
CRC32	`B1949DC7`
ssdeep	`6144:vYa68PxF+8OzEwYa/2CPFSjh9x2h316InaVE8tLs/W+EIjWRnNTq+5:vYapF+dP2C8tjAl6InaEy0WdkoNT35`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1372
- onaog.exe "C:\Users\test22\AppData\Local\Temp\onaog.exe" C:\Users\test22\AppData\Local\Temp\ygirsqwd.en
  2124
  - onaog.exe "C:\Users\test22\AppData\Local\Temp\onaog.exe"
    2176

Name	Response	Post-Analysis Lookup
www.zservers.xyz	A 103.42.108.46	103.42.108.46
www.moneyflowplant.com	CNAME moneyflowplant.com A 62.77.152.57	62.77.152.57
www.tugrow.top	A 66.29.131.66	66.29.131.66
www.xn--pdotrychler-l8a.ch	A 95.130.17.35	95.130.17.35
www.amateurshow.online	A 198.37.115.75	198.37.115.75
www.flamencovive.com	A 156.254.152.147	156.254.152.147
www.howtrue.info	CNAME howtrue.info A 184.168.113.29	184.168.113.29
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
103.42.108.46	Active	Moloch
156.254.152.147	Active	Moloch
164.124.101.2	Active	Moloch
184.168.113.29	Active	Moloch
198.37.115.75	Active	Moloch
45.33.6.223	Active	Moloch
62.77.152.57	Active	Moloch
66.29.131.66	Active	Moloch
95.130.17.35	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 66.29.131.66:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 95.130.17.35:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 66.29.131.66:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 156.254.152.147:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 62.77.152.57:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 184.168.113.29:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 103.42.108.46:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 103.42.108.46:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 103.42.108.46:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 103.42.108.46:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 66.29.131.66:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 66.29.131.66:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 66.29.131.66:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 66.29.131.66:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 95.130.17.35:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 95.130.17.35:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 95.130.17.35:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.37.115.75:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.37.115.75:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.37.115.75:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 156.254.152.147:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 156.254.152.147:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 156.254.152.147:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 184.168.113.29:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 184.168.113.29:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 184.168.113.29:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 103.42.108.46:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 27, 2023, 9:45 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.amateurshow.online/hjdr/?gyP=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4WKSSlO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&BpMI=3wJMt60D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.howtrue.info/hjdr/?gyP=kJhn0XnRZRgnPBFsTC3RrkdNU3jL2gKJb5tjL3sD/5M7+ZJLcewBYYG+QRdPVJXXplIlf5qgAFj8zlCmH3brR5caIrNXSuF9PhWnmJU=&BpMI=3wJMt60D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tugrow.top/hjdr/?gyP=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6Q88r0UIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&BpMI=3wJMt60D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.xn--pdotrychler-l8a.ch/hjdr/?gyP=viX6L1AgcIzkNKvffNzJJ+Yd0/U+wEe4YYZ25bQBQN6YyRvPjBEvK6hqMFdbfSlnHMzHqKUOr90SHQpYKy1ow0mwR1Rp7LB2XNGkbPc=&BpMI=3wJMt60D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.flamencovive.com/hjdr/?gyP=Q2x1/2XRNaCoEddx6sOZXLnv+KSTv7bV7HgPZNHBedwlTMxlPFbGwRMmBJS9SGXxHbGdmLM+AbQONc8TzqislaZC5YkVHeeGUBH5s5w=&BpMI=3wJMt60D

Performs some HTTP requests (12 events)

request	GET http://www.amateurshow.online/hjdr/?gyP=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4WKSSlO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&BpMI=3wJMt60D
request	GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip
request	POST http://www.zservers.xyz/hjdr/
request	POST http://www.howtrue.info/hjdr/
request	GET http://www.howtrue.info/hjdr/?gyP=kJhn0XnRZRgnPBFsTC3RrkdNU3jL2gKJb5tjL3sD/5M7+ZJLcewBYYG+QRdPVJXXplIlf5qgAFj8zlCmH3brR5caIrNXSuF9PhWnmJU=&BpMI=3wJMt60D
request	POST http://www.tugrow.top/hjdr/
request	GET http://www.tugrow.top/hjdr/?gyP=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6Q88r0UIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&BpMI=3wJMt60D
request	POST http://www.xn--pdotrychler-l8a.ch/hjdr/
request	GET http://www.xn--pdotrychler-l8a.ch/hjdr/?gyP=viX6L1AgcIzkNKvffNzJJ+Yd0/U+wEe4YYZ25bQBQN6YyRvPjBEvK6hqMFdbfSlnHMzHqKUOr90SHQpYKy1ow0mwR1Rp7LB2XNGkbPc=&BpMI=3wJMt60D
request	POST http://www.flamencovive.com/hjdr/
request	GET http://www.flamencovive.com/hjdr/?gyP=Q2x1/2XRNaCoEddx6sOZXLnv+KSTv7bV7HgPZNHBedwlTMxlPFbGwRMmBJS9SGXxHbGdmLM+AbQONc8TzqislaZC5YkVHeeGUBH5s5w=&BpMI=3wJMt60D
request	POST http://www.moneyflowplant.com/hjdr/

Sends data using the HTTP POST Method (6 events)

request	POST http://www.zservers.xyz/hjdr/
request	POST http://www.howtrue.info/hjdr/
request	POST http://www.tugrow.top/hjdr/
request	POST http://www.xn--pdotrychler-l8a.ch/hjdr/
request	POST http://www.flamencovive.com/hjdr/
request	POST http://www.moneyflowplant.com/hjdr/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.tugrow.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2124 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2176 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\onaog.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 27, 2023, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2124 called NtSetContextThread to modify thread in remote process 2176
NtSetContextThread April 27, 2023, 9:45 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000dc process_identifier: 2176	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Agent.tshg
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.24
ALYac	Trojan.NSISX.Spy.Gen.24
Cylance	unsafe
VIPRE	Trojan.NSISX.Spy.Gen.24
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.NSISX.Spy.Gen.24 [many]
Symantec	Packed.NSISPacker!g14
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan-Spy.Win32.Noon.gen
BitDefender	Trojan.NSISX.Spy.Gen.24
Avast	FileRepMalware [Trj]
Emsisoft	Trojan.NSISX.Spy.Gen.24 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.c61c14e016aa835a
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan-Spy.FormBook
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/VecStealer.LK!MTB
ZoneAlarm	UDS:Trojan-Spy.Win32.Noon.gen
GData	Win32.Trojan.Agent.J89GD5
Google	Detected
Acronis	suspicious
McAfee	Artemis!C61C14E016AA
MAX	malware (ai score=84)
Malwarebytes	Generic.Malware/Suspicious
Rising	Trojan.Generic@AI.100 (RDML:c67CYzHlImTv2StaOifwmQ)
Yandex	Trojan.Slntscn24.bZ1KkA
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.ESXB!tr
AVG	FileRepMalware [Trj]
DeepInstinct	MALICIOUS

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All