Summary | ZeroBOX

wininit.exe

Tags: Malicious Library, PE32, PE File

Category: FILE
Machine: s1_win7_x6403_us
Started: June 8, 2023, 5:31 p.m.
Completed: June 8, 2023, 5:41 p.m.
Size 187.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4c46bfbd4f6224963065eede69e80f7d
SHA256 9f649df261b4acb42fd9bef068c1ec6dab2728b4cc351f10abe779776c57903b
CRC32 7E600B80
ssdeep 3072:KM0EfxEL+nQslvNqn93DqLaPazjL3q2BiwX1fCtPzSJ/wzKJuwmT6yO:K1L+nzA9TqLw4jLfidPzlzKJo6
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49175 -> 216.40.34.41:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 162.254.37.64:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 162.254.37.64:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
UDP 192.168.56.103:50674 -> 164.124.101.2:53 2027867 ET INFO Observed DNS Query to .life TLD Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 162.254.37.64:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 162.254.37.64:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 162.254.37.64:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 162.254.37.64:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 122.10.50.92:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 156.237.242.36:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 47.57.240.200:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 47.57.240.200:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 47.57.240.200:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 208.91.197.27:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 208.91.197.27:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 162.254.37.64:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 208.91.197.27:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 162.254.37.64:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 162.254.37.64:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 162.254.37.64:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 198.252.98.107:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 216.40.34.41:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 216.40.34.41:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 216.40.34.41:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 156.237.242.36:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 198.252.98.107:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 156.237.242.36:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 198.252.98.107:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 156.237.242.36:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 198.252.98.107:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 122.10.50.92:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 122.10.50.92:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 122.10.50.92:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 122.10.50.92:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic

Suricata TLS

No Suricata TLS

suspicious_features GET method with no useragent header suspicious_request GET http://www.uchbfm.cfd/hqny/?m40HnJIf=m+ybVjvh7agWR9kwIW90wxm7xw0mVpAKZ7IrFeQzPIYANX32/SKYYL1eEsf44L+W0nPEXXXW2Q2sM9/iZhRVCXL5a7JofqeU46QhEqQ=&k-I=dHgK57WfpMAIaF9c
suspicious_features GET method with no useragent header suspicious_request GET http://www.kakekgirang5.shop/hqny/?m40HnJIf=CXlbuvDGPZkDZuVIC7pN9bWZtfAlmQpQeGiqx6WAcwFRIivK0QTPVQRfBJCVm9sX5H1lJ3DwQtgXkv6CkHLTc1MyWUNY9q0X0o/sl2U=&k-I=dHgK57WfpMAIaF9c
suspicious_features GET method with no useragent header suspicious_request GET http://www.montanasapphires.online/hqny/?m40HnJIf=n1CdPpzxYwqEjsG0Qgxc3fK1e+R7zylx10dE7UARUo2qmYQZkuFozCTNAjLX4OweHcopEvO11zC7KH5OIbyIbW6BPXRJsCk2YfaTf38=&k-I=dHgK57WfpMAIaF9c
suspicious_features GET method with no useragent header suspicious_request GET http://www.luxeconcept.net/hqny/?m40HnJIf=Hsr+FS3aUC3v5cYG2kJwTz2Fiv05Ac/D2GVn4rP2+cnf/CEwXrKsow638/CQaZGhQs+ww4P4gMYs+x3Lc8BNJT7QU85Ww4GHlJMw20s=&k-I=dHgK57WfpMAIaF9c
suspicious_features GET method with no useragent header suspicious_request GET http://www.gardinalplace.life/hqny/?m40HnJIf=dCEp+0m3P0JUSbGijBo/RSr8kaN/Z3sSlC8vhR/5CqloiAn9JexI0t5iKqyAv6gMC40bfRj5WBEr7LlDi1AuUeAMNiBwlcnzOqfFvew=&k-I=dHgK57WfpMAIaF9c
suspicious_features GET method with no useragent header suspicious_request GET http://www.seseapk.com/hqny/?m40HnJIf=mJH9W27z8cbsc7vpY+E6DLxpKObOQHn2HvWQb9G1AeaU7CpO/W7NVY91S6OxE3LAXZsPh7Ioc7rkgvN9xJr9EVPP8ghUoovlGQYiqlI=&k-I=dHgK57WfpMAIaF9c
suspicious_features GET method with no useragent header suspicious_request GET http://www.69573.xyz/hqny/?m40HnJIf=LuFWF9Ua84RDJQoWRjdHaxOOJGr2k3CF/TnoVcaYxo8S6F7pRCZMbcZzZdCEfatU6D3gOhGC0lLUMqABcFj4if2qqDICpO2nO8eNe9I=&k-I=dHgK57WfpMAIaF9c
request POST http://www.uchbfm.cfd/hqny/
request GET http://www.uchbfm.cfd/hqny/?m40HnJIf=m+ybVjvh7agWR9kwIW90wxm7xw0mVpAKZ7IrFeQzPIYANX32/SKYYL1eEsf44L+W0nPEXXXW2Q2sM9/iZhRVCXL5a7JofqeU46QhEqQ=&k-I=dHgK57WfpMAIaF9c
request GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
request GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
request POST http://www.kakekgirang5.shop/hqny/
request GET http://www.kakekgirang5.shop/hqny/?m40HnJIf=CXlbuvDGPZkDZuVIC7pN9bWZtfAlmQpQeGiqx6WAcwFRIivK0QTPVQRfBJCVm9sX5H1lJ3DwQtgXkv6CkHLTc1MyWUNY9q0X0o/sl2U=&k-I=dHgK57WfpMAIaF9c
request POST http://www.montanasapphires.online/hqny/
request GET http://www.montanasapphires.online/hqny/?m40HnJIf=n1CdPpzxYwqEjsG0Qgxc3fK1e+R7zylx10dE7UARUo2qmYQZkuFozCTNAjLX4OweHcopEvO11zC7KH5OIbyIbW6BPXRJsCk2YfaTf38=&k-I=dHgK57WfpMAIaF9c
request POST http://www.luxeconcept.net/hqny/
request GET http://www.luxeconcept.net/hqny/?m40HnJIf=Hsr+FS3aUC3v5cYG2kJwTz2Fiv05Ac/D2GVn4rP2+cnf/CEwXrKsow638/CQaZGhQs+ww4P4gMYs+x3Lc8BNJT7QU85Ww4GHlJMw20s=&k-I=dHgK57WfpMAIaF9c
request POST http://www.gardinalplace.life/hqny/
request GET http://www.gardinalplace.life/hqny/?m40HnJIf=dCEp+0m3P0JUSbGijBo/RSr8kaN/Z3sSlC8vhR/5CqloiAn9JexI0t5iKqyAv6gMC40bfRj5WBEr7LlDi1AuUeAMNiBwlcnzOqfFvew=&k-I=dHgK57WfpMAIaF9c
request POST http://www.seseapk.com/hqny/
request GET http://www.seseapk.com/hqny/?m40HnJIf=mJH9W27z8cbsc7vpY+E6DLxpKObOQHn2HvWQb9G1AeaU7CpO/W7NVY91S6OxE3LAXZsPh7Ioc7rkgvN9xJr9EVPP8ghUoovlGQYiqlI=&k-I=dHgK57WfpMAIaF9c
request POST http://www.69573.xyz/hqny/
request GET http://www.69573.xyz/hqny/?m40HnJIf=LuFWF9Ua84RDJQoWRjdHaxOOJGr2k3CF/TnoVcaYxo8S6F7pRCZMbcZzZdCEfatU6D3gOhGC0lLUMqABcFj4if2qqDICpO2nO8eNe9I=&k-I=dHgK57WfpMAIaF9c
API calls (arguments, then status / return value / repeat count)

NtProtectVirtualMemory
process_identifier: 1648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008f1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory
process_identifier: 1648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008f1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory
process_identifier: 1648
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
section: name .text, size_of_data 0x0002da00, virtual_address 0x00001000, virtual_size 0x0002d8e4, entropy 7.9968839838
description: A section with a high entropy has been found
entropy: 1.0
description: Overall entropy of this PE file is high
API calls (arguments, then status / return value / repeat count)

LookupPrivilegeValueW
system_name: (empty)
privilege_name: SeDebugPrivilege
status: 1, return: 1, repeated: 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Ser.Razy.7042
McAfee GenericRXVJ-YP!4C46BFBD4F62
Malwarebytes Trojan.Crypt
VIPRE Gen:Variant.Ser.Razy.7042
Sangfor Trojan.Win32.Formbook.V8zk
K7AntiVirus Trojan ( 00536d121 )
K7GW Riskware ( 0040eff71 )
Cybereason malicious.d4f622
Arcabit Trojan.Ser.Razy.D1B82
Cyren W32/Formbook.N.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Formbook.AK
APEX Malicious
Kaspersky UDS:Trojan.Win32.Generic
BitDefender Gen:Variant.Ser.Razy.7042
Avast Win32:PWSX-gen [Trj]
Tencent Win32.Trojan.Generic.Unkl
Sophos Troj/Formbook-A
F-Secure Trojan.TR/Crypt.ZPACK.Gen
DrWeb Trojan.Packed2.45325
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Trapmine suspicious.low.ml.score
FireEye Generic.mg.4c46bfbd4f622496
Emsisoft Gen:Variant.Ser.Razy.7042 (B)
Ikarus Trojan.Win32.Formbook
Avira TR/Crypt.ZPACK.Gen
Antiy-AVL GrayWare/Win32.Formbook.A
Microsoft Trojan:Win32/Formbook.RG!MTB
ZoneAlarm UDS:Trojan.Win32.Generic
GData Gen:Variant.Ser.Razy.7042
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Formbook.X2184
VBA32 Malware-Cryptor.General.3
ALYac Gen:Variant.Ser.Razy.7042
MAX malware (ai score=88)
Cylance unsafe
Rising Ransom.Digitala!8.305 (TFE:3:4bkQNC3KfED)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Formbook.AK!tr
BitDefenderTheta AI:Packer.1BAFC5191E
AVG Win32:PWSX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)