Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 21, 2023, 6:09 p.m.	Sept. 21, 2023, 6:12 p.m.

Size	327.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`5c6c71c7d5550896ed29fceb19e76649`
SHA256	`2ef0bca062416bb4b30fe880508050fbf92c3f5e4669ce151f91b5a146e84d66`
CRC32	`D5CB73BF`
ssdeep	`6144:/Ya65vmwSVdKEaI9PANPca/Fycpcr1xWVvMZG1O9WvS9DG:/YL6VdjlVANPh/Fycur+Vvp1in6`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
www.sarthaksrishticreation.com	CNAME sarthaksrishticreation.com A 119.18.49.69	119.18.49.69
www.gk84.com	CNAME gk84.com A 107.148.223.82	107.148.223.82
www.gracefullytouchedartistry.com	CNAME cdn1.wixdns.net CNAME td-ccm-neg-87-45.wixdns.net A 34.149.87.45	34.149.87.45
www.giallozafferrano.com	CNAME giallozafferrano.com A 62.149.128.45	62.149.128.45

Flow	SID	Signature	Category
TCP 192.168.56.101:49171 -> 107.148.223.82:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 34.149.87.45:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 119.18.49.69:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 62.149.128.45:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 21, 2023, 6:09 p.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sarthaksrishticreation.com/sy22/?kDHl=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.gracefullytouchedartistry.com/sy22/?kDHl=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&KtxD=PnCTGx9Pf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.giallozafferrano.com/sy22/?kDHl=e3Wc7AYKmxnABbA5XplRDASPAW2hX0g2E4j6p3U7Sf2osunLtU3wLL64mGQYR58Cg+KdkSKM&KtxD=PnCTGx9Pf

request	GET http://www.sarthaksrishticreation.com/sy22/?kDHl=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&KtxD=PnCTGx9Pf
request	GET http://www.gracefullytouchedartistry.com/sy22/?kDHl=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&KtxD=PnCTGx9Pf
request	GET http://www.giallozafferrano.com/sy22/?kDHl=e3Wc7AYKmxnABbA5XplRDASPAW2hX0g2E4j6p3U7Sf2osunLtU3wLL64mGQYR58Cg+KdkSKM&KtxD=PnCTGx9Pf

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2023, 6:09 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:09 p.m.	process_identifier: 2656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:09 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:09 p.m.	process_identifier: 2700 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\molua.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 21, 2023, 6:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2656 called NtSetContextThread to modify thread in remote process 2700
NtSetContextThread Sept. 21, 2023, 6:09 p.m.	registers.eip: 1995571652 registers.esp: 1439820 registers.edi: 0 registers.eax: 4321616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000009c process_identifier: 2700	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Strab.4!c
MicroWorld-eScan	Gen:Variant.Fragtor.365975
FireEye	Generic.mg.5c6c71c7d5550896
McAfee	Artemis!5C6C71C7D555
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.ins
Arcabit	Trojan.Fragtor.D59597
BitDefenderTheta	Gen:NN.ZexaF.36722.muW@a8mWE!ci
Cyren	W32/Injector.BRB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ETHU
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Strab.gen
BitDefender	Gen:Variant.Fragtor.365975
Avast	FileRepMalware [Pws]
Emsisoft	Gen:Variant.Fragtor.365975 (B)
VIPRE	Gen:Variant.Fragtor.365975
McAfee-GW-Edition	BehavesLike.Win32.Downloader.fc
Trapmine	malicious.moderate.ml.score
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Win32.Injector
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Fragtor.365975
Google	Detected
AhnLab-V3	Malware/Win.Generic.C4960464
VBA32	BScope.Trojan.Injector
ALYac	Gen:Variant.Fragtor.365975
MAX	malware (ai score=80)
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/GdSda.A
Rising	Trojan.Generic@AI.100 (RDML:U8iYSeUSHrVyjod1styS8Q)
SentinelOne	Static AI - Suspicious PE
Fortinet	NSIS/Injector.ETGJ!tr
AVG	FileRepMalware [Pws]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

TiWorker.exe