Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 17, 2023, 9 a.m.	May 17, 2023, 9:02 a.m.

Size	249.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`d35fc5185c8a58731cc0b8c4371e6c9c`
SHA256	`642b58aecd23773984d262d3ec75346a5ed4f5409ef9aaa5babc4dcd0619b427`
CRC32	`8647A57C`
ssdeep	`6144:PYa6xhzbisGPq9rYlK9Tnb2hF2HWxp7+yOyXe:PYLhzbZyE8OjbsU4p7+TyXe`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

jenns.exe "C:\Users\test22\AppData\Local\Temp\jenns.exe"
508
- jenns.exe "C:\Users\test22\AppData\Local\Temp\jenns.exe"
  2124

Name	Response	Post-Analysis Lookup
www.879-21.review	A 38.177.159.165	38.177.159.165
www.shpmig.xyz
www.maniapetlovers.online
www.estherxpena.com	A 127.0.0.1
www.lgys174.top	A 107.148.25.134	107.148.25.134
www.cryptohere.net	A 104.21.33.161 A 172.67.164.202	104.21.33.161
www.memshaconsultancy.com	CNAME memshaconsultancy.com A 149.255.62.50	149.255.62.50
www.nescotopp.shop	A 84.32.84.32 CNAME nescotopp.shop	84.32.84.32
www.1waif.top	A 23.234.28.124	23.234.28.124
www.ascents.info	A 162.0.225.178	162.0.225.178
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
107.148.25.134	Active	Moloch
149.255.62.50	Active	Moloch
162.0.225.178	Active	Moloch
164.124.101.2	Active	Moloch
172.67.164.202	Active	Moloch
23.234.28.124	Active	Moloch
38.177.159.165	Active	Moloch
45.33.6.223	Active	Moloch
84.32.84.32	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 23.234.28.124:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 107.148.25.134:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 84.32.84.32:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 162.0.225.178:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 149.255.62.50:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 107.148.25.134:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 107.148.25.134:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 107.148.25.134:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 107.148.25.134:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 172.67.164.202:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 172.67.164.202:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 172.67.164.202:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 172.67.164.202:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 162.0.225.178:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 149.255.62.50:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 162.0.225.178:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 149.255.62.50:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 162.0.225.178:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 23.234.28.124:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 149.255.62.50:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 23.234.28.124:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 23.234.28.124:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 23.234.28.124:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 84.32.84.32:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 84.32.84.32:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 84.32.84.32:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 17, 2023, 9 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.1waif.top/hk38/?YmI=zzkZuzLAoma85XiX7lxIbQG/EJHsOO2+Q6oiR8OLkS/KwAhRwr9lPadDsgBC/R6Ehz+P4CWVVfJwNXurykV5FbLn1BWKF7Aw1kgOiys=&vVMKMC=JtlMqX9aXUH6E
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.memshaconsultancy.com/hk38/?YmI=ylcRdOeQ8XQ4MBe6+o+woVrTwHnafctqX6zKfONVwMcCeye0booFMTvbXdYSGzr1oUKVttZ5cokf78mxnXYdaQyvIAyyJB6YSbiDTd4=&vVMKMC=JtlMqX9aXUH6E
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lgys174.top/hk38/?YmI=C7+QLmlVH+QiRxI6PBDl5AOYi+WV4kkm2HpNG2cJ9XVlHr0M8Q0IkKn366y7kv3boAdk3F4dVuwUlUtIJQk6NWa3tLVuPdH+n5rm7/w=&vVMKMC=JtlMqX9aXUH6E
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.cryptohere.net/hk38/?YmI=ueolYRFMqDgL2w2WSyY2ND5otMaXj9PSMr4D1l6DUAw2kT04GXN59A0oGKPjQT9+3NvvA9XVQSpCofUlgfc89cVHCNXt6Tw+bOwl+vU=&vVMKMC=JtlMqX9aXUH6E
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ascents.info/hk38/?YmI=KrPc6+l/LbhA4QqNRpcmhen1wfbyqFB9qWau7oi8GuhJrnImuTvqwBhjinANrYUid0CBNXiHItrEvn/DOgRkhYxcfTTricRTxtRtwg8=&vVMKMC=JtlMqX9aXUH6E
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.nescotopp.shop/hk38/?YmI=DrtU8bnbnXpbNShePnwsRj13bS+UCxOuZvzH6bEjmv010pTnm4zit6bh6EVUeYhYrTCAEppr9rHC6Bu3VgZaW+HjzX/PpsxeO8UHktE=&vVMKMC=JtlMqX9aXUH6E

Performs some HTTP requests (13 events)

request	POST http://www.1waif.top/hk38/
request	GET http://www.1waif.top/hk38/?YmI=zzkZuzLAoma85XiX7lxIbQG/EJHsOO2+Q6oiR8OLkS/KwAhRwr9lPadDsgBC/R6Ehz+P4CWVVfJwNXurykV5FbLn1BWKF7Aw1kgOiys=&vVMKMC=JtlMqX9aXUH6E
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
request	POST http://www.memshaconsultancy.com/hk38/
request	GET http://www.memshaconsultancy.com/hk38/?YmI=ylcRdOeQ8XQ4MBe6+o+woVrTwHnafctqX6zKfONVwMcCeye0booFMTvbXdYSGzr1oUKVttZ5cokf78mxnXYdaQyvIAyyJB6YSbiDTd4=&vVMKMC=JtlMqX9aXUH6E
request	POST http://www.lgys174.top/hk38/
request	GET http://www.lgys174.top/hk38/?YmI=C7+QLmlVH+QiRxI6PBDl5AOYi+WV4kkm2HpNG2cJ9XVlHr0M8Q0IkKn366y7kv3boAdk3F4dVuwUlUtIJQk6NWa3tLVuPdH+n5rm7/w=&vVMKMC=JtlMqX9aXUH6E
request	POST http://www.cryptohere.net/hk38/
request	GET http://www.cryptohere.net/hk38/?YmI=ueolYRFMqDgL2w2WSyY2ND5otMaXj9PSMr4D1l6DUAw2kT04GXN59A0oGKPjQT9+3NvvA9XVQSpCofUlgfc89cVHCNXt6Tw+bOwl+vU=&vVMKMC=JtlMqX9aXUH6E
request	POST http://www.ascents.info/hk38/
request	GET http://www.ascents.info/hk38/?YmI=KrPc6+l/LbhA4QqNRpcmhen1wfbyqFB9qWau7oi8GuhJrnImuTvqwBhjinANrYUid0CBNXiHItrEvn/DOgRkhYxcfTTricRTxtRtwg8=&vVMKMC=JtlMqX9aXUH6E
request	POST http://www.nescotopp.shop/hk38/
request	GET http://www.nescotopp.shop/hk38/?YmI=DrtU8bnbnXpbNShePnwsRj13bS+UCxOuZvzH6bEjmv010pTnm4zit6bh6EVUeYhYrTCAEppr9rHC6Bu3VgZaW+HjzX/PpsxeO8UHktE=&vVMKMC=JtlMqX9aXUH6E

Sends data using the HTTP POST Method (6 events)

request	POST http://www.1waif.top/hk38/
request	POST http://www.memshaconsultancy.com/hk38/
request	POST http://www.lgys174.top/hk38/
request	POST http://www.cryptohere.net/hk38/
request	POST http://www.ascents.info/hk38/
request	POST http://www.nescotopp.shop/hk38/

Resolves a suspicious Top Level Domain (TLD) (2 events)

domain	www.1waif.top				description	Generic top level domain TLD
domain	www.lgys174.top				description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 17, 2023, 9 a.m.	process_identifier: 508 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 9 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d20000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 9 a.m.	process_identifier: 2124 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nshC0BD.tmp\qgsul.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nshC0BD.tmp\qgsul.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 17, 2023, 9 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 508 called NtSetContextThread to modify thread in remote process 2124
NtSetContextThread May 17, 2023, 9 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000230 process_identifier: 2124	1	0	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Gen:Variant.Nemesis.22806
FireEye	Generic.mg.d35fc5185c8a5873
Malwarebytes	Generic.Malware/Suspicious
VIPRE	Gen:Variant.Nemesis.22806
Sangfor	Trojan.Win32.Injector.V7t9
Alibaba	Trojan:Win32/Injector.6a7d447b
K7GW	Trojan ( 005a58ae1 )
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.Nemesis.D5916 [many]
Cyren	W32/Injector.BNC.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector_AGen.WS
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Nemesis.22806
Avast	FileRepMalware [Pws]
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.GenShell.csjup
DrWeb	Trojan.Loader.1495
TrendMicro	TROJ_GEN.R002C0DEG23
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Trapmine	malicious.moderate.ml.score
Emsisoft	Gen:Variant.Nemesis.22806 (B)
Ikarus	Trojan-Spy.FormBook
Avira	TR/AD.GenShell.csjup
MAX	malware (ai score=87)
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Formbook.AT!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Zum.Androm.1
Cynet	Malicious (score: 100)
McAfee	Artemis!D35FC5185C8A
Cylance	unsafe
Panda	Trj/Agent.SR
Rising	Trojan.VecStealer!8.180E7 (TFE:5:0fwdvnBwiGN)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.ESYG!tr
AVG	FileRepMalware [Pws]
Cybereason	malicious.85c8a5
DeepInstinct	MALICIOUS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	38.177.159.165:80
dead_host	192.168.56.103:49185

jenns.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All