Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 4, 2023, 11:19 a.m.	July 4, 2023, 11:21 a.m.

Size	238.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`abf89b932e8ef30a751c9b989549ec89`
SHA256	`011765b154e93fd26afc6331fa7330996162cd8b9ae00c938a630e6bcca2cc0f`
CRC32	`47FEDC61`
ssdeep	`6144:PYa6/RSn8Dy+MAUfNi65ScnbuxVugNFXzX6xfpEvlb:PYV0n83EfHYibuCgNFjX6xfGh`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

RFx - NRSB-SPCI_QHK_NRSB_SPCI_115R1_023.exe "C:\Users\test22\AppData\Local\Temp\RFx - NRSB-SPCI_QHK_NRSB_SPCI_115R1_023.exe"
2556
- RFx - NRSB-SPCI_QHK_NRSB_SPCI_115R1_023.exe "C:\Users\test22\AppData\Local\Temp\RFx - NRSB-SPCI_QHK_NRSB_SPCI_115R1_023.exe"
  2656

Flow	SID	Signature	Category
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 216.239.36.21:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 216.239.36.21:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 216.239.36.21:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 107.189.12.132:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 107.189.12.132:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 107.189.12.132:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 107.189.12.132:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 107.189.12.132:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 4, 2023, 11:19 a.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.houtsang.top/rx63/?v2=VlLW2NhVMZmXG6hxgxx+thcWCdrS7CDKDh6B3GCUCKxG9hmZpyr5p1bEfW5L7SHmGF/9Avel&CZ=7nExZbW
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.benelu-duodefils.com/rx63/?v2=HUcnflQOG9YonvR2sjKjIWzCjLqpPnJ337/kiqXUxo4WVewSax/Nv6lIXYu4jtofiMzSrpEZ&CZ=7nExZbW

request	GET http://www.houtsang.top/rx63/?v2=VlLW2NhVMZmXG6hxgxx+thcWCdrS7CDKDh6B3GCUCKxG9hmZpyr5p1bEfW5L7SHmGF/9Avel&CZ=7nExZbW
request	GET http://www.benelu-duodefils.com/rx63/?v2=HUcnflQOG9YonvR2sjKjIWzCjLqpPnJ337/kiqXUxo4WVewSax/Nv6lIXYu4jtofiMzSrpEZ&CZ=7nExZbW

domain

www.houtsang.top

description

Generic top level domain TLD

Time & API	Arguments	Status
NtProtectVirtualMemory July 4, 2023, 11:19 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2023, 11:19 a.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2023, 11:19 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031d0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2023, 11:19 a.m.	process_identifier: 2656 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\nsnF00F.tmp\etgactg.dll

file	C:\Users\test22\AppData\Local\Temp\nsnF00F.tmp\etgactg.dll

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 4, 2023, 11:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 called NtSetContextThread to modify thread in remote process 2656
NtSetContextThread July 4, 2023, 11:19 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321488 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 2656	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.tshg
Cynet	Malicious (score: 100)
Cylance	unsafe
Sangfor	Trojan.Win32.Formbook.V63v
K7AntiVirus	Trojan ( 0052eef11 )
K7GW	Trojan ( 0052eef11 )
Cybereason	malicious.32e8ef
Cyren	W32/Injector.BYKD-4018
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Formbook.AA
APEX	Malicious
Kaspersky	Trojan.Win32.Inject.aoztc
BitDefender	Gen:Variant.Nemesis.22777
MicroWorld-eScan	Gen:Variant.Nemesis.22777
Avast	Win32:InjectorX-gen [Trj]
Emsisoft	Gen:Variant.Nemesis.22777 (B)
F-Secure	Heuristic.HEUR/AGEN.1300673
DrWeb	Trojan.Siggen9.48175
VIPRE	Gen:Variant.Nemesis.22777
TrendMicro	Ransom.Win32.FORMBOOK.USPAXFS23
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.abf89b932e8ef30a
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
GData	Win32.Trojan-Stealer.FormBook.IY5V7X
Webroot	W32.Strab.Gen
Avira	HEUR/AGEN.1300673
Gridinsoft	Trojan.Win32.FormBook.bot
Arcabit	Trojan.Nemesis.D58F9 [many]
Microsoft	Trojan:Win32/FormBook.KA!MTB
Google	Detected
AhnLab-V3	Trojan/Win.NSISInject.R587856
McAfee	RDN/Formbook
MAX	malware (ai score=85)
VBA32	Trojan.NSIS.Agent
Malwarebytes	Trojan.Injector.NSIS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Ransom.Win32.FORMBOOK.USPAXFS23
Rising	Trojan.Injector!8.C4 (TFE:5:M3LTeDoVIzU)
Ikarus	Win32.Outbreak
Fortinet	NSIS/Agent.DCAC!tr
AVG	Win32:InjectorX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

RFx - NRSB-SPCI_QHK_NRSB_SPCI_115R1_023.exe