popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

ChromeSetup.exe

Formbook NSIS Malicious Library UPX PE File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 8, 2023, 7:37 a.m. Sept. 8, 2023, 7:39 a.m.
Size 360.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 b2aff4034e70921c51bc334135e61887
SHA256 3adb8aeb7691dc238ebd6c61ae7a0f7bdac303f547d02109d5d23bf096403733
CRC32 0D72377A
ssdeep 6144:/Ya6vFF6nNvLN2DD4IV1ExJzavbbHaFxruTWqrAVSguuRuRn:/YNqnNTN2nyb2vbbHcxraWVueu9
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 167.172.228.26:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 43.154.67.170:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 34.149.87.45:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.mysticheightstrail.com/sy22/?EDK8gDR=Q5FfiwTKAQAoPcoP4e5kySmJcOUQtYy/n0X88F5fBW8bclPVBZXpMCw8fqRp6JUwXvQoTE+1&BZ=E2M4oNPx_Ln
suspicious_features GET method with no useragent header suspicious_request GET http://www.zhperviepixie.com/sy22/?EDK8gDR=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&BZ=E2M4oNPx_Ln
suspicious_features GET method with no useragent header suspicious_request GET http://www.gracefullytouchedartistry.com/sy22/?EDK8gDR=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&BZ=E2M4oNPx_Ln
suspicious_features GET method with no useragent header suspicious_request GET http://www.thwmlohr.click/sy22/?EDK8gDR=MgkfgN3fpomwP7fWV5mTPmG15nWdJlegbQggwbe1T0jMd3AI1ruzVKLfVQH9NXyhXYV15IAt&BZ=E2M4oNPx_Ln
request GET http://www.mysticheightstrail.com/sy22/?EDK8gDR=Q5FfiwTKAQAoPcoP4e5kySmJcOUQtYy/n0X88F5fBW8bclPVBZXpMCw8fqRp6JUwXvQoTE+1&BZ=E2M4oNPx_Ln
request GET http://www.zhperviepixie.com/sy22/?EDK8gDR=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&BZ=E2M4oNPx_Ln
request GET http://www.gracefullytouchedartistry.com/sy22/?EDK8gDR=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&BZ=E2M4oNPx_Ln
request GET http://www.thwmlohr.click/sy22/?EDK8gDR=MgkfgN3fpomwP7fWV5mTPmG15nWdJlegbQggwbe1T0jMd3AI1ruzVKLfVQH9NXyhXYV15IAt&BZ=E2M4oNPx_Ln
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2660
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00460000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2716
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00990000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\mifeajgx.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2660 called NtSetContextThread to modify thread in remote process 2716
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3014612
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d4
process_identifier: 2716
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
MicroWorld-eScan Gen:Variant.Ransom.Loki.17507
FireEye Generic.mg.b2aff4034e70921c
ALYac Gen:Trojan.Heur.KT.5.sCW@aWyWV@pi
Sangfor Suspicious.Win32.Save.ins
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Ransom.Loki.D4463 [many]
BitDefenderTheta AI:Packer.0FDC35B621
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETGW
Cynet Malicious (score: 100)
APEX Malicious
BitDefender Gen:Variant.Ransom.Loki.17507
Avast Win32:PWSX-gen [Trj]
Sophos Mal/Generic-S
VIPRE Gen:Variant.Ransom.Loki.17507
McAfee-GW-Edition BehavesLike.Win32.Dropper.fc
Trapmine malicious.moderate.ml.score
Emsisoft Gen:Variant.Ransom.Loki.17507 (B)
Ikarus Trojan.Win32.Injector
Webroot W32.Malware.Gen
MAX malware (ai score=85)
Gridinsoft Trojan.Win32.FormBook.bot
Microsoft Trojan:Win32/Lokibot.SIS!MTB
GData Gen:Variant.Ransom.Loki.17507
Google Detected
AhnLab-V3 Trojan/Win.Generic.R585815
McAfee Artemis!B2AFF4034E70
VBA32 BScope.Trojan.Strab
Cylance unsafe
Rising Trojan.Generic@AI.85 (RDML:0oAToU6fRWMk2etjLnLNyA)
SentinelOne Static AI - Suspicious PE
Fortinet NSIS/Injector.ETGJ!tr
AVG Win32:PWSX-gen [Trj]
DeepInstinct MALICIOUS