popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

po# 348839.exe

Formbook NSIS UPX Malicious Library PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Sept. 18, 2023, 1:36 p.m. Sept. 18, 2023, 1:38 p.m.
Size 370.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 4a7a9da9b5d246c23e12315e4eac1fcd
SHA256 f5d798da1badf02fe91c0a25702a09036570cc883128c676ba1cbc00a5381fdd
CRC32 0BDBF2F0
ssdeep 6144:FYa606Qa9cP9uuG74TcI03yjX+XPkW+FNshLQ6etKBwLEGHtzRMt8n3xi4NL:FYGt5lg4V0gX+sLN2e0BwLVzmMo4NL
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
request POST http://www.houtaijiaju.com/stcf/
request GET http://www.houtaijiaju.com/stcf/?el=1dqEu7FqG0Fk44M2SsORztBhqeVPz5dcffezXnqN6lUv5lMi6TOQp3fd1b+R5p9IBvl5i/IMrCH65j4DnfcQMtwjHinribTwYdLVWxQ=&isnBX=nywdxOY_N7CAIHs
request GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip
request POST http://www.saintprojetdesalers.com/stcf/
request GET http://www.saintprojetdesalers.com/stcf/?el=+e/LxL8BCb5JT2mwgKzbp1bNGh3lgePyU3D6l90SLvlYtUAerZBoaAu+StBCYI+EmdbaVLlpQ9qQs+tY0i0hLe/6ntyVXpS6CIyxXlk=&isnBX=nywdxOY_N7CAIHs
request POST http://www.ronikonmet.online/stcf/
request GET http://www.ronikonmet.online/stcf/?el=uecC1YIjKds5pfO1EToES15TCdBTvi7vIYoUJgTFy6qDYT2nEUgo5MyoghBmj6FTuqUN6uVJE1bE0H4aXubCPUG1zI5pjeamkbBuCmA=&isnBX=nywdxOY_N7CAIHs
request POST http://www.hummall.com/stcf/
request GET http://www.hummall.com/stcf/?el=Nk5K1Xbn5LNktyygdQF3BnmJ+burJ+ny2OkZcNPXdwEtJdOtq79vPWmp/B6BaLcWj3tVzmTo+5PqGZIC/UTM1vSFnsb91g1hVUGRl4c=&isnBX=nywdxOY_N7CAIHs
request POST http://www.admiralx-qjff.buzz/stcf/
request GET http://www.admiralx-qjff.buzz/stcf/?el=/cN5NAnYyQNGkv6VI4g5hCl6zLANo+Uxyk0R0Gf4W9JvbRZK1NaF3DJOi9LLfoZAma38Eec3ft5h7udphOb57G+0pUhbPZipWhAdHO0=&isnBX=nywdxOY_N7CAIHs
request POST http://www.innovativefewsustra.com/stcf/
request GET http://www.innovativefewsustra.com/stcf/?el=KMOD9sTNx2YSpovUrRJUEzn1Yx0Z43DK6JEh/zvUzYRR0vvq/o2vdjVBrU8HPW3QMgYOZkgxf1P3X+8HybL4wtlflHnPghnD15Ngsf8=&isnBX=nywdxOY_N7CAIHs
request POST http://www.houtaijiaju.com/stcf/
request POST http://www.saintprojetdesalers.com/stcf/
request POST http://www.ronikonmet.online/stcf/
request POST http://www.hummall.com/stcf/
request POST http://www.admiralx-qjff.buzz/stcf/
request POST http://www.innovativefewsustra.com/stcf/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e92000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2208
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1776
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\ibwae.exe
file C:\Users\test22\AppData\Local\Temp\ibwae.exe
file C:\Users\test22\AppData\Local\Temp\ibwae.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2208 called NtSetContextThread to modify thread in remote process 1776
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2001207748
registers.esp: 3538092
registers.edi: 0
registers.eax: 4199904
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000cc
process_identifier: 1776
1 0 0
dead_host 66.29.149.4:80
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Jaik.176091
VIPRE Gen:Variant.Jaik.176091
Arcabit Trojan.Jaik.D2AFDB
Symantec ML.Attribute.HighConfidence
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:Trojan.Win32.Strab.gen
BitDefender Gen:Variant.Jaik.176091
Avast FileRepMalware [Pws]
Rising Trojan.Generic@AI.100 (RDML:DV3tXntYoEhifx99XQ/rhA)
Emsisoft Gen:Variant.Jaik.176091 (B)
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine suspicious.low.ml.score
FireEye Generic.mg.4a7a9da9b5d246c2
Sophos Generic ML PUA (PUA)
Ikarus Trojan.Win32.Injector
MAX malware (ai score=89)
Microsoft Trojan:Win32/Formbook!ml
ZoneAlarm UDS:Trojan.Win32.Strab.gen
GData Gen:Variant.Jaik.176091
Google Detected
AhnLab-V3 Trojan/Win.Generic.C4978068
VBA32 BScope.Trojan.Injector
ALYac Gen:Variant.Jaik.176091
SentinelOne Static AI - Suspicious PE
Fortinet NSIS/Injector.ETGJ!tr
BitDefenderTheta Gen:NN.ZexaF.36662.muW@aO03DRpi
AVG FileRepMalware [Pws]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (D)