Summary | ZeroBOX

TiWorker.exe

Malicious Library PE32 PE File
Category FILE
Machine s1_win7_x6401
Started Sept. 20, 2023, 5:54 p.m.
Completed Sept. 20, 2023, 5:56 p.m.
Size 186.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 9809924a1fb0082898813c23dbc84b24
SHA256 8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55
CRC32 1D85A28E
ssdeep 3072:OPUq+jL3rWh716RfGYSeK95YWX2PaAlN4eT0FNaP0hBUxY3rC8XG4t7hXs+cCk3X:4K/3rUJYSx95YBfSrF8OaiusG6hXs/H
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow | SID | Signature | Category
TCP 103.71.154.244:80 -> 192.168.56.101:49176 | 2221010 | SURICATA HTTP unable to match response to request | Generic Protocol Command Decode
TCP 103.71.154.244:80 -> 192.168.56.101:49177 | 2221010 | SURICATA HTTP unable to match response to request | Generic Protocol Command Decode
UDP 192.168.56.101:52753 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 67.223.117.37:80 | 2023882 | ET INFO HTTP Request to a *.top domain | Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 67.223.117.37:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 67.223.117.37:80 | 2031089 | ET HUNTING Request to .TOP Domain with Minimal Headers | Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 216.40.34.41:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 104.21.21.57:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 216.239.36.21:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 81.171.28.43:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 216.240.130.67:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 216.240.130.67:80 | 2031088 | ET HUNTING Request to .XYZ Domain with Minimal Headers | Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 104.21.13.143:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 85.128.134.237:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 23.104.137.185:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 199.59.243.224:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

suspicious_features GET method with no useragent header suspicious_request GET http://www.prosourcegraniteinc.com/kniu/?zM2u=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&r8LF=ldF1y4FXSVpJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.theartboxslidell.com/kniu/?zM2u=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&r8LF=ldF1y4FXSVpJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.xxkxcfkujyeft.xyz/kniu/?zM2u=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&r8LF=ldF1y4FXSVpJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.onlyleona.com/kniu/?zM2u=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&r8LF=ldF1y4FXSVpJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.tsygy.com/kniu/?zM2u=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&r8LF=ldF1y4FXSVpJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.poultry-symposium.com/kniu/?zM2u=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&r8LF=ldF1y4FXSVpJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.frefire.top/kniu/?zM2u=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&r8LF=ldF1y4FXSVpJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.siteapp.fun/kniu/?zM2u=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&r8LF=ldF1y4FXSVpJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.flyingfoxnb.com/kniu/?zM2u=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&r8LF=ldF1y4FXSVpJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.palatepursuits.cfd/kniu/?zM2u=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&r8LF=ldF1y4FXSVpJ
request POST http://www.prosourcegraniteinc.com/kniu/
request GET http://www.prosourcegraniteinc.com/kniu/?zM2u=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&r8LF=ldF1y4FXSVpJ
request GET http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
request POST http://www.theartboxslidell.com/kniu/
request GET http://www.theartboxslidell.com/kniu/?zM2u=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&r8LF=ldF1y4FXSVpJ
request POST http://www.xxkxcfkujyeft.xyz/kniu/
request GET http://www.xxkxcfkujyeft.xyz/kniu/?zM2u=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&r8LF=ldF1y4FXSVpJ
request POST http://www.onlyleona.com/kniu/
request GET http://www.onlyleona.com/kniu/?zM2u=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&r8LF=ldF1y4FXSVpJ
request POST http://www.tsygy.com/kniu/
request GET http://www.tsygy.com/kniu/?zM2u=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&r8LF=ldF1y4FXSVpJ
request POST http://www.poultry-symposium.com/kniu/
request GET http://www.poultry-symposium.com/kniu/?zM2u=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&r8LF=ldF1y4FXSVpJ
request POST http://www.frefire.top/kniu/
request GET http://www.frefire.top/kniu/?zM2u=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&r8LF=ldF1y4FXSVpJ
request POST http://www.siteapp.fun/kniu/
request GET http://www.siteapp.fun/kniu/?zM2u=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&r8LF=ldF1y4FXSVpJ
request POST http://www.flyingfoxnb.com/kniu/
request GET http://www.flyingfoxnb.com/kniu/?zM2u=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&r8LF=ldF1y4FXSVpJ
request POST http://www.palatepursuits.cfd/kniu/
request GET http://www.palatepursuits.cfd/kniu/?zM2u=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&r8LF=ldF1y4FXSVpJ
request POST http://www.prosourcegraniteinc.com/kniu/
request POST http://www.theartboxslidell.com/kniu/
request POST http://www.xxkxcfkujyeft.xyz/kniu/
request POST http://www.onlyleona.com/kniu/
request POST http://www.tsygy.com/kniu/
request POST http://www.poultry-symposium.com/kniu/
request POST http://www.frefire.top/kniu/
request POST http://www.siteapp.fun/kniu/
request POST http://www.flyingfoxnb.com/kniu/
request POST http://www.palatepursuits.cfd/kniu/
domain www.frefire.top (description: Generic top level domain TLD)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00151000
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00151000
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00950000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0
section .text (size_of_data: 0x0002d600, virtual_address: 0x00001000, virtual_size: 0x0002d504, entropy: 7.996844157192147) entropy 7.99684415719 description A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status: 1, Return: 1, Repeated: 0
Bkav W32.Common.B4759783
Lionic Trojan.Win32.Noon.4!c
MicroWorld-eScan Gen:Variant.Ser.Razy.7042
FireEye Generic.mg.9809924a1fb00828
ALYac Gen:Variant.Ser.Razy.7042
Malwarebytes Trojan.Crypt
Sangfor Trojan.Win32.Formbook.Vt2t
K7AntiVirus Trojan ( 00536d121 )
Alibaba Trojan:Win32/Formbook.2c18bffa
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Ser.Razy.D1B82
VirIT Trojan.Win32.GenusT.DRMH
Cyren W32/Formbook.N.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Formbook.AK
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Ser.Razy.7042
Avast Win32:PWSX-gen [Trj]
Tencent Win32.Trojan.Generic.Fajl
Sophos Troj/Formbook-A
F-Secure Trojan.TR/Crypt.ZPACK.Gen
DrWeb Trojan.Packed2.45325
VIPRE Gen:Variant.Ser.Razy.7042
TrendMicro TROJ_GEN.R002C0DIH23
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Trapmine malicious.high.ml.score
Emsisoft Gen:Variant.Ser.Razy.7042 (B)
SentinelOne Static AI - Malicious PE
Avira TR/Crypt.ZPACK.Gen
MAX malware (ai score=89)
Antiy-AVL GrayWare/Win32.Formbook.A
Gridinsoft Trojan.Win32.Packed.sa
Microsoft Trojan:Win32/Formbook.RG!MTB
ViRobot Trojan.Win.Z.Formbook.190464.S
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Ser.Razy.7042
AhnLab-V3 Trojan/Win.Formbook.X2184
McAfee GenericRXVJ-YP!9809924A1FB0
VBA32 Malware-Cryptor.General.3
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002C0DIH23
Rising Ransom.Digitala!8.305 (TFE:3:4bkQNC3KfED)
Ikarus Trojan.Win32.Formbook
Fortinet W32/Formbook.AK!tr
BitDefenderTheta AI:Packer.428E21B61E