Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 14, 2023, 12:50 p.m.	Oct. 14, 2023, 12:52 p.m.

Size	657.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`898a7d62ce8f67a4bf58a4d697ee65da`
SHA256	`3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589`
CRC32	`9917AD4A`
ssdeep	`12288:JfLGuL+Ybqt4KEzCkTj5ot3/BxnoFQaLn6R0:JfLGLYGOKcnT2t3bJIM0`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

Flow	SID	Signature	Category
TCP 15.197.130.221:80 -> 192.168.56.101:49167	2527001	ET Threatview.io High Confidence Cobalt Strike C2 IP group 2	Misc Attack
TCP 192.168.56.101:49168 -> 15.197.148.33:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 15.197.130.221:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 15.197.204.56:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 156.245.54.118:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 14, 2023, 12:50 p.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.hndswicco.best/ge06/?P6A=PQptMrbywirwOBsv2/k9gasn5Q9AT3eVC9w1MPVM+581myTPrrPRsbPASzXeYXe5c34Wjnkd&1bS=W6O8DXLhJ
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.diverseindiatours.com/ge06/?P6A=IlJ6uct7nLNOkVUg7dSIO1ufNnudgOP1rBW9T1wcy5Ojeqv/jFwMq4W339KeBHdyAUeSR3I5&1bS=W6O8DXLhJ
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.chucobuilt.net/ge06/?P6A=mgJZc34E+QHjHDFP2795MijuneaKxhMRMXDMLqe7oIpY9TsA6d7BobIv4A2nrFt6YRi7hqu+&1bS=W6O8DXLhJ
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.time-edu.net/ge06/?P6A=3gVulpDN/zRIaENLvBRBOU+GJXsTSPVd6fpjgkIicxSY0YrdfquFm+i5o+mpo+HrdASdsMrY&1bS=W6O8DXLhJ

request	GET http://www.hndswicco.best/ge06/?P6A=PQptMrbywirwOBsv2/k9gasn5Q9AT3eVC9w1MPVM+581myTPrrPRsbPASzXeYXe5c34Wjnkd&1bS=W6O8DXLhJ
request	GET http://www.diverseindiatours.com/ge06/?P6A=IlJ6uct7nLNOkVUg7dSIO1ufNnudgOP1rBW9T1wcy5Ojeqv/jFwMq4W339KeBHdyAUeSR3I5&1bS=W6O8DXLhJ
request	GET http://www.chucobuilt.net/ge06/?P6A=mgJZc34E+QHjHDFP2795MijuneaKxhMRMXDMLqe7oIpY9TsA6d7BobIv4A2nrFt6YRi7hqu+&1bS=W6O8DXLhJ
request	GET http://www.time-edu.net/ge06/?P6A=3gVulpDN/zRIaENLvBRBOU+GJXsTSPVd6fpjgkIicxSY0YrdfquFm+i5o+mpo+HrdASdsMrY&1bS=W6O8DXLhJ

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 14, 2023, 12:50 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73312000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2023, 12:50 p.m.	process_identifier: 2656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2023, 12:50 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2023, 12:50 p.m.	process_identifier: 2700 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\sespa.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 14, 2023, 12:50 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2656 called NtSetContextThread to modify thread in remote process 2700
NtSetContextThread Oct. 14, 2023, 12:50 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000108 process_identifier: 2700	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.24
FireEye	Generic.mg.898a7d62ce8f67a4
McAfee	Artemis!898A7D62CE8F
Cylance	unsafe
Sangfor	Spyware.Win32.Agent.Vesp
Cybereason	malicious.ff0bd3
Arcabit	Trojan.NSISX.Spy.Gen.24 [many]
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Formbook.AA
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Strab.gen
BitDefender	Trojan.NSISX.Spy.Gen.24
Avast	Win32:TrojanX-gen [Trj]
Sophos	Generic Reputation PUA (PUA)
VIPRE	Trojan.NSISX.Spy.Gen.24
Emsisoft	Trojan.NSISX.Spy.Gen.24 (B)
Ikarus	Trojan.NSIS.Agent
Varist	W32/ABRisk.UBFP-7754
Kingsoft	malware.kb.a.891
Gridinsoft	Trojan.Win32.FormBook.bot
Microsoft	TrojanSpy:Win32/Swotter.A!bit
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Trojan.NSISX.Spy.Gen.24
Google	Detected
BitDefenderTheta	Gen:NN.ZexaF.36738.CmW@aCo2elp
ALYac	Gen:Heur.Mint.Zard.55
MAX	malware (ai score=82)
VBA32	BScope.Trojan.Injector
Malwarebytes	Generic.Malware/Suspicious
Rising	Trojan.Generic@AI.86 (RDML:+aWhUpwN+ik6817FKNLryw)
Fortinet	W32/Injector_AGen.ADG!tr
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

windviewcikon2.1.exe