Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 3, 2023, 10:13 a.m.	Aug. 3, 2023, 10:16 a.m.

Size	285.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`4ef341e4b9c3229fe2281ddece402c22`
SHA256	`010058f0f4fdc7a44781d9704645f7dac272505984f7eed264675121992c1b77`
CRC32	`3D59567B`
ssdeep	`6144:AYa6uorMGf7Qu02GM2K8vn6lsOqbG3rC8AJ9u1T:AYA2MM7dEvv6lszbG3rCS`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

IB_iso.exe "C:\Users\test22\AppData\Local\Temp\IB_iso.exe"
2640
- IB_iso.exe "C:\Users\test22\AppData\Local\Temp\IB_iso.exe"
  2740

Name	Response	Post-Analysis Lookup
www.weinbrenner-stiftung.org	A 46.30.213.165	46.30.213.165
www.expelledclothing.com	A 96.126.123.244 A 198.58.118.167 A 45.33.30.197 A 45.33.23.183 A 45.79.19.196 A 72.14.185.43 A 72.14.178.174 A 45.33.20.235 A 45.56.79.23 A 45.33.2.79 A 45.33.18.44 A 173.255.194.134	198.58.118.167
www.help-hair.info	A 172.67.181.247 A 104.21.83.214	104.21.83.214
www.ceravolt.life	A 203.161.53.83	203.161.53.83
www.aquatic-organisms.info	A 199.59.243.224	199.59.243.224
www.eventz9.com	A 35.241.18.84	35.241.18.84
www.brownie.rest	A 202.172.26.52	202.172.26.52
www.ridonestore.shop	CNAME ridonestore.shop A 84.32.84.32	84.32.84.32
www.hncovnyyra.best	A 172.67.145.145 A 104.21.73.140	172.67.145.145
www.rva.info	A 3.64.163.50	3.64.163.50
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.potent-tech.com	A 119.28.69.86	119.28.69.86

IP Address	Status	Action
104.21.83.214	Active	Moloch
119.28.69.86	Active	Moloch
164.124.101.2	Active	Moloch
172.67.145.145	Active	Moloch
199.59.243.224	Active	Moloch
202.172.26.52	Active	Moloch
203.161.53.83	Active	Moloch
3.64.163.50	Active	Moloch
35.241.18.84	Active	Moloch
45.33.30.197	Active	Moloch
45.33.6.223	Active	Moloch
46.30.213.165	Active	Moloch
84.32.84.32	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49176 -> 203.161.53.83:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 203.161.53.83:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 3, 2023, 10:13 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 3, 2023, 10:13 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (23 events)

request	POST http://www.hncovnyyra.best/mv9h/
request	GET http://www.hncovnyyra.best/mv9h/?U4Qv-=HcykeIqVbXhfppJwoSsM/lzOWEv/63sUc26l9Pyzi/RiJWpkCKG7rYCg+zEFiCvlKsq6aaTMW0S7wU6+gIahRGdD6ziJ49MY8t7Y4AU=&cimW=lS77a8
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3120000.zip
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3130000.zip
request	POST http://www.rva.info/mv9h/
request	GET http://www.rva.info/mv9h/?U4Qv-=VRRqi/ql977uvieqYsG4fOrDt8dXLrN86EfRdYcOQNSbko9uA8lJYMBA/4W5F4bPxRFvp/KzmV+IiXK6fR3lqPQiRqLY9cobKkCJQRY=&cimW=lS77a8
request	POST http://www.expelledclothing.com/mv9h/
request	GET http://www.expelledclothing.com/mv9h/?U4Qv-=9a4cyonTP0e6NuzSlLJ27FO37WvMSZ0WaVw1AMtOxtaCv+m5JRKGBAYKzIKL0anZ1A3e1EfBSBxBW9/OLTmFzaHtcxx2Mn8hsStbcMw=&cimW=lS77a8
request	POST http://www.brownie.rest/mv9h/
request	GET http://www.brownie.rest/mv9h/?U4Qv-=vmn/PMHMKvttZlwOVZyOjTJZ+WpUZFfmH6ozGnWYHclktmcXFHgsldQI8V2t6yLP30Sy4KtKyocnDpxwpleQA38uNlwzTJH7fcDgzks=&cimW=lS77a8
request	POST http://www.ceravolt.life/mv9h/
request	GET http://www.ceravolt.life/mv9h/?U4Qv-=9IeKlzzeiCBmV6GZneJqnhQdGcMOrN2zpJl1PcRdXHgPlBFjKoUh2wO5Xuu1XzrnlBtm9u1a/Ow39lO36+F22xQtyEIwfDBXWZJ5lHc=&cimW=lS77a8
request	POST http://www.eventz9.com/mv9h/
request	GET http://www.eventz9.com/mv9h/?U4Qv-=DhN/pfZhMnl4HQr18JX+oR8+aYaT8DsUwwvwmuFtuqFZv8xoKl2cv7n6clvWh1ER01rwIDgQIfjRcGmRjQxyMnOEIFklWxiWmR0afZM=&cimW=lS77a8
request	POST http://www.weinbrenner-stiftung.org/mv9h/
request	GET http://www.weinbrenner-stiftung.org/mv9h/?U4Qv-=KriJDkyr9ZSDK5SncDruUH89KQPsZisyljIEVA7ACCuqryEISDWc4fIbxiwjaj9YllKMJ4K263YcXqSukN/9eRkxhZw6ZQvhn0MgKpA=&cimW=lS77a8
request	POST http://www.aquatic-organisms.info/mv9h/
request	GET http://www.aquatic-organisms.info/mv9h/?U4Qv-=iptoip7pWRsS9xKJtuuMpZ3pZju1uspYTD6Awsn8x9vJeBkpaHApDsxm5SKYRJmJIPm4Br1em9F8LnG0RKBgEpAwWbXUGUe5zk5WzmM=&cimW=lS77a8
request	POST http://www.help-hair.info/mv9h/
request	GET http://www.help-hair.info/mv9h/?U4Qv-=GNz0FM0e5ScvNElU2Hu2om6Rqm4e+67FZh9yl10aFczOUMs8DWUv0BGRHOdPh5hc0CAdyJzRrvN/qShJrEMPe4vi0TNirV+929KqINs=&cimW=lS77a8
request	POST http://www.ridonestore.shop/mv9h/
request	GET http://www.ridonestore.shop/mv9h/?U4Qv-=9VxnjTCqrqAAIhZwG9PoTS29kvYV+Vsyiu2Fvyx7VLgNyAFzPPwxiPtN8AaY7yAV9hQiJzLhpdoSmgIbJxvhNzuKboEGgwYKJo7uw1I=&cimW=lS77a8
request	POST http://www.potent-tech.com/mv9h/

Sends data using the HTTP POST Method (11 events)

request	POST http://www.hncovnyyra.best/mv9h/
request	POST http://www.rva.info/mv9h/
request	POST http://www.expelledclothing.com/mv9h/
request	POST http://www.brownie.rest/mv9h/
request	POST http://www.ceravolt.life/mv9h/
request	POST http://www.eventz9.com/mv9h/
request	POST http://www.weinbrenner-stiftung.org/mv9h/
request	POST http://www.aquatic-organisms.info/mv9h/
request	POST http://www.help-hair.info/mv9h/
request	POST http://www.ridonestore.shop/mv9h/
request	POST http://www.potent-tech.com/mv9h/

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 3, 2023, 10:13 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2023, 10:13 a.m.	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2023, 10:13 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031a0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2023, 10:13 a.m.	process_identifier: 2740 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nslEFC1.tmp\cddhbytci.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nslEFC1.tmp\cddhbytci.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 3, 2023, 10:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2640 called NtSetContextThread to modify thread in remote process 2740
NtSetContextThread Aug. 3, 2023, 10:13 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199520 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2740	1	0	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.tshg
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.24
FireEye	Generic.mg.4ef341e4b9c3229f
ALYac	Trojan.NSISX.Spy.Gen.24
Cylance	unsafe
Cyren	W32/ABRisk.ZUFH-1649
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.ETEC
APEX	Malicious
Cynet	Malicious (score: 100)
BitDefender	Trojan.NSISX.Spy.Gen.24
Sophos	Mal/Generic-S
VIPRE	Trojan.NSISX.Spy.Gen.24
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Emsisoft	Trojan.NSISX.Spy.Gen.24 (B)
Ikarus	Trojan-Spy.Agent
Avira	TR/AD.GenShell.lsfum
Arcabit	Trojan.NSISX.Spy.Gen.24
ZoneAlarm	UDS:Trojan.Win32.Strab.gen
GData	Win32.Trojan.Agent.JBBFB4
Google	Detected
MAX	malware (ai score=89)
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.1493217770
Rising	Trojan.Formbook!8.F858 (TFE:5:jvQUkku5PbO)
Fortinet	NSIS/Agent.DCAC!tr
Panda	Trj/Chgt.AD
CrowdStrike	win/malicious_confidence_100% (W)

IB_iso.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All