popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

igfxCU.exe

Formbook NSIS Malicious Library UPX PE File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 9, 2023, 9:36 p.m. Sept. 9, 2023, 9:40 p.m.
Size 359.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 e99042bc75c1e7c4ae8803b59a817975
SHA256 21f03aa3cb1ce12b742fc78552681e20099f77f1aa347516a253e383eb5f3f11
CRC32 E4890E1E
ssdeep 6144:/Ya6iCvsI2IFe+EDoKiSvlzz+Gr86kjNI11UmDgOnjNc3TMA6Nz318Z9/d8+bP5:/YsUTjc+ED7f+cpfjnjNc3A3z3MI+d
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 34.149.87.45:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 107.148.223.82:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 34.117.168.233:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 211.149.249.34:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.gk84.com/sy22/?Mfg=EZXT1couL1SMJvG2qeg6eanykcNOwoSwRkeI+9JF3ekTKFJ8rStu/JDK0lzRposG9gxESXnb&D6h4=O2JdRpPP8
suspicious_features GET method with no useragent header suspicious_request GET http://www.sx15k.com/sy22/?Mfg=uDOmxGSZOI7byjRwM2VfDnyujtJEJ3PREhDiUuqfTZK7lE43sYjySeizw7LCJ3MdEZKjGoPp&D6h4=O2JdRpPP8
suspicious_features GET method with no useragent header suspicious_request GET http://www.gracefullytouchedartistry.com/sy22/?Mfg=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&D6h4=O2JdRpPP8
suspicious_features GET method with no useragent header suspicious_request GET http://www.omclaval.com/sy22/?Mfg=Vmf4Q5/zoPfldgruhOQLZP4+4m5gHfPs/jeCYPGlLiq5dZVswyzLC3uxqGOHhCLAF9vvj7E0&D6h4=O2JdRpPP8
request GET http://www.gk84.com/sy22/?Mfg=EZXT1couL1SMJvG2qeg6eanykcNOwoSwRkeI+9JF3ekTKFJ8rStu/JDK0lzRposG9gxESXnb&D6h4=O2JdRpPP8
request GET http://www.sx15k.com/sy22/?Mfg=uDOmxGSZOI7byjRwM2VfDnyujtJEJ3PREhDiUuqfTZK7lE43sYjySeizw7LCJ3MdEZKjGoPp&D6h4=O2JdRpPP8
request GET http://www.gracefullytouchedartistry.com/sy22/?Mfg=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&D6h4=O2JdRpPP8
request GET http://www.omclaval.com/sy22/?Mfg=Vmf4Q5/zoPfldgruhOQLZP4+4m5gHfPs/jeCYPGlLiq5dZVswyzLC3uxqGOHhCLAF9vvj7E0&D6h4=O2JdRpPP8
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00840000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00890000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2100
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\fzfyx.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2056 called NtSetContextThread to modify thread in remote process 2100
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1506136
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000c4
process_identifier: 2100
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
MicroWorld-eScan Trojan.GenericKD.69192829
FireEye Generic.mg.e99042bc75c1e7c4
ALYac Gen:Variant.Fragtor.357332
Malwarebytes Trojan.FormBook.NSIS
Sangfor Suspicious.Win32.Save.ins
K7AntiVirus Trojan ( 005aafd11 )
K7GW Trojan ( 005aafd11 )
Cybereason malicious.1d492b
Cyren W32/Injector.BQS.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETGY
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Trojan.GenericKD.69192829
Avast Win32:PWSX-gen [Trj]
Tencent Win32.Trojan.Strab.Dtgl
Emsisoft Trojan.GenericKD.69192829 (B)
F-Secure Trojan.TR/LokiBot.brbyg
DrWeb Trojan.Siggen21.27135
VIPRE Trojan.GenericKD.69192829
TrendMicro TROJ_GEN.R002C0DI823
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Avira TR/AD.Swotter.lckxb
MAX malware (ai score=85)
Microsoft Trojan:Win32/Formbook.AT!MTB
Gridinsoft Trojan.Win32.FormBook.bot
Xcitium Malware@#17ygr7vwur632
Arcabit Trojan.Generic.D41FCC7D
ViRobot Trojan.Win.Z.Strab.368282
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
GData Trojan.GenericKD.69192829
Google Detected
AhnLab-V3 Trojan/Win.Generic.R585815
McAfee Artemis!E99042BC75C1
VBA32 BScope.Trojan.Strab
Cylance unsafe
Panda Trj/Chgt.AD
Rising Trojan.Lokibot!8.F1B5 (TFE:5:2497Qq5krJT)
Ikarus Trojan.Win32.Injector
Fortinet NSIS/Injector.ETGJ!tr
BitDefenderTheta Gen:NN.ZexaF.36662.sCW@aG6h5Dhi
AVG Win32:PWSX-gen [Trj]
DeepInstinct MALICIOUS