Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 19, 2023, 7:47 a.m.	Oct. 19, 2023, 7:58 a.m.

Size	360.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`d7bde041b821e3b3e6e3a71846cee9ef`
SHA256	`5a7df187972e8ac7ffd69cfd57e9ec4490a36b915cb8beaeee8cceac12ab76c8`
CRC32	`9B377384`
ssdeep	`6144:RfL+oqnzcACJXXBqiAu5BFi2QBlrogjVUe3bgoso0+zTtiNbtAfvUk7RwFdVJRMz:RfLQwACl0Dr2QBlroYXLgosRSYN5+mFG`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
www.vaskaworldairways.com	A 97.118.134.29 CNAME fletchto99.com	97.118.134.29
www.docomo-mobileconsulting.com	A 185.53.177.52	185.53.177.52
www.zhperviepixie.com	CNAME zhperviepixie.com A 167.172.228.26	167.172.228.26
www.vinteligencia.com	A 172.67.198.50 A 104.21.52.110	172.67.198.50
www.gracefullytouchedartistry.com	CNAME cdn1.wixdns.net CNAME td-ccm-neg-87-45.wixdns.net A 34.149.87.45	34.149.87.45

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 172.67.198.50:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 97.118.134.29:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 167.172.228.26:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 34.149.87.45:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 185.53.177.52:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 19, 2023, 7:47 a.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.vaskaworldairways.com/sy22/?Dxlpd=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&mnSh=Txlhkdx
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.zhperviepixie.com/sy22/?Dxlpd=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&mnSh=Txlhkdx
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.vinteligencia.com/sy22/?Dxlpd=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&mnSh=Txlhkdx
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.gracefullytouchedartistry.com/sy22/?Dxlpd=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&mnSh=Txlhkdx
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.docomo-mobileconsulting.com/sy22/?Dxlpd=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&mnSh=Txlhkdx

request	GET http://www.vaskaworldairways.com/sy22/?Dxlpd=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&mnSh=Txlhkdx
request	GET http://www.zhperviepixie.com/sy22/?Dxlpd=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&mnSh=Txlhkdx
request	GET http://www.vinteligencia.com/sy22/?Dxlpd=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&mnSh=Txlhkdx
request	GET http://www.gracefullytouchedartistry.com/sy22/?Dxlpd=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&mnSh=Txlhkdx
request	GET http://www.docomo-mobileconsulting.com/sy22/?Dxlpd=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&mnSh=Txlhkdx

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2100 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2172 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\dalqyf.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 19, 2023, 7:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

host

131.153.76.130

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2100 called NtSetContextThread to modify thread in remote process 2172
NtSetContextThread Oct. 19, 2023, 7:47 a.m.	registers.eip: 2005598660 registers.esp: 3537604 registers.edi: 0 registers.eax: 4321616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000cc process_identifier: 2172	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Convagent.4!c
MicroWorld-eScan	Trojan.Garf.Gen.10
FireEye	Generic.mg.d7bde041b821e3b3
Skyhigh	BehavesLike.Win32.Trojan.fc
McAfee	Artemis!D7BDE041B821
Malwarebytes	Malware.AI.16081259
Sangfor	Trojan.Win32.Agent.V1za
Alibaba	Trojan:Win32/Strab.8a611332
Cybereason	malicious.2a21aa
Arcabit	Trojan.Garf.Gen.10 [many]
BitDefenderTheta	Gen:NN.ZexaF.36738.luW@a4haPHci
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ETJW
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan.Win32.Strab
BitDefender	Trojan.Garf.Gen.10
Avast	Win32:Evo-gen [Trj]
Emsisoft	Trojan.Garf.Gen.10 (B)
VIPRE	Trojan.Garf.Gen.10
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
Google	Detected
Kingsoft	malware.kb.a.982
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.Garf.Gen.10
AhnLab-V3	Win-Trojan/Gandcrab08.Exp
VBA32	BScope.Trojan.Injector
ALYac	Gen:Variant.Jaik.185139
MAX	malware (ai score=83)
Cylance	unsafe
Rising	Trojan.Generic@AI.93 (RDML:cAYMevCeN6jb8rNjQttN9w)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Kryptik.HDLS!tr
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

audiodgse.exe