Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 3, 2023, 6:09 p.m.	Nov. 3, 2023, 6:17 p.m.

Size	410.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`0c57a7aae080fd2eac42a31fa5b7f051`
SHA256	`87770248637ba53e2fd2c65ec24b95659d9b1f2d3af87234601fd720f81d6fd8`
CRC32	`E7E6A809`
ssdeep	`12288:urCOfcbuDZzf0/vJomoJNmBPQBZo+j34j:UCociJwB7AKj`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

Flow	SID	Signature	Category
TCP 192.168.56.101:49169 -> 103.224.212.211:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 77.245.157.73:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 3, 2023, 6:09 p.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.xpermate.com/ju29/?8pwDZZSX=YSdUgFSDvDomRrfxRTc82IB8KvEz5Cudp7FBenL6bBiUULPv2hucH8VGw3UW6gX6WzIP7l0c&mvHpx=Y4C4ZlYp7ZstcN7
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.sextapevidhot.com/ju29/?8pwDZZSX=GMwV4/acGCaMlZi4K+MQ3vTvNv8+0oL4+WFE2ysoGOt3m0Xi0X0oVpaGXeUG3ymsAqEbf+Ht&mvHpx=Y4C4ZlYp7ZstcN7

request	GET http://www.xpermate.com/ju29/?8pwDZZSX=YSdUgFSDvDomRrfxRTc82IB8KvEz5Cudp7FBenL6bBiUULPv2hucH8VGw3UW6gX6WzIP7l0c&mvHpx=Y4C4ZlYp7ZstcN7
request	GET http://www.sextapevidhot.com/ju29/?8pwDZZSX=GMwV4/acGCaMlZi4K+MQ3vTvNv8+0oL4+WFE2ysoGOt3m0Xi0X0oVpaGXeUG3ymsAqEbf+Ht&mvHpx=Y4C4ZlYp7ZstcN7

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73272000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2756 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2844 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\xheuzyg.exe

section

{u'size_of_data': u'0x0000d000', u'virtual_address': u'0x00037000', u'entropy': 6.895564080355565, u'name': u'.rsrc', u'virtual_size': u'0x0000ced8'}

entropy

6.89556408036

description

A section with a high entropy has been found

entropy

0.630303030303

description

Overall entropy of this PE file is high

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 3, 2023, 6:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

host	104.76.78.101
host	185.196.8.176

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2756 called NtSetContextThread to modify thread in remote process 2844
NtSetContextThread Nov. 3, 2023, 6:09 p.m.	registers.eip: 1995571652 registers.esp: 3342032 registers.edi: 0 registers.eax: 4321552 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f8 process_identifier: 2844	1	0	0

jujoptics2.1.exe