Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 16, 2023, 1:21 p.m.	Nov. 16, 2023, 1:24 p.m.

Size	244.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7630a755b70921f9f22891035c3628e9`
SHA256	`10f863afc82cd61fdc8a55bc67e2726401ac51c4e9647ddd19dbf1ea30df9e09`
CRC32	`5B418280`
ssdeep	`6144:ReoIZR781uLl43/1Mg2p7F1bhUlCMSrSJ6Igy9WaukV3Y709:RkvJ4nspglx3J6tykNk2O`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

unsecapp.exe "C:\Users\test22\AppData\Local\Temp\unsecapp.exe"
2648
where.exe "C:\Windows\SysWOW64\where.exe"
2772
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  3008

Name	Response	Post-Analysis Lookup
www.ofupakoshi.com	A 118.27.125.154	118.27.125.154
www.talknconvert.com	A 34.120.137.41 CNAME connect.hostinger.com	34.120.137.41
www.54c7pv.top	A 154.91.180.241	154.91.180.241
www.velvet-key-properties.top	A 162.0.222.119	162.0.222.119
www.zz23xw.top	A 198.44.187.121	198.44.187.121
www.speedbikesglobal.com	A 207.244.126.150 CNAME speedbikesglobal.com	207.244.126.150
www.oneillspubs.com	A 199.59.243.225	199.59.243.225
www.surcebmx.shop	A 104.21.25.102 A 172.67.134.1	104.21.25.102
www.wearehydrant.com	A 216.40.34.41	216.40.34.41
www.tauruss29.click	CNAME tauruss29.click A 198.252.99.243	198.252.99.243
www.izabeladesa.com	CNAME izabeladesa.com A 192.185.223.51	192.185.223.51
www.ayotundewrites.com	A 83.229.19.76 CNAME ayotundewrites.com	83.229.19.76
www.brls.money	A 76.76.21.241 A 76.76.21.164	76.76.21.93
www.cardsfinanse.online
www.ezus.life	A 34.96.147.60	34.96.147.60
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.stprov.biz	A 208.91.197.132	208.91.197.132

IP Address	Status	Action
118.27.125.154	Active	Moloch
154.91.180.241	Active	Moloch
162.0.222.119	Active	Moloch
164.124.101.2	Active	Moloch
172.67.134.1	Active	Moloch
192.185.223.51	Active	Moloch
198.252.99.243	Active	Moloch
198.44.187.121	Active	Moloch
199.59.243.225	Active	Moloch
207.244.126.150	Active	Moloch
208.91.197.132	Active	Moloch
216.40.34.41	Active	Moloch
34.120.137.41	Active	Moloch
34.96.147.60	Active	Moloch
45.33.6.223	Active	Moloch
76.76.21.241	Active	Moloch
83.229.19.76	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:58166 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 198.44.187.121:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 34.96.147.60:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49182 -> 154.91.180.241:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Performs some HTTP requests (21 events)

request	POST http://www.talknconvert.com/zqco/
request	GET http://www.talknconvert.com/zqco/?wFt=+y3ZRElHCLe7jmdKMp2JFPlUK9YT5bvGGHfUVKPtd2bXz9pNtTUvPUI0E2mMKKDMK40SLr9h4U0bLKuGzmPR68kee6xzU8cXih09j6g=&o0Ijw=FV31C
request	GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
request	GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
request	GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
request	GET http://www.zz23xw.top/zqco/?wFt=VoRUmMaSMr2kGXzG8DGzs0cy5P6qw2FvfeSWrzBmFVf4r1pcQgw7LosabWMBXohSSG87M+jYFIXYlgYqysxLRuA79T8FIpBWYkRSO2Y=&o0Ijw=FV31C
request	GET http://www.oneillspubs.com/zqco/?wFt=XdRd7IBdWEpb/jCY/gch7kg+lw27Z26x+D3ieONLL7CY8BddAHnhXbvHyElLQzrirdgR+wn8qaFBYv6gfz4EEy7O0ffUbALIB58FlQs=&o0Ijw=FV31C
request	GET http://www.ezus.life/zqco/?wFt=u471bzHmixRgx8jG34/3521QRSoafTDA19WcHl++OFLBIVcH0DdbJeLxOpVlrYL99BmDVXWg0zcKhLFxNQar41PBegN+NBU9NC/0Y9c=&o0Ijw=FV31C
request	GET http://www.speedbikesglobal.com/zqco/?wFt=9kePTKggf4eP6/DCGbsdghdg+/LhYxsxm+U+B1ESzIz+TmizgBdCe1eXOmqUrZ0x2YkFTu0erOvA47Ha2c+EVc4yEgJLqy1Od5EFPsA=&o0Ijw=FV31C
request	GET http://www.ofupakoshi.com/zqco/?wFt=oR8rxthcq91bDeb9vmLMA5uA0V6TVpHsZzEUlFltfnhRD4eEP3S8Ru2FP+uQ72DlNChyjz/yveiA7oMKQr7r0mPigqg1fcYUoRyODkg=&o0Ijw=FV31C
request	GET http://www.velvet-key-properties.top/zqco/?wFt=3cujheEXCxTSONvEGgHYK3Ro6UrcWljFRITPND+osZObjxCf4likA3rqCl3sr+p4oSCTpecI3ocHZbRBmm9rhynO4PrZ/611WMrx7zI=&o0Ijw=FV31C
request	GET http://www.wearehydrant.com/zqco/?wFt=yN+4vjoTZa2+2rQfpO28lQWMu+aZ3T74Wrnr375QTRpmINRbNSsldLaHn5rMvgmgz4hpMiEXqXqPXNl5+v6fM5IMtXKekPO/Z+VSq9A=&o0Ijw=FV31C
request	GET http://www.54c7pv.top/zqco/?wFt=XV3W3W1bHvM399Du4uoMZ6VmM7juBhQ9XL1FfmdLfANGdpYh3tpg4K62NhqwFVpBYKsURc+EQi3NVVDNf+vTi2grpbzFJu9fs/bFcso=&o0Ijw=FV31C
request	GET http://www.brls.money/zqco/?wFt=kJJUs3T9xo/faco/szFu0NbjBV/XWn0UwEs2UTEFdB9bg8qGS48Zihll1h6n106FVzSgHW/cbGOli2i8W1uBzVY1OSvzf5lm+SHpTzw=&o0Ijw=FV31C
request	GET http://www.stprov.biz/zqco/?wFt=ogfkNg/1tCd9W0WeOmHDQCOqLPOGwiuWSgR6FQ2+VD8GhLug2Ctv0H3GE0eldR7xC4dFHEP3Eqt1pFBXCYATF7XInOdNSl+LOLADaFA=&o0Ijw=FV31C
request	GET http://www.tauruss29.click/zqco/?wFt=BXZ/xzuuMumnvtIwilHAju88nUMjodQ2L7qTmXiCbitM75fYFK9Ni/+RZPv+ooYbFCP5HCJJxbmcDVUQEF+nSIUi2tQgIq30IPYEAqs=&o0Ijw=FV31C
request	GET http://www.izabeladesa.com/zqco/?wFt=xgP5YBHAlkZQY3zMM6zpGwRaICyRepfzD3pvdIKGHZOpNZwdZqd18fiXnD4wcHdwNOCnD+EJd+f9y7+0iF4km1rz8VJupnABKYXyGpk=&o0Ijw=FV31C
request	GET http://www.surcebmx.shop/zqco/?wFt=sVrFTG3ePMlGeHtN+9NOfDvz/GoZiwZc2hOKEoTgtp1zYewc+7d6IlOKQB9rGmOyetA1JhIO28lR44+yf+JFgN9FJ6btdItGqkraV1A=&o0Ijw=FV31C
request	GET http://www.ayotundewrites.com/zqco/?wFt=+wI3MeD3jbNUmfUR22cpBsb5CtqXzI827TrKoKznZ2673z1g+k3Zglb4E7/i1xr4Z9cBRHIArS2WPt0us+pQAzv8dUN4XDgXBL/DreA=&o0Ijw=FV31C

Sends data using the HTTP POST Method (1 event)

request

POST http://www.talknconvert.com/zqco/

Resolves a suspicious Top Level Domain (TLD) (3 events)

domain	www.zz23xw.top	description	Generic top level domain TLD
domain	www.54c7pv.top	description	Generic top level domain TLD
domain	www.velvet-key-properties.top	description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 16, 2023, 1:21 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00303000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:21 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00301000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 2648 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 2772 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\unsecapp.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0003c000', u'virtual_address': u'0x00001000', u'entropy': 7.9919199392600335, u'name': u'.text', u'virtual_size': u'0x0003be44'}

entropy

7.99191993926

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Formbook.l!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Inject4.64351
MicroWorld-eScan	Gen:Variant.Zusy.460032
FireEye	Generic.mg.7630a755b70921f9
Skyhigh	BehavesLike.Win32.Generic.dc
ALYac	Gen:Variant.Zusy.460032
Malwarebytes	Spyware.FormBook
VIPRE	Gen:Variant.Zusy.460032
Sangfor	Spyware.Win32.Formbook.Vl9i
K7AntiVirus	Trojan ( 00536d121 )
BitDefender	Gen:Variant.Zusy.460032
K7GW	Trojan ( 00536d121 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Zusy.D70500
BitDefenderTheta	Gen:NN.ZexaF.36792.peX@aaNRV2f
VirIT	Trojan.Win32.GenusT.DTQP
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Formbook.AA
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Spy.Win32.Noon.bfdm
Alibaba	Trojan:Win32/FormBook.f7b8d397
Rising	Spyware.Noon!8.E7C9 (TFE:3:u7ALXQCfWED)
Sophos	Troj/Formbook-A
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
TrendMicro	TROJ_GEN.R06CC0DKE23
Trapmine	malicious.moderate.ml.score
Emsisoft	Gen:Variant.Zusy.460032 (B)
Ikarus	Win32.Outbreak
Google	Detected
Avira	TR/Crypt.ZPACK.Gen
Antiy-AVL	Trojan/Win32.Formbook
Kingsoft	Win32.Troj.Undef.a
Gridinsoft	Spy.Win32.Keylogger.sa
Microsoft	Trojan:Win32/FormBook.AFK!MTB
ZoneAlarm	Trojan-Spy.Win32.Noon.bfdm
GData	Win32.Trojan.PSE.11JTEDN
Varist	W32/Formbook.AG.gen!Eldorado
AhnLab-V3	Trojan/Win.FormBook.R619333
VBA32	Malware-Cryptor.General.3
MAX	malware (ai score=88)
DeepInstinct	MALICIOUS
Cylance	unsafe
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R06CC0DKE23
Tencent	Win32.Trojan-Spy.Noon.Gjgl
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen

unsecapp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All