Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 8, 2023, 10:40 a.m.	Oct. 8, 2023, 10:42 a.m.

Size	303.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`90f56eefb533c21d5a62577184244aa9`
SHA256	`180fce98cac3dd64109fcf09745194ced61a15c25ff1e698754105dde6586a58`
CRC32	`DD493AC9`
ssdeep	`6144:pXFKo5l8qf7SO9mj/WYpA2X+wIsT6P3rTwOiNxiM9orMhccGEV60:pXRlYjfRITPb0OqowSSM0`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

htmlc.exe "C:\Users\test22\AppData\Local\Temp\htmlc.exe"
2552
- dslwsx.exe "C:\Users\test22\AppData\Local\Temp\dslwsx.exe"
  2648
  - dslwsx.exe "C:\Users\test22\AppData\Local\Temp\dslwsx.exe"
    2708

Name	Response	Post-Analysis Lookup
www.kimgj.com	A 75.2.85.42 A 99.83.196.71 CNAME kimgj.com	99.83.196.71
www.kwamitikki.com	A 195.216.243.33	195.216.243.33
www.podplugca.com	A 198.49.23.145 CNAME ext-sq.squarespace.com A 198.185.159.144 A 198.49.23.144 A 198.185.159.145	198.49.23.144
www.displayfridges.fun	A 64.225.91.73	64.225.91.73
www.qixservice.online	CNAME onstatic-pt.setupdns.net A 81.88.57.70	81.88.57.70

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.216.243.33	Active	Moloch
198.185.159.145	Active	Moloch
64.225.91.73	Active	Moloch
75.2.85.42	Active	Moloch
81.88.57.70	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 195.216.243.33:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 198.185.159.145:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 81.88.57.70:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 75.2.85.42:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 64.225.91.73:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 8, 2023, 10:40 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.kwamitikki.com/sy22/?GFNl=ayc0h3zWsM+s/UZ3LUjJJuwK+un3y5jAnwaTGnQTjoBH3sQruTiuCMTcn690zSCGQsaDZ/V1&Rlj=YVFTx4dp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.displayfridges.fun/sy22/?GFNl=aXg/rmbVwlFwwtnhCbViqZ1yX+MILNYt2xJKgyzLKbDp+5cOMXOnKyz8SWn7ESolc4/lQPeb&Rlj=YVFTx4dp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.kimgj.com/sy22/?GFNl=3SPsA2Ss8I6lJqBAUfWjnvopZUchcaiATf/poqfUwjZ4JN2yY1pEd2m56Et1bCNhcUG3dZ4S&Rlj=YVFTx4dp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.podplugca.com/sy22/?GFNl=1SbEEVOB0X5p51zw8Y9tIyj0s4wRGWDD/YTF5BQf3aGuyUlv8rzVEk4tRHrNdM/Dikld30uR&Rlj=YVFTx4dp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.qixservice.online/sy22/?GFNl=VBKd4i1TBAeTlYBnm9tWLCP4ww2vn+XVFOQPMnsW4AFxqlBX+KApyR5y0aXQ0sSyxSIvT0ne&Rlj=YVFTx4dp

Performs some HTTP requests (5 events)

request	GET http://www.kwamitikki.com/sy22/?GFNl=ayc0h3zWsM+s/UZ3LUjJJuwK+un3y5jAnwaTGnQTjoBH3sQruTiuCMTcn690zSCGQsaDZ/V1&Rlj=YVFTx4dp
request	GET http://www.displayfridges.fun/sy22/?GFNl=aXg/rmbVwlFwwtnhCbViqZ1yX+MILNYt2xJKgyzLKbDp+5cOMXOnKyz8SWn7ESolc4/lQPeb&Rlj=YVFTx4dp
request	GET http://www.kimgj.com/sy22/?GFNl=3SPsA2Ss8I6lJqBAUfWjnvopZUchcaiATf/poqfUwjZ4JN2yY1pEd2m56Et1bCNhcUG3dZ4S&Rlj=YVFTx4dp
request	GET http://www.podplugca.com/sy22/?GFNl=1SbEEVOB0X5p51zw8Y9tIyj0s4wRGWDD/YTF5BQf3aGuyUlv8rzVEk4tRHrNdM/Dikld30uR&Rlj=YVFTx4dp
request	GET http://www.qixservice.online/sy22/?GFNl=VBKd4i1TBAeTlYBnm9tWLCP4ww2vn+XVFOQPMnsW4AFxqlBX+KApyR5y0aXQ0sSyxSIvT0ne&Rlj=YVFTx4dp

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 8, 2023, 10:40 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73312000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2023, 10:40 a.m.	process_identifier: 2648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2023, 10:40 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2023, 10:40 a.m.	process_identifier: 2708 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\dslwsx.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 8, 2023, 10:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 called NtSetContextThread to modify thread in remote process 2708
NtSetContextThread Oct. 8, 2023, 10:40 a.m.	registers.eip: 1995571652 registers.esp: 2685696 registers.edi: 0 registers.eax: 4321616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f0 process_identifier: 2708	1	0	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Strab.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.69627851
Skyhigh	BehavesLike.Win32.Generic.fc
McAfee	Artemis!90F56EEFB533
Malwarebytes	Trojan.MalPack.RND
VIPRE	Trojan.NSISX.Spy.Gen.24
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Trojan ( 005ac27e1 )
BitDefender	Trojan.NSISX.Spy.Gen.24
K7GW	Trojan ( 005ac27e1 )
Cybereason	malicious.682bb0
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.ETIW
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/FormBook.780f20dc
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Trojan.Strab.Ojgl
Emsisoft	Trojan.NSISX.Spy.Gen.24 (B)
F-Secure	Trojan.TR/Injector.jcfou
DrWeb	Trojan.Siggen21.36843
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.90f56eefb533c21d
Sophos	Generic Reputation PUA (PUA)
SentinelOne	Static AI - Suspicious PE
Google	Detected
Avira	TR/AD.Swotter.kijak
Varist	W32/Trojan.KRJE-9145
Antiy-AVL	Trojan/Win32.Injector
Microsoft	Trojan:Win32/FormBook.RVAE!MTB
Gridinsoft	Trojan.Win32.FormBook.bot
Arcabit	Trojan.NSISX.Spy.Gen.24 [many]
ViRobot	Trojan.Win.Z.Spy.311061
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.69627851
Cynet	Malicious (score: 100)
AhnLab-V3	Win-Trojan/Gandcrab08.Exp
ALYac	Gen:Variant.Midie.132251
MAX	malware (ai score=87)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0DJ623
Rising	Trojan.Injector!8.C4 (TFE:5:D0R9bJufesD)
Ikarus	Trojan.Win32.Injector
Fortinet	W32/Injector.ETIW!tr
BitDefenderTheta	Gen:NN.ZexaF.36738.kuW@aOL3yoki
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/Chgt.AD
CrowdStrike	win/malicious_confidence_100% (W)

htmlc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All