Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 31, 2023, 7:33 a.m.	July 31, 2023, 7:37 a.m.

Size	313.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`732d840080e5382a366afe1ffd3e7aa3`
SHA256	`9ddf04a263108c79a27edc11dcb0314a9d4101e222a4c1406c6e556c3f8bebbd`
CRC32	`3E8433B2`
ssdeep	`6144:AYa6dsjR46ug3MbE1eChVNQPzeR/efcGIVZBCiM:AYbyKZCpAeZezIVZBM`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

vvlio7wypLsHed.exe "C:\Users\test22\AppData\Local\Temp\vvlio7wypLsHed.exe"
2544
- vvlio7wypLsHed.exe "C:\Users\test22\AppData\Local\Temp\vvlio7wypLsHed.exe"
  2648

Name	Response	Post-Analysis Lookup
www.truthistanbul.xyz	CNAME truthistanbul.xyz A 31.186.11.254	31.186.11.254
www.leaffonly.com	CNAME leaffonly.com A 15.197.142.173 A 3.33.152.147	3.33.152.147
www.flippinyourbusiness.com	A 34.102.136.180 CNAME flippinyourbusiness.com	34.102.136.180
www.happyhedgehogpress.com	CNAME happyhedgehogpress.com A 34.102.136.180	34.102.136.180
www.foreverenamored.com	A 185.181.104.242	185.181.104.242

Flow	SID	Signature	Category
TCP 192.168.56.101:49170 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 31.186.11.254:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 31.186.11.254:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 185.181.104.242:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 3.33.152.147:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 31, 2023, 7:33 a.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.foreverenamored.com/s27k/?mzr4=K0JmOqXr9HCtj2qTWz3wm1ISclVIfppkL5EMoSSMyzeFhY/mEgvox6BxsSrLYXaYq3j87tFB&Ulm=1bVHT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.leaffonly.com/s27k/?mzr4=pW37V/wDdSqrMpF5ldchVc6r7Ddh2sY8bFEqKAvZO/A4bpL2AchokubKXEqi/NpFzOeyX4rN&Ulm=1bVHT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.happyhedgehogpress.com/s27k/?mzr4=a2nlmsvFJPfX3VFlu+jfFNID+dUFrRaa9nceP0cgqTTsgglWoa+YQxHQjSPpl/c00euLIa3j&Ulm=1bVHT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.flippinyourbusiness.com/s27k/?mzr4=Xi7F+l4Lb4Vq+ZnK/97dtmej1UbPO7AQVB5jWoV3FA39X8wswabFceq/socQVQQl0jUSsZ5z&Ulm=1bVHT

request	GET http://www.foreverenamored.com/s27k/?mzr4=K0JmOqXr9HCtj2qTWz3wm1ISclVIfppkL5EMoSSMyzeFhY/mEgvox6BxsSrLYXaYq3j87tFB&Ulm=1bVHT
request	GET http://www.leaffonly.com/s27k/?mzr4=pW37V/wDdSqrMpF5ldchVc6r7Ddh2sY8bFEqKAvZO/A4bpL2AchokubKXEqi/NpFzOeyX4rN&Ulm=1bVHT
request	GET http://www.happyhedgehogpress.com/s27k/?mzr4=a2nlmsvFJPfX3VFlu+jfFNID+dUFrRaa9nceP0cgqTTsgglWoa+YQxHQjSPpl/c00euLIa3j&Ulm=1bVHT
request	GET http://www.flippinyourbusiness.com/s27k/?mzr4=Xi7F+l4Lb4Vq+ZnK/97dtmej1UbPO7AQVB5jWoV3FA39X8wswabFceq/socQVQQl0jUSsZ5z&Ulm=1bVHT

Time & API	Arguments	Status
NtProtectVirtualMemory July 31, 2023, 7:33 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 7:33 a.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 7:33 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 7:33 a.m.	process_identifier: 2648 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\nsyED7E.tmp\gtfsfx.dll

file	C:\Users\test22\AppData\Local\Temp\nsyED7E.tmp\gtfsfx.dll

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 31, 2023, 7:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 called NtSetContextThread to modify thread in remote process 2648
NtSetContextThread July 31, 2023, 7:33 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321696 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000230 process_identifier: 2648	1	0	0

Bkav	W32.Common.1B33A2C0
Lionic	Trojan.Win32.Agent.tshg
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.68407028
ALYac	Trojan.GenericKD.68407028
Malwarebytes	Trojan.Injector
VIPRE	Trojan.GenericKD.68407028
Sangfor	Trojan.Win32.Strab.Vx3f
K7AntiVirus	Trojan ( 005a945c1 )
Alibaba	Trojan:Win32/Strab.2073ace9
K7GW	Trojan ( 005a945c1 )
Arcabit	Trojan.Generic.D413CEF4
Cyren	W32/Ninjector.JU.gen!Eldorado
Symantec	Trojan Horse
ESET-NOD32	a variant of Win32/Injector.ETDU
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Trojan.Win32.Strab.cbo
BitDefender	Trojan.GenericKD.68407028
Avast	Win32:PWSX-gen [Trj]
Tencent	Win32.Trojan.Strab.Snkl
Emsisoft	Trojan.GenericKD.68407028 (B)
DrWeb	Trojan.Siggen21.12983
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
FireEye	Generic.mg.732d840080e5382a
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
Avira	TR/AD.GenShell.cllse
Antiy-AVL	Trojan/Win32.Lokibot
Gridinsoft	Trojan.Win32.FormBook.bot
Microsoft	Trojan:Win32/Casdet!rfn
ViRobot	Trojan.Win.Z.Spy.320954
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Trojan.GenericKD.68407028
Google	Detected
AhnLab-V3	Infostealer/Win.Generic.C5395778
McAfee	Artemis!732D840080E5
MAX	malware (ai score=84)
Cylance	unsafe
Panda	Trj/Chgt.AD
Rising	Trojan.Lokibot!8.F1B5 (TFE:5:lQY4QMl2gVH)
Fortinet	NSIS/Agent.DCAC!tr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

vvlio7wypLsHed.exe