Summary | ZeroBOX

IB_iso.exe

NSIS UPX Malicious Library PE File DLL PE32
Category FILE
Machine s1_win7_x6401
Started Aug. 4, 2023, 8:55 a.m.
Completed Aug. 4, 2023, 9:01 a.m.
Size 242.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 d27e13ce5271639c09cf59b9f6eaee10
SHA256 85176443ab1c87d4387378979a276b860b6306e6ae17749d0a1072111cc14a1b
CRC32 E6078EC8
ssdeep 6144:vYa6i7eW7rFk+v2RBxS537zBrw6v81rEJK1C+1WnQwTyvuXL1u5R:vYk1xNIxg9E6v81/CnQ6yvu71u5R
Yara
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
154.49.247.55 Active Moloch
164.124.101.2 Active Moloch
172.67.198.50 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:53004 -> 8.8.8.8:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 154.49.247.55:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 172.67.198.50:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1 return: 1 repeated: 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.mercardosupltda.shop/sy22/?EZX0sf=3bMgBYp3T8Et67riN3kA3/aeujAUMemYR9Y/JjuHDcyhHg+qjpOYOJGYEHV0e9MGAbxHoQdS&qL3=gjnL3zDh_r
suspicious_features GET method with no useragent header suspicious_request GET http://www.vinteligencia.com/sy22/?EZX0sf=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&qL3=gjnL3zDh_r
request GET http://www.mercardosupltda.shop/sy22/?EZX0sf=3bMgBYp3T8Et67riN3kA3/aeujAUMemYR9Y/JjuHDcyhHg+qjpOYOJGYEHV0e9MGAbxHoQdS&qL3=gjnL3zDh_r
request GET http://www.vinteligencia.com/sy22/?EZX0sf=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&qL3=gjnL3zDh_r
domain www.sofbks.top description Generic top level domain TLD
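The two check-in requests above share the traits a network analyst can key on: a GET with no User-Agent, a short single-directory path (/sy22/), and a two-parameter query whose first value is a long base64-like blob and whose parameter names (EZX0sf, qL3) recur across both C2 hosts. The following is an added example, not the sandbox's code and not the content of Suricata rule 2031412 (which this page does not show): a small detector run over a constructed proxy-log excerpt whose format ("method url user-agent-or-dash" per line) is an assumption, with the two report URLs reused as positive samples and two benign lines as negatives.

```python
"""Flag HTTP requests that look like the FormBook C2 check-ins in the report.

Added example; the heuristics are modelled on the two GET requests above,
not on the Suricata signature itself, whose body is not on this page.
"""
import re
from urllib.parse import urlsplit

# Constructed proxy-log excerpt (assumed format: "<method> <url> <user-agent or ->").
# Lines 1-2 reproduce the report's URLs; lines 3-4 are benign filler for contrast.
SAMPLE_LOG = """\
GET http://www.mercardosupltda.shop/sy22/?EZX0sf=3bMgBYp3T8Et67riN3kA3/aeujAUMemYR9Y/JjuHDcyhHg+qjpOYOJGYEHV0e9MGAbxHoQdS&qL3=gjnL3zDh_r -
GET http://www.vinteligencia.com/sy22/?EZX0sf=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&qL3=gjnL3zDh_r -
GET http://example.com/sy22/?EZX0sf=short&qL3=x -
GET http://example.com/index.html?session=3bMgBYp3T8Et67riN3kA3aeujAUMemYR9YJjuHDcyhHgqjpOYOJGYEHV0e9MGAbxHoQdS&page=2 Mozilla/5.0
"""

_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")      # one short directory, e.g. /sy22/
_BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_-]{40,}$")    # long base64-like encoded payload


def _query_pairs(query):
    """Split the query string without percent/plus decoding: '+' is part of the blob."""
    pairs = []
    for item in query.split("&"):
        key, _, value = item.partition("=")
        pairs.append((key, value))
    return pairs


def parse_line(line):
    """Split one constructed log line into (method, url, user_agent)."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    method, url, ua = parts
    return method, url, ua.strip()


def is_formbook_like(method, url, ua):
    """True when a request shares the traits of the check-ins in the report."""
    if method != "GET" or ua not in ("", "-"):
        return False                                  # has a User-Agent, or not a GET
    u = urlsplit(url)
    if not _PATH_RE.match(u.path):
        return False
    params = _query_pairs(u.query)
    if len(params) != 2:
        return False
    (_, blob), (_, tail) = params
    return bool(_BLOB_RE.match(blob)) and 1 <= len(tail) <= 16


def detect_formbook_checkins(log_text):
    """Return one finding per suspicious request: host, path and the parameter names."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_formbook_like(*rec):
            u = urlsplit(rec[1])
            keys = tuple(k for k, _ in _query_pairs(u.query))
            findings.append({"host": u.hostname, "path": u.path, "keys": keys})
    return findings


if __name__ == "__main__":
    for f in detect_formbook_checkins(SAMPLE_LOG):
        print(f)
```

The query string is split by hand rather than with `urllib.parse.parse_qsl` because that function turns `+` into a space and would break the base64-like blob check. The `keys` field is the useful pivot: the same parameter names across different hosts point at one campaign build.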
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2672
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x031b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x031c0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
file C:\Users\test22\AppData\Local\Temp\nsyF416.tmp\aulnizizac.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
status: 1 return: 1 repeated: 0
Process injection Process 2672 called NtSetContextThread to modify thread in remote process 2776
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000220
process_identifier: 2776
status: 1 return: 0 repeated: 0
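Read together, the memory records and the thread-context record above form the classic injection sequence: PAGE_EXECUTE_READWRITE regions in both 2672 and 2776, a SeDebugPrivilege lookup, and 2672 writing a new thread context into 2776. The following added example (mine, not the sandbox's analysis code) rebuilds those records as a small constructed trace and scores them. Two assumptions are labelled in the code: the caller pid of each allocation is taken to be `process_identifier`, because `process_handle: 0xffffffff` is the current-process pseudo-handle, and the 2672 -> 2776 direction of NtSetContextThread is taken from the report's own process-injection line. The flag decoder also surfaces a detail the report's label glosses over: allocation_type 12289 is MEM_COMMIT|MEM_RESERVE plus an undocumented low bit, which the decoder reports as leftover hex instead of dropping.

```python
"""Triage sandbox API records for a process-injection pattern.

Added example, not the sandbox's own logic. TRACE is constructed from the
report above; see the lead-in for the two assumptions it encodes.
"""

# Standard Win32 memory-protection and allocation-type constants.
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
MEM_FLAGS = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES",
}
WRITABLE_EXEC = 0x40 | 0x80   # executable and writable at the same time

# Constructed trace built from the report's records. "pid" is the caller, an
# assumption: process_handle 0xffffffff (GetCurrentProcess) means the caller
# is the process named in process_identifier; the NtSetContextThread caller
# is 2672 per the report's "Process injection" line.
TRACE = [
    {"pid": 2672, "api": "NtProtectVirtualMemory",
     "args": {"process_identifier": 2672, "length": 4096, "protection": 64,
              "base_address": 0x732A2000}},
    {"pid": 2672, "api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 2672, "region_size": 8192, "protection": 64,
              "base_address": 0x031B0000, "allocation_type": 12288}},
    {"pid": 2672, "api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 2672, "region_size": 4096, "protection": 64,
              "base_address": 0x031C0000, "allocation_type": 12289}},
    {"pid": 2776, "api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 2776, "region_size": 3158016, "protection": 64,
              "base_address": 0x00970000, "allocation_type": 12288}},
    {"pid": 2672, "api": "LookupPrivilegeValueW",
     "args": {"privilege_name": "SeDebugPrivilege"}},
    {"pid": 2672, "api": "NtSetContextThread",
     "args": {"process_identifier": 2776, "thread_handle": 0x220,
              "registers.eip": 1995571652, "registers.eax": 4321616}},
]


def decode_flags(value, table):
    """Name the bits of a Windows flag word; bits not in the table stay as hex."""
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def analyze(trace):
    """Summarise RWX memory per process and any cross-process thread-context writes."""
    rwx_bytes = {}
    for e in trace:
        a = e["args"]
        if e["api"] in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory") \
                and a["protection"] & WRITABLE_EXEC:
            size = a.get("region_size", a.get("length", 0))
            rwx_bytes[a["process_identifier"]] = rwx_bytes.get(a["process_identifier"], 0) + size
    remote_ctx = [
        {"caller": e["pid"], "target": e["args"]["process_identifier"],
         "eip": hex(e["args"]["registers.eip"]), "eax": hex(e["args"]["registers.eax"])}
        for e in trace
        if e["api"] == "NtSetContextThread" and e["args"]["process_identifier"] != e["pid"]
    ]
    sedebug = any(e["api"] == "LookupPrivilegeValueW"
                  and e["args"].get("privilege_name") == "SeDebugPrivilege" for e in trace)
    # Verdict: a remote context write into a process that also holds RWX memory.
    injection = any(r["target"] in rwx_bytes for r in remote_ctx)
    return {"rwx_bytes_by_pid": rwx_bytes, "remote_context_writes": remote_ctx,
            "sedebug_lookup": sedebug, "injection_suspected": injection}


if __name__ == "__main__":
    print(analyze(TRACE))
    print(decode_flags(12289, MEM_FLAGS))
```

On 32-bit Windows the primary thread of a process created suspended starts with eip inside ntdll and eax holding the image entry point, so in a context write like this one eax (0x41f150 here) is the register to inspect for a redirected entry point; the analyzer reports both registers in hex for that reason.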
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Nemesis.25866
FireEye Generic.mg.d27e13ce5271639c
ALYac Trojan.NSISX.Spy.Gen.24
Cylance unsafe
Sangfor Trojan.Win32.Formbook.Vti3
Cyren W32/Ninjector.JO.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ETEF
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Gen:Variant.Nemesis.25866
ViRobot Trojan.Win.Z.Nemesis.247940
Emsisoft Gen:Variant.Nemesis.25866 (B)
F-Secure Trojan.TR/AD.GenShell.illbf
DrWeb Trojan.Loader.1668
VIPRE Gen:Variant.Nemesis.25866
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Webroot W32.Infostealer.Gen
Avira TR/AD.GenShell.xdwes
Gridinsoft Trojan.Win32.FormBook.bot
Arcabit Trojan.Nemesis.D650A [many]
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
GData Trojan.NSISX.Spy.Gen.24
Google Detected
AhnLab-V3 Trojan/Win.Generic.R587806
McAfee Artemis!D27E13CE5271
MAX malware (ai score=80)
Malwarebytes Trojan.Injector
Rising Trojan.FormBook!8.F858 (CLOUD)
Ikarus Trojan-Spy.Agent
Fortinet NSIS/Agent.DCAC!tr
BitDefenderTheta Gen:NN.ZedlaF.36348.bm4@aiCNZ@l
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)