Summary | ZeroBOX

bin.exe

Tags: Formbook, Malicious Packer, Malicious Library, PE32, PE File
Category: FILE
Machine: s1_win7_x6403_us
Started: Jan. 25, 2024, 8:51 a.m.
Completed: Jan. 25, 2024, 8:55 a.m.
Size: 185.5KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: d36b9ed936c51fc667d67cb5fa419a94
SHA256: 74af268a3cc5fe46f85426eb5896ecd93384185bbd2df9274363166308921460
CRC32: CEEE28B8
ssdeep: 3072:XrNO0kCgRx0pGY3RdK52rOlwFhhVD+joLtVzLP6WFB2v:NgVWRA4rOlwFh5r+2B2v
Yara
  • win_formbook_auto - Detects win.formbook.
  • win_formbook_w0 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • Win_Trojan_Formbook_Zero - Used Formbook

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 104.21.6.136:80 | 2023882 | ET INFO HTTP Request to a *.top domain | Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 104.21.6.136:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 104.21.6.136:80 | 2031089 | ET HUNTING Request to .TOP Domain with Minimal Headers | Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 172.67.166.205:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 103.224.212.213:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 34.149.87.45:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Signatures

suspicious_request (suspicious_features: GET method with no useragent header)
  • GET http://www.martinkeyword.top/b21s/?LZa0=0tEjvMOQZ1u+KiVdVD9NMdDqyg4NNl7IsBZDKOPbb44psP0R1uri9OUTuHQ9LNmBSi0J17UR&uTux=njoTZ26xmz
  • GET http://www.gattgraphic.com/b21s/?LZa0=EodxxVnP6AALhCm6PMojoLYK50H/6a9ovP9+wbqeR1Lo4rltyls8iqRv+JR8KYWFAhTe4tyj&uTux=njoTZ26xmz
  • GET http://www.family-doctor-79417.com/b21s/?LZa0=Mxt8ckLWX1wN0TXkckU8PS2/S2ul7U/m+MSjsB7vFpbxPb8t47jkcaQcBHmi0NSFrzd3m2nN&uTux=njoTZ26xmz
  • GET http://www.zhangnational.site/b21s/?LZa0=y0Dj+cpzYNB0KREV3i9vRRBmemYalAwO39f2/WBFUnsbQy2Uen8j2v8X32Jt1Fp/TC7TXkMI&uTux=njoTZ26xmz

request
  • GET http://www.martinkeyword.top/b21s/?LZa0=0tEjvMOQZ1u+KiVdVD9NMdDqyg4NNl7IsBZDKOPbb44psP0R1uri9OUTuHQ9LNmBSi0J17UR&uTux=njoTZ26xmz
  • GET http://www.gattgraphic.com/b21s/?LZa0=EodxxVnP6AALhCm6PMojoLYK50H/6a9ovP9+wbqeR1Lo4rltyls8iqRv+JR8KYWFAhTe4tyj&uTux=njoTZ26xmz
  • GET http://www.family-doctor-79417.com/b21s/?LZa0=Mxt8ckLWX1wN0TXkckU8PS2/S2ul7U/m+MSjsB7vFpbxPb8t47jkcaQcBHmi0NSFrzd3m2nN&uTux=njoTZ26xmz
  • GET http://www.zhangnational.site/b21s/?LZa0=y0Dj+cpzYNB0KREV3i9vRRBmemYalAwO39f2/WBFUnsbQy2Uen8j2v8X32Jt1Fp/TC7TXkMI&uTux=njoTZ26xmz

domain www.martinkeyword.top (description: Generic top level domain TLD)
Time & API | Arguments | Status | Return | Repeated

NtAllocateVirtualMemory
  process_identifier: 800
  region_size: 3158016
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00950000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff
Status: 1 | Return: 0 | Repeated: 0
section .text: size_of_data 0x0002d400, virtual_address 0x00001000, virtual_size 0x0002d214, entropy 7.401692454615399 (description: A section with a high entropy has been found)
entropy 1.0 (description: Overall entropy of this PE file is high)
Time & API | Arguments | Status | Return | Repeated

LookupPrivilegeValueW
  system_name: (empty)
  privilege_name: SeDebugPrivilege
Status: 1 | Return: 1 | Repeated: 0
Antivirus Results

Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Formbook.4!c
Elastic Windows.Trojan.Diceloader
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.GenericPMF.S31790698
Skyhigh BehavesLike.Win32.Generic.cc
McAfee GenericRXCD-ZZ!D36B9ED936C5
Cylance unsafe
VIPRE Gen:Variant.Lazy.425031
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 00536d121 )
BitDefender Gen:Variant.Lazy.425031
K7GW Trojan ( 00536d121 )
Cybereason malicious.8c90f0
Arcabit Trojan.Lazy.D67C47
Symantec Trojan.Formbook
ESET-NOD32 a variant of Win32/Formbook.AL
APEX Malicious
Avast Win32:Formbook-B [Trj]
ClamAV Win.Malware.Formbook-7399661-0
Kaspersky HEUR:Trojan.Win32.Generic
NANO-Antivirus Virus.Win32.Gen.ccmw
SUPERAntiSpyware Trojan.Agent/Gen-Crypt
MicroWorld-eScan Gen:Variant.Lazy.425031
Rising Stealer.Formbook!1.C470 (CLASSIC)
Emsisoft Gen:Variant.Lazy.425031 (B)
F-Secure Trojan.TR/Crypt.ZPACK.Gen
DrWeb Trojan.Siggen9.48175
TrendMicro TrojanSpy.Win32.FORMBOOK.SMYXDDE
FireEye Generic.mg.d36b9ed936c51fc6
Sophos Troj/Formbook-A
Ikarus Trojan.Win32.Formbook
Webroot W32.Malware.gen
Google Detected
Avira TR/Crypt.ZPACK.Gen
MAX malware (ai score=81)
Antiy-AVL Trojan/Win32.Formbook.x
Kingsoft Win32.Trojan.Generic.a
Microsoft Trojan:Win32/FormBook.AFB!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win32.Trojan.PSE.100IPS
Varist W32/Formbook.A.gen!Eldorado
AhnLab-V3 Trojan/Win.Formbook.X2185
BitDefenderTheta AI:Packer.EE3E03421E
DeepInstinct MALICIOUS
VBA32 BScope.TrojanPSW.Banker
Malwarebytes Generic.Malware.AI.DDS
Tencent Win32.Trojan.Generic.Mqil
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen