popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

processing.exe

Formbook NSIS Malicious Library UPX PE File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 4, 2023, 7:40 a.m. Oct. 4, 2023, 7:55 a.m.
Size 309.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 5b4cde02e2552a6c3d5f4c96e61a9e4b
SHA256 f3c99b21d43e967be5b3e53e70050b9d6dce181fe5415f9825b512850ecb0b52
CRC32 1F601E33
ssdeep 6144:LnPdudwDzsIduV5l234RUyxsM/TxFmrmBHzL7jbsTFv2ys15HguJPm8idQQrS:LnPdvsIwV5BUySCxhzL7jbsTwnLHgVdM
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 3.33.130.190:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 3.33.130.190:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 39.101.169.136:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.mysticheightstrail.com/sy22/?5j=Q5FfiwTKAQAoPcoP4e5kySmJcOUQtYy/n0X88F5fBW8bclPVBZXpMCw8fqRp6JUwXvQoTE+1&vTdDK=LJBx
suspicious_features GET method with no useragent header suspicious_request GET http://www.jizihao1.com/sy22/?5j=3PKlaCPIzU4vEpSTCliM62U/p7q8/wgFKC2xum1ddk3IfpDEo7oK1Mr0Jaw/Go0sFzx2J7Yb&vTdDK=LJBx
suspicious_features GET method with no useragent header suspicious_request GET http://www.johnnystintshop.com/sy22/?5j=lBpndDaiazzaPDz8oVvNWLtjY8ASY3krgNLZx/nYs7DN6Z9ubRKrMqHrK8vEE3FEQDB+295P&vTdDK=LJBx
request GET http://www.mysticheightstrail.com/sy22/?5j=Q5FfiwTKAQAoPcoP4e5kySmJcOUQtYy/n0X88F5fBW8bclPVBZXpMCw8fqRp6JUwXvQoTE+1&vTdDK=LJBx
request GET http://www.jizihao1.com/sy22/?5j=3PKlaCPIzU4vEpSTCliM62U/p7q8/wgFKC2xum1ddk3IfpDEo7oK1Mr0Jaw/Go0sFzx2J7Yb&vTdDK=LJBx
request GET http://www.johnnystintshop.com/sy22/?5j=lBpndDaiazzaPDz8oVvNWLtjY8ASY3krgNLZx/nYs7DN6Z9ubRKrMqHrK8vEE3FEQDB+295P&vTdDK=LJBx
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 808
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00510000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2092
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00870000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\vzhywqyw.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 808 called NtSetContextThread to modify thread in remote process 2092
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 2096424
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000098
process_identifier: 2092
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
ALYac Gen:Variant.Jaik.182440
Malwarebytes Malware.AI.2921465108
VIPRE Trojan.NSISX.Spy.Gen.24
Sangfor Spyware.Win32.Agent.Va6g
CrowdStrike win/malicious_confidence_100% (W)
K7GW Trojan ( 005abde11 )
K7AntiVirus Trojan ( 005abde11 )
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ETIQ
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Trojan.NSISX.Spy.Gen.24
Avast Win32:AdwareX-gen [Adw]
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
F-Secure Heuristic.HEUR/AGEN.1337940
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.5b4cde02e2552a6c
Sophos Mal/Generic-S
GData Trojan.NSISX.Spy.Gen.24
Jiangmin Trojan.Fsysna.pez
Avira HEUR/AGEN.1337940
MAX malware (ai score=84)
Gridinsoft Trojan.Win32.Kryptik.oa!s1
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
Microsoft Trojan:Win32/Wacatac.B!ml
AhnLab-V3 Win-Trojan/Gandcrab08.Exp
McAfee Artemis!5B4CDE02E255
Cylance unsafe
Rising Trojan.Generic@AI.87 (RDML:B76BXeXG8QuGEmMnvDyCqA)
SentinelOne Static AI - Suspicious PE
BitDefenderTheta Gen:NN.ZexaE.36738.kuW@aKMWGOii
AVG Win32:AdwareX-gen [Adw]
Cybereason malicious.719a6b
DeepInstinct MALICIOUS