Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 26, 2023, 7:42 a.m.	July 26, 2023, 7:51 a.m.

Size	252.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`22866422e864635234b55a5d84fae10c`
SHA256	`ab81345f141fa4d777d142a4f8367c53e9840897bc2b4c3299a4f6696a46296d`
CRC32	`854A4FDB`
ssdeep	`6144:gYa6nprGpvOubvUthOXdcxzvqIC1KSm5L2JeF8/Uc:gYtodTbvC/NSm5L2JeKUc`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

ChromeSetup.exe "C:\Users\test22\AppData\Local\Temp\ChromeSetup.exe"
1984
- ChromeSetup.exe "C:\Users\test22\AppData\Local\Temp\ChromeSetup.exe"
  2056

Name	Response	Post-Analysis Lookup
www.trishpintar.com	CNAME cdn1.wixdns.net CNAME td-ccm-neg-87-45.wixdns.net A 34.149.87.45	34.149.87.45
www.hbiwhwr.shop	CNAME hbiwhwr.shop A 34.102.136.180	34.102.136.180
www.sx15k.com

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 34.149.87.45:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 34.149.87.45:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 34.149.87.45:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 26, 2023, 7:42 a.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.trishpintar.com/sy22/?XPc=ZcWCyggxITiff9Ntu8frHWICLZ17JBNS5H8XzpbFosEL7RS7W4YHICi5HEs8XFn8+eU3rAdd&Hpq=V6ALd0OhqlATeV
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.hbiwhwr.shop/sy22/?XPc=yd0bSXVZUXdU8qKTRdtZDhtRbXCT/uJkAzwFnTNcMl5wHiXF5PZYexVTbwnTO0CSyNbsU44F&Hpq=V6ALd0OhqlATeV

request	GET http://www.trishpintar.com/sy22/?XPc=ZcWCyggxITiff9Ntu8frHWICLZ17JBNS5H8XzpbFosEL7RS7W4YHICi5HEs8XFn8+eU3rAdd&Hpq=V6ALd0OhqlATeV
request	GET http://www.hbiwhwr.shop/sy22/?XPc=yd0bSXVZUXdU8qKTRdtZDhtRbXCT/uJkAzwFnTNcMl5wHiXF5PZYexVTbwnTO0CSyNbsU44F&Hpq=V6ALd0OhqlATeV

Time & API	Arguments	Status
NtAllocateVirtualMemory July 26, 2023, 7:42 a.m.	process_identifier: 1984 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2023, 7:42 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e90000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2023, 7:42 a.m.	process_identifier: 2056 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\nsgBE8A.tmp\fiowin.dll

file	C:\Users\test22\AppData\Local\Temp\nsgBE8A.tmp\fiowin.dll

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 26, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1984 called NtSetContextThread to modify thread in remote process 2056
NtSetContextThread July 26, 2023, 7:42 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000230 process_identifier: 2056	1	0	0

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Trojan.Garf.Gen.14
Malwarebytes	Malware.AI.1493217770
Cybereason	malicious.2e8646
Arcabit	Trojan.Garf.Gen.14 [many]
Cyren	W32/Injector.AHD.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Strab.gen
BitDefender	Trojan.Garf.Gen.14
Avast	FileRepMalware [Trj]
VIPRE	Trojan.Garf.Gen.14
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
FireEye	Generic.mg.22866422e8646352
Emsisoft	Trojan.Garf.Gen.14 (B)
Ikarus	Trojan.NSIS.Guloader
Microsoft	Trojan:Win32/Sabsik.TE.A!ml
ZoneAlarm	UDS:Trojan.Win32.Strab.gen
GData	Zum.Androm.1
Google	Detected
Acronis	suspicious
McAfee	Trojan-FVKZ!2D38A6217FBA
MAX	malware (ai score=86)
Rising	Trojan.Strab!8.12D03 (TFE:6:YIqdF1It4v)
Fortinet	NSIS/Agent.DCAC!tr
AVG	FileRepMalware [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (D)

ChromeSetup.exe