popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

hkcmd.exe

Formbook NSIS UPX Malicious Library PE File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 15, 2023, 5:26 p.m. Sept. 15, 2023, 5:36 p.m.
Size 303.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 3950dff062247d4ac80e50a52313f198
SHA256 8f17f8b8946c0aa9f92bd114a1501e9109a3acd84b865d352d043a04e474c2b5
CRC32 21E56507
ssdeep 6144:PYa6nATH/VOoublRM4zFy82brOmBAdotodFDGD6hA43kU4cHVZ:PY9IHHuPOHOBo+jGYVkUrb
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 119.18.49.69:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 71.33.149.60:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 91.195.240.109:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 167.172.228.26:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.zhperviepixie.com/sy22/?8pM0A2PH=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&Cda4=inCHhv7P
suspicious_features GET method with no useragent header suspicious_request GET http://www.sarthaksrishticreation.com/sy22/?8pM0A2PH=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&Cda4=inCHhv7P
suspicious_features GET method with no useragent header suspicious_request GET http://www.docomo-mobileconsulting.com/sy22/?8pM0A2PH=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&Cda4=inCHhv7P
suspicious_features GET method with no useragent header suspicious_request GET http://www.vaskaworldairways.com/sy22/?8pM0A2PH=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&Cda4=inCHhv7P
request GET http://www.zhperviepixie.com/sy22/?8pM0A2PH=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&Cda4=inCHhv7P
request GET http://www.sarthaksrishticreation.com/sy22/?8pM0A2PH=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&Cda4=inCHhv7P
request GET http://www.docomo-mobileconsulting.com/sy22/?8pM0A2PH=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&Cda4=inCHhv7P
request GET http://www.vaskaworldairways.com/sy22/?8pM0A2PH=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&Cda4=inCHhv7P
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2664
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2716
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00950000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\wombiziksy.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2664 called NtSetContextThread to modify thread in remote process 2716
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 2095952
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000a0
process_identifier: 2716
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Garf.Gen.10
FireEye Generic.mg.3950dff062247d4a
ALYac Trojan.NSISX.Spy.Gen.24
Malwarebytes Generic.Malware/Suspicious
Sangfor Suspicious.Win32.Save.ins
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Garf.Gen.10 [many]
BitDefenderTheta Gen:NN.ZexaF.36662.kuW@ayeFc0di
Cyren W32/Ninjector.JO.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector_AGen.ACN
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.Garf.Gen.10
Avast Win32:TrojanX-gen [Trj]
Emsisoft Trojan.Garf.Gen.10 (B)
VIPRE Trojan.Garf.Gen.10
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Injector
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.NSISX.Spy.Gen.24
Google Detected
AhnLab-V3 Trojan/Win.NSISInject.R587856
McAfee Artemis!3950DFF06224
MAX malware (ai score=83)
VBA32 BScope.Trojan.Injector
Cylance unsafe
Rising Trojan.Convagent!8.12323 (TFE:5:EbkO1syneSG)
SentinelOne Static AI - Suspicious PE
Fortinet NSIS/Injector.ETGJ!tr
AVG Win32:TrojanX-gen [Trj]
Cybereason malicious.dd28f3
DeepInstinct MALICIOUS