popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

autolog.exe

Formbook NSIS Malicious Library UPX PE File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 26, 2023, 5:10 p.m. Oct. 26, 2023, 5:16 p.m.
Size 360.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 5a7848fdbc0ca7bab05257e730497197
SHA256 b8c61ae98e716d6953a68407927c99b395efcacb9ebec1a874b939d79a7e0ca4
CRC32 E8774CF0
ssdeep 6144:b8LxB6j3cNeimx2YJlBNaDugXLZfc1Kd7/WAObnijZLO5UFnF14DN:rsNoJJlApcwCA+kvFFCDN
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.sunspotplumbing.com
CNAME sunspotplumbing.com
A 3.33.130.190
A 15.197.148.33
15.197.148.33
www.dryadai.com
A 3.64.163.50
3.64.163.50
www.sarthaksrishticreation.com
CNAME sarthaksrishticreation.com
A 119.18.49.69
119.18.49.69
www.fuhouse.link
IP Address Status Action
119.18.49.69 Active Moloch
164.124.101.2 Active Moloch
3.33.130.190 Active Moloch
3.64.163.50 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49166 -> 119.18.49.69:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 3.33.130.190:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 3.64.163.50:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.sarthaksrishticreation.com/sy22/?tZUT=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&9r48E=FdC4E0Y
suspicious_features GET method with no useragent header suspicious_request GET http://www.sunspotplumbing.com/sy22/?tZUT=d6AqkGJ7bunbgmizHHRyxSnS+cE7N+DoqWC4nPxnpUsdFYm3pr534s62tX1C6jkDEl4YnzCY&9r48E=FdC4E0Y
suspicious_features GET method with no useragent header suspicious_request GET http://www.dryadai.com/sy22/?tZUT=T4nku/U6fUoiT4V699ActYtDMjyavvK02m+fxEC1q0+DSMs1WUMajGSqA4Kum2DGC179VQvP&9r48E=FdC4E0Y
request GET http://www.sarthaksrishticreation.com/sy22/?tZUT=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&9r48E=FdC4E0Y
request GET http://www.sunspotplumbing.com/sy22/?tZUT=d6AqkGJ7bunbgmizHHRyxSnS+cE7N+DoqWC4nPxnpUsdFYm3pr534s62tX1C6jkDEl4YnzCY&9r48E=FdC4E0Y
request GET http://www.dryadai.com/sy22/?tZUT=T4nku/U6fUoiT4V699ActYtDMjyavvK02m+fxEC1q0+DSMs1WUMajGSqA4Kum2DGC179VQvP&9r48E=FdC4E0Y
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2148
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2148
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2220
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\pznhcda.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2148 called NtSetContextThread to modify thread in remote process 2220
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000e4
process_identifier: 2220
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.70042484
FireEye Generic.mg.5a7848fdbc0ca7ba
Skyhigh BehavesLike.Win32.Generic.fc
ALYac Gen:Variant.Jaik.182440
VIPRE Trojan.Garf.Gen.10
Sangfor Trojan.Win32.Injector.Vb6s
K7AntiVirus Trojan ( 005ad15f1 )
BitDefender Trojan.GenericKD.70042484
K7GW Trojan ( 005ad15f1 )
CrowdStrike win/malicious_confidence_100% (W)
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector_AGen.ADX
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Strab.gen
Rising Trojan.Generic@AI.90 (RDML:eestCTKhkN64RBWOCbjvfQ)
Sophos Mal/Generic-S
F-Secure Trojan.TR/Injector_AGen.fnogn
DrWeb Trojan.Loader.1797
Emsisoft Trojan.GenericKD.70042484 (B)
SentinelOne Static AI - Suspicious PE
GData Trojan.GenericKD.70042484
Google Detected
Avira HEUR/AGEN.1337943
Varist W32/Injector.BRW.gen!Eldorado
Antiy-AVL Trojan/Win32.Injector
Kingsoft malware.kb.a.726
Xcitium Malware@#1unkggprgst7p
Arcabit Trojan.Generic.D42CC374
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
Microsoft Trojan:Win32/Leonem
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Wacatac.C5531410
McAfee Artemis!5A7848FDBC0C
MAX malware (ai score=84)
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Strab
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.F0D1C00JP23
Tencent Win32.Trojan.Strab.Gplw
Ikarus Trojan.Win32.Injector
Fortinet NSIS/Agent.DCAC!tr
BitDefenderTheta Gen:NN.ZexaF.36792.nqW@aOpaH8ki
AVG Win32:AdwareX-gen [Adw]
Cybereason malicious.71054b
Avast Win32:AdwareX-gen [Adw]