Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 7, 2023, 6:39 p.m.	July 7, 2023, 6:41 p.m.

Size	370.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`dc1ced16440c1685cfc2bfe7c9fda083`
SHA256	`75b39cc100daec7e9cb2d893a9f2f6b884686ae6eb68af1cead713f416764bd8`
CRC32	`4CE324B7`
ssdeep	`6144:gYa6MWtlljyUCysUFC3iWPzifvx/6ryKTz5+uukr3o8uGMpJZpCXS:gY+I3z0ZzSx/M13o8AncS`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

enstomc2.1.exe "C:\Users\test22\AppData\Local\Temp\enstomc2.1.exe"
2624
- enstomc2.1.exe "C:\Users\test22\AppData\Local\Temp\enstomc2.1.exe"
  2772

Name	Response	Post-Analysis Lookup
www.deliciasbethel.info	A 199.115.116.43	199.115.116.43
www.rastreosonline.lat	A 35.186.223.180	35.186.223.180
www.globalservice.fun	A 198.143.186.151 CNAME globalservice.fun	198.143.186.151
www.lawyercriminal.online	A 74.208.236.124	74.208.236.124

IP Address	Status	Action
164.124.101.2	Active	Moloch
198.143.186.151	Active	Moloch
199.115.116.43	Active	Moloch
35.186.223.180	Active	Moloch
74.208.236.124	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 74.208.236.124:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 74.208.236.124:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 74.208.236.124:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 198.143.186.151:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 198.143.186.151:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 198.143.186.151:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 35.186.223.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 35.186.223.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 35.186.223.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 199.115.116.43:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 199.115.116.43:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 199.115.116.43:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 7, 2023, 6:39 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lawyercriminal.online/c20s/?DVBX=OqT4TDZXX8n4nzhgSqDClvlTeNzDX736vbjdAvptvkJx+VGp3lprU3NJ1OqV6uSCFtdB5HHf&UbGD=qFNxA0YxDdFXnlHP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.deliciasbethel.info/c20s/?DVBX=0MD65XWqEGmfQ0385QOYLMWXUmbCICRz+ZxGu9aOkLt7+ZM+opJpio0/V1ouAxNLj4ViaBph&UbGD=qFNxA0YxDdFXnlHP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.globalservice.fun/c20s/?DVBX=8GjTKD1P5krVnnM+7bBe0gOYwBaMV8hxPnCdvjlSRTD5gVIx5fO8N6aCbhO/gOACPtm11bCQ&UbGD=qFNxA0YxDdFXnlHP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.rastreosonline.lat/c20s/?DVBX=3rfdN+WQ4K5ti9+PcEtUR+xxfPddEUd2ubj+kG8ODpULlQc0d7OahN6Fp1kUWJZerpn6yhMk&UbGD=qFNxA0YxDdFXnlHP

Performs some HTTP requests (4 events)

request	GET http://www.lawyercriminal.online/c20s/?DVBX=OqT4TDZXX8n4nzhgSqDClvlTeNzDX736vbjdAvptvkJx+VGp3lprU3NJ1OqV6uSCFtdB5HHf&UbGD=qFNxA0YxDdFXnlHP
request	GET http://www.deliciasbethel.info/c20s/?DVBX=0MD65XWqEGmfQ0385QOYLMWXUmbCICRz+ZxGu9aOkLt7+ZM+opJpio0/V1ouAxNLj4ViaBph&UbGD=qFNxA0YxDdFXnlHP
request	GET http://www.globalservice.fun/c20s/?DVBX=8GjTKD1P5krVnnM+7bBe0gOYwBaMV8hxPnCdvjlSRTD5gVIx5fO8N6aCbhO/gOACPtm11bCQ&UbGD=qFNxA0YxDdFXnlHP
request	GET http://www.rastreosonline.lat/c20s/?DVBX=3rfdN+WQ4K5ti9+PcEtUR+xxfPddEUd2ubj+kG8ODpULlQc0d7OahN6Fp1kUWJZerpn6yhMk&UbGD=qFNxA0YxDdFXnlHP

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 7, 2023, 6:39 p.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 6:39 p.m.	process_identifier: 2624 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 6:39 p.m.	process_identifier: 2624 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032d0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 6:39 p.m.	process_identifier: 2772 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsyEED6.tmp\rqxiof.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsyEED6.tmp\rqxiof.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 7, 2023, 6:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2624 called NtSetContextThread to modify thread in remote process 2772
NtSetContextThread July 7, 2023, 6:39 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 2772	1	0	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.tshg
DrWeb	Trojan.Loader.1589
MicroWorld-eScan	Gen:Variant.Nemesis.22800
FireEye	Generic.mg.dc1ced16440c1685
ALYac	Trojan.NSISX.Spy.Gen.24
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/Injector.BOI.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ETBX
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Strab.gen
BitDefender	Gen:Variant.Nemesis.22800
Avast	FileRepMalware [Pws]
Emsisoft	Gen:Variant.Nemesis.22800 (B)
F-Secure	Trojan.TR/AD.Swotter.hswkb
VIPRE	Gen:Variant.Nemesis.22800
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
Sophos	Mal/Generic-S
Avira	TR/AD.Swotter.hswkb
Arcabit	Trojan.Nemesis.D5910 [many]
ZoneAlarm	UDS:Trojan.Win32.Strab.gen
GData	Win32.Trojan-Stealer.FormBook.VLM839
Google	Detected
AhnLab-V3	Infostealer/Win.Generic.C5395778
McAfee	Artemis!DC1CED16440C
MAX	malware (ai score=82)
Malwarebytes	Generic.Malware/Suspicious
Rising	Trojan.Injector!8.C4 (TFE:6:mGe17sBdx5E)
Ikarus	Trojan.NSIS.Guloader
Fortinet	NSIS/Agent.DCAC!tr
AVG	FileRepMalware [Pws]
DeepInstinct	MALICIOUS

enstomc2.1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All