Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 27, 2023, 9:23 a.m.	Nov. 27, 2023, 9:38 a.m.

Size	456.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`cf52e32f7257ad06e9436c2090585f55`
SHA256	`f727949e07d541b18cebe8cd2b7bb9d6411de4dc70da6c0d50e192443f7348f0`
CRC32	`E9AA8B5D`
ssdeep	`12288:HMQ9NbCGz1EAj3xAQId/jvIAl1nUiAbqTtzcN1GrkwX:sK0y1EAlAQE/jvI21nkstzcN1GowX`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer UPX_Zero - UPX packed file

Flow	SID	Signature	Category
TCP 192.168.56.101:49170 -> 208.91.197.132:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 163.44.185.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 104.21.82.142:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 62.149.128.45:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 27, 2023, 9:23 a.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.office-honu.com/t2ti/?tXxh=tZ9f+xkGPYGlMQD6QUQgW7Bu5011mP3F3RfKADEubwWsw8RZnTP/abNvRo2Y4yuWOfFkav01&U48Hj=Nte0PL1048jDrzg
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.merelweb.com/t2ti/?tXxh=BOOThCPjnUM7lSCFBnH2BimjClSgW0h7VqsAOgTwhlCUKhxaVw8OFbF4wmCxnm287AtkZOd7&U48Hj=Nte0PL1048jDrzg
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.studio352events.com/t2ti/?tXxh=8VRVJ2RxNdqDCe39p/mzazLWBvMIpzi1TvcwnZg1FNPprXhJpJwCdr2o+lwBqF61wTFgCK1+&U48Hj=Nte0PL1048jDrzg
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.earthdatascape.com/t2ti/?tXxh=kstlMeg9IcwzJYyFLKGxy4q3LInO5BAGxn+RlyiQLQgBmQ7dbCQPEHLv7OQh7nVjyOSdc9Py&U48Hj=Nte0PL1048jDrzg

request	GET http://www.office-honu.com/t2ti/?tXxh=tZ9f+xkGPYGlMQD6QUQgW7Bu5011mP3F3RfKADEubwWsw8RZnTP/abNvRo2Y4yuWOfFkav01&U48Hj=Nte0PL1048jDrzg
request	GET http://www.merelweb.com/t2ti/?tXxh=BOOThCPjnUM7lSCFBnH2BimjClSgW0h7VqsAOgTwhlCUKhxaVw8OFbF4wmCxnm287AtkZOd7&U48Hj=Nte0PL1048jDrzg
request	GET http://www.studio352events.com/t2ti/?tXxh=8VRVJ2RxNdqDCe39p/mzazLWBvMIpzi1TvcwnZg1FNPprXhJpJwCdr2o+lwBqF61wTFgCK1+&U48Hj=Nte0PL1048jDrzg
request	GET http://www.earthdatascape.com/t2ti/?tXxh=kstlMeg9IcwzJYyFLKGxy4q3LInO5BAGxn+RlyiQLQgBmQ7dbCQPEHLv7OQh7nVjyOSdc9Py&U48Hj=Nte0PL1048jDrzg

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 27, 2023, 9:23 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73272000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 27, 2023, 9:23 a.m.	process_identifier: 2652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 27, 2023, 9:23 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 27, 2023, 9:23 a.m.	process_identifier: 2696 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\pedchgywx.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 27, 2023, 9:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2652 called NtSetContextThread to modify thread in remote process 2696
NtSetContextThread Nov. 27, 2023, 9:23 a.m.	registers.eip: 1995571652 registers.esp: 5767108 registers.edi: 0 registers.eax: 4321408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000009c process_identifier: 2696	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Strab.4!c
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.24
Skyhigh	BehavesLike.Win32.Trojan.gc
McAfee	RDN/Generic.dx
Malwarebytes	Spyware.AgentTesla
VIPRE	Trojan.NSISX.Spy.Gen.24
Sangfor	Trojan.Win32.Strab.Vjpm
Alibaba	Trojan:Win32/Guloader.b3fb8f9b
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ETMM
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Strab.gen
BitDefender	Trojan.NSISX.Spy.Gen.24
Avast	Win32:MalwareX-gen [Trj]
Tencent	Win32.Trojan.Strab.Pcnw
Emsisoft	Trojan.NSISX.Spy.Gen.24 (B)
DrWeb	Trojan.Loader.1550
TrendMicro	Ransom.Win32.GULOADER.USBLKQ23
FireEye	Generic.mg.cf52e32f7257ad06
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
Webroot	W32.Trojan.NSISX.Spy
Google	Detected
Avira	TR/AD.GenShell.dwjyc
Varist	W32/ABRisk.EGPX-0756
Kingsoft	malware.kb.a.945
Microsoft	Trojan:Win32/Guloader.SMTK!MTB
Gridinsoft	Trojan.Win32.FormBook.tr
Arcabit	Trojan.NSISX.Spy.Gen.24 [many]
ViRobot	Trojan.Win.Z.Strab.467872
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Win32.Trojan.Agent.12FJA7
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.Generic.C5551419
BitDefenderTheta	Gen:NN.ZexaF.36792.GyW@ailve9p
ALYac	Gen:Heur.Mint.Zard.55
MAX	malware (ai score=83)
VBA32	BScope.Trojan.Strab
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R014C0DKQ23
Rising	Trojan.Strab!8.12D03 (TFE:5:qCpbHD75FAV)
Fortinet	NSIS/Agent.DCAC!tr
AVG	Win32:MalwareX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

balotek2.1.exe