Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 14, 2023, 4:46 p.m.	July 14, 2023, 4:52 p.m.

Size	289.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`d534b629964d561e1e0deccf08ff6687`
SHA256	`ebc47d50c4ca732ef1da156f4284c35025bcbee243a8c5e022f3d1ffd1b50895`
CRC32	`DFAE04AB`
ssdeep	`6144:gYa6fWki9c0jscBBioNnP9+pW6slv+K3OKr0W/8i:gYxK9jscBYoNPSWflvD3br8i`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

maximan2.1.exe "C:\Users\test22\AppData\Local\Temp\maximan2.1.exe"
2560
- maximan2.1.exe "C:\Users\test22\AppData\Local\Temp\maximan2.1.exe"
  2664

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 104.21.8.182:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 104.21.8.182:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 104.21.8.182:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 216.40.34.41:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 216.40.34.41:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 216.40.34.41:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 14, 2023, 4:46 p.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 14, 2023, 4:46 p.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.cabecompetency.com/dh08/?tZU4=6zMJpal1jELWyVXE7kHb6wwT7/dU/IFboNnwxgqTXGKMHLLlLHTleu9daJ1rUWDkLY7oYrRx&Ult8E=GTgP1na8nVYlWF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tgecosystem.com/dh08/?tZU4=A2V9+T/OcVJ+R/N/A9wtV6HjqQDkHgT/bH3QOw4mF+D+JFEk4yQjTLfggiip6Wi3+INi1Nnf&Ult8E=GTgP1na8nVYlWF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.futurefmexpo.com/dh08/?tZU4=5gv4dgY5t2k2OqiJ2pc959383q9hiAV1qWA1rKNuG9NjkIQrUUmCD9VJnBdN/x2t6vjHDOZQ&Ult8E=GTgP1na8nVYlWF

request	GET http://www.cabecompetency.com/dh08/?tZU4=6zMJpal1jELWyVXE7kHb6wwT7/dU/IFboNnwxgqTXGKMHLLlLHTleu9daJ1rUWDkLY7oYrRx&Ult8E=GTgP1na8nVYlWF
request	GET http://www.tgecosystem.com/dh08/?tZU4=A2V9+T/OcVJ+R/N/A9wtV6HjqQDkHgT/bH3QOw4mF+D+JFEk4yQjTLfggiip6Wi3+INi1Nnf&Ult8E=GTgP1na8nVYlWF
request	GET http://www.futurefmexpo.com/dh08/?tZU4=5gv4dgY5t2k2OqiJ2pc959383q9hiAV1qWA1rKNuG9NjkIQrUUmCD9VJnBdN/x2t6vjHDOZQ&Ult8E=GTgP1na8nVYlWF

Time & API	Arguments	Status
NtProtectVirtualMemory July 14, 2023, 4:46 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 14, 2023, 4:46 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7394f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2023, 4:46 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03070000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2023, 4:46 p.m.	process_identifier: 2664 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\nsnF0E9.tmp\fzawrfns.dll

file	C:\Users\test22\AppData\Local\Temp\nsnF0E9.tmp\fzawrfns.dll

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 14, 2023, 4:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 called NtSetContextThread to modify thread in remote process 2664
NtSetContextThread July 14, 2023, 4:46 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321264 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000228 process_identifier: 2664	1	0	0

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Gen:Variant.Midie.125875
FireEye	Generic.mg.d534b629964d561e
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Zum.Androm.1
Cyren	W32/Injector.BOI.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ETCS
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Strab.gen
BitDefender	Gen:Variant.Midie.125875
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Trojan.Strab.Cwnw
VIPRE	Zum.Androm.1
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Emsisoft	Gen:Variant.Midie.125875 (B)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-Spy.Win32.Noon.gen
GData	Zum.Androm.1
Google	Detected
AhnLab-V3	Infostealer/Win.Generic.C5395778
MAX	malware (ai score=88)
Panda	Trj/GdSda.A
Rising	Trojan.Strab!8.12D03 (TFE:5:Hw8T7cRxNYL)
Ikarus	Trojan.NSIS.Guloader
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	NSIS/Agent.DCAC!tr
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS

maximan2.1.exe