Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 23, 2023, 9:40 a.m.	Oct. 23, 2023, 9:42 a.m.

Size	426.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`df247bbfaf91dbe0da4d79a04cfb5ca3`
SHA256	`354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579`
CRC32	`3E4A9ADC`
ssdeep	`6144:zfL+oqgoT3oPrD68F2PD44p8Ls1k7n82iKGI3TmBp6CbspK7M2jtsftCq9CPbz:zfLCT21oy82PGIC/Bb8K7MNCB/`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
www.qixservice.online	CNAME onstatic-pt.setupdns.net A 81.88.57.70	81.88.57.70
www.jizihao1.com	A 39.101.169.136	39.101.169.136
www.podplugca.com	A 198.49.23.144 CNAME ext-sq.squarespace.com A 198.185.159.144 A 198.49.23.145 A 198.185.159.145	198.49.23.144
www.displayfridges.fun	A 64.225.91.73	64.225.91.73

Flow	SID	Signature	Category
TCP 192.168.56.101:49171 -> 64.225.91.73:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 198.185.159.144:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 81.88.57.70:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 23, 2023, 9:40 a.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.qixservice.online/sy22/?GVW8=VBKd4i1TBAeTlYBnm9tWLCP4ww2vn+XVFOQPMnsW4AFxqlBX+KApyR5y0aXQ0sSyxSIvT0ne&uzuD=Zld0rPDHNj
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.podplugca.com/sy22/?GVW8=1SbEEVOB0X5p51zw8Y9tIyj0s4wRGWDD/YTF5BQf3aGuyUlv8rzVEk4tRHrNdM/Dikld30uR&uzuD=Zld0rPDHNj
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.jizihao1.com/sy22/?GVW8=3PKlaCPIzU4vEpSTCliM62U/p7q8/wgFKC2xum1ddk3IfpDEo7oK1Mr0Jaw/Go0sFzx2J7Yb&uzuD=Zld0rPDHNj
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.displayfridges.fun/sy22/?GVW8=aXg/rmbVwlFwwtnhCbViqZ1yX+MILNYt2xJKgyzLKbDp+5cOMXOnKyz8SWn7ESolc4/lQPeb&uzuD=Zld0rPDHNj

request	GET http://www.qixservice.online/sy22/?GVW8=VBKd4i1TBAeTlYBnm9tWLCP4ww2vn+XVFOQPMnsW4AFxqlBX+KApyR5y0aXQ0sSyxSIvT0ne&uzuD=Zld0rPDHNj
request	GET http://www.podplugca.com/sy22/?GVW8=1SbEEVOB0X5p51zw8Y9tIyj0s4wRGWDD/YTF5BQf3aGuyUlv8rzVEk4tRHrNdM/Dikld30uR&uzuD=Zld0rPDHNj
request	GET http://www.jizihao1.com/sy22/?GVW8=3PKlaCPIzU4vEpSTCliM62U/p7q8/wgFKC2xum1ddk3IfpDEo7oK1Mr0Jaw/Go0sFzx2J7Yb&uzuD=Zld0rPDHNj
request	GET http://www.displayfridges.fun/sy22/?GVW8=aXg/rmbVwlFwwtnhCbViqZ1yX+MILNYt2xJKgyzLKbDp+5cOMXOnKyz8SWn7ESolc4/lQPeb&uzuD=Zld0rPDHNj

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 23, 2023, 9:40 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 23, 2023, 9:40 a.m.	process_identifier: 2636 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05080000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 23, 2023, 9:40 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05090000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 23, 2023, 9:40 a.m.	process_identifier: 2692 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\ohtfjmxqk.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 23, 2023, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2636 called NtSetContextThread to modify thread in remote process 2692
NtSetContextThread Oct. 23, 2023, 9:40 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f0 process_identifier: 2692	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Strab.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Garf.Gen.7
Skyhigh	BehavesLike.Win32.Generic.gc
ALYac	Gen:Heur.Mint.Zard.55
Malwarebytes	Malware.AI.3433992955
K7AntiVirus	Riskware ( 00584baa1 )
K7GW	Riskware ( 00584baa1 )
Cybereason	malicious.a4b746
Arcabit	Trojan.Garf.Gen.7 [many]
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.ETKA
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Strab.gen
BitDefender	Trojan.Garf.Gen.7
Avast	FileRepMalware [Pws]
Tencent	Win32.Trojan.Strab.Ddhl
Emsisoft	Trojan.Garf.Gen.7 (B)
VIPRE	Trojan.Garf.Gen.7
FireEye	Generic.mg.df247bbfaf91dbe0
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Google	Detected
Avira	TR/Injector.zigjw
MAX	malware (ai score=82)
Kingsoft	malware.kb.a.896
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Formbook.AT!MTB
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Trojan.NSISX.Spy.Gen.24
Varist	W32/ABRisk.XWJV-2760
AhnLab-V3	Malware/Win.Generic.C5520779
McAfee	RDN/Generic.dx
VBA32	BScope.Trojan.Injector
Cylance	unsafe
Panda	Trj/Chgt.AD
Rising	Trojan.Generic@AI.90 (RDML:xL2rumekJHwIero2WuAZbQ)
Ikarus	Trojan.Win32.Injector
Fortinet	NSIS/Agent.DCAC!tr
BitDefenderTheta	Gen:NN.ZexaF.36738.wqW@aO74qdhi
AVG	FileRepMalware [Pws]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

audiodgse.exe