Summary | ZeroBOX

tiworker.exe

Formbook, NSIS, Malicious Library, UPX, PE File, PE32
Category FILE
Machine s1_win7_x6403_us
Started Sept. 30, 2023, 1:02 p.m.
Completed Sept. 30, 2023, 1:46 p.m.
Size 298.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 b51f67297d5dd494ed1acecf85c989f8
SHA256 c121eae871db09a878d790146f551a88f652fa3c0b56627674dc5ba9f05e04bc
CRC32 AABB0BE4
ssdeep 6144:/Ya6PK+Suas+y4T/TS6c31TiGRMx5rKX4u18Z4ekSiIGEBqeffdgvy6mUao:/YRK+SRsT4TMd1RgG4i8Z4elGEY2WsU1
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

IP Address Status Action
119.18.49.69 Active Moloch
164.124.101.2 Active Moloch
185.253.212.22 Active Moloch
3.64.163.50 Active Moloch
45.196.82.124 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49167 -> 45.196.82.124:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 119.18.49.69:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.253.212.22:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 3.64.163.50:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1
return: 1
repeated: 0
section .ndata
suspicious_features GET method with no useragent header
suspicious_request GET http://www.alcmcyu.com/sy22/?x4rXkXCP=HJcnt9shjuyeuMnZ8QWG9PRz+SaAKZLp97hCM6mnnpBn/SSeG+yBNrNPh/yBSnbTf5L809Cn&CdTHh=Cj6t
suspicious_features GET method with no useragent header
suspicious_request GET http://www.funwarsztat.com/sy22/?x4rXkXCP=CDtdPYcE26NN/Lh6rpX6TL7KDn7jwiiUYTi0Hy7RVwWXAZEPuz0NUNjW/3QemKZGBVrgMz80&CdTHh=Cj6t
suspicious_features GET method with no useragent header
suspicious_request GET http://www.sarthaksrishticreation.com/sy22/?x4rXkXCP=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&CdTHh=Cj6t
suspicious_features GET method with no useragent header
suspicious_request GET http://www.dryadai.com/sy22/?x4rXkXCP=T4nku/U6fUoiT4V699ActYtDMjyavvK02m+fxEC1q0+DSMs1WUMajGSqA4Kum2DGC179VQvP&CdTHh=Cj6t
request GET http://www.alcmcyu.com/sy22/?x4rXkXCP=HJcnt9shjuyeuMnZ8QWG9PRz+SaAKZLp97hCM6mnnpBn/SSeG+yBNrNPh/yBSnbTf5L809Cn&CdTHh=Cj6t
request GET http://www.funwarsztat.com/sy22/?x4rXkXCP=CDtdPYcE26NN/Lh6rpX6TL7KDn7jwiiUYTi0Hy7RVwWXAZEPuz0NUNjW/3QemKZGBVrgMz80&CdTHh=Cj6t
request GET http://www.sarthaksrishticreation.com/sy22/?x4rXkXCP=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&CdTHh=Cj6t
request GET http://www.dryadai.com/sy22/?x4rXkXCP=T4nku/U6fUoiT4V699ActYtDMjyavvK02m+fxEC1q0+DSMs1WUMajGSqA4Kum2DGC179VQvP&CdTHh=Cj6t
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0
file C:\Users\test22\AppData\Local\Temp\wirybscjwh.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
status: 1
return: 1
repeated: 0
Process injection Process 2052 called NtSetContextThread to modify thread in remote process 2104
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 5701480
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000ec
process_identifier: 2104
status: 1
return: 0
repeated: 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Androm.4!c
MicroWorld-eScan Trojan.GenericKD.69402967
FireEye Generic.mg.b51f67297d5dd494
CAT-QuickHeal Trojan.Strab
ALYac Trojan.GenericKD.69402967
Malwarebytes Malware.AI.4017603973
VIPRE Trojan.GenericKD.69402967
Sangfor Suspicious.Win32.Save.ins
K7AntiVirus Trojan ( 005ab8641 )
Alibaba Trojan:Win32/Strab.8084d0e9
K7GW Trojan ( 005ab8641 )
Cybereason malicious.ab8077
Arcabit Trojan.Generic.D4230157
Cyren W32/ABRisk.DXSF-3788
Symantec Trojan Horse
Elastic malicious (high confidence)
ESET-NOD32 Win32/Formbook.AA
APEX Malicious
Kaspersky Trojan.Win32.Strab.cwz
BitDefender Trojan.GenericKD.69402967
NANO-Antivirus Trojan.Win32.Strab.kbadwm
Avast Win32:TrojanX-gen [Trj]
Tencent Win32.Trojan.Strab.Vylw
Emsisoft Trojan.GenericKD.69402967 (B)
F-Secure Trojan.TR/LokiBot.ngeno
DrWeb Trojan.Siggen21.31079
TrendMicro TROJ_GEN.R002C0DIL23
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Injector
Webroot W32.Trojan.Gen
Google Detected
Avira TR/LokiBot.ngeno
Antiy-AVL Trojan/Win32.Lokibot
Kingsoft malware.kb.a.986
Gridinsoft Trojan.Win32.FormBook.bot
Xcitium Malware@#3tm9m0ci4e2yq
Microsoft TrojanSpy:Win32/Swotter.A!bit
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
GData Trojan.GenericKD.69402967
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.LokiBot.R606814
McAfee Artemis!B51F67297D5D
MAX malware (ai score=86)
VBA32 BScope.Trojan.Injector
Cylance unsafe
Panda Trj/Genetic.gen
Rising Trojan.Lokibot!8.F1B5 (TFE:5:DTASO9KxBJQ)