Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 12, 2024, 12:52 p.m.	Sept. 12, 2024, 12:55 p.m.

Size	280.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`95c51c6dc018281130ce62629f0ad475`
SHA256	`b120727ce78f5de370b91e1f0016740d3e9d57a105b54c4e265e94db40c045ef`
CRC32	`C01B2150`
ssdeep	`6144:7f3BgJnruDFAOVcJMKx4cIBBcWpKqhqPLIiFTO430:bxgJnrAsbxMBBcYKvTIiFt30`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

bin.exe "C:\Users\test22\AppData\Local\Temp\bin.exe"
1940
rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
2468
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2676
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
www.zz82x.top	CNAME zz82x.top A 38.47.232.196	38.47.232.196
www.withad.xyz	A 162.0.238.43	162.0.238.43
www.wcm50.top	CNAME wcm50.top A 154.23.184.60	154.23.184.60
www.coffee-and-blends.info	A 217.160.0.231	217.160.0.231
www.lanxuanz.tech	CNAME zhs.zohosites.com A 136.143.186.12	136.143.186.12
www.mayawashfold.net	A 3.33.130.190 A 15.197.148.33 CNAME mayawashfold.net	15.197.148.33
www.filelabel.info	A 15.197.148.33 CNAME filelabel.info A 3.33.130.190	15.197.148.33
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
136.143.186.12	Active	Moloch
15.197.148.33	Active	Moloch
154.23.184.60	Active	Moloch
162.0.238.43	Active	Moloch
164.124.101.2	Active	Moloch
217.160.0.231	Active	Moloch
3.33.130.190	Active	Moloch
38.47.232.196	Active	Moloch
45.33.6.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 38.47.232.196:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (15 events)

request	POST http://www.coffee-and-blends.info/v35v/
request	GET http://www.coffee-and-blends.info/v35v/?2V=QLykxYh4zvA0eVm8sHd9vJ7cm8Ocwd+aLw1iNOUTi/NZcFg0+k6SuajB+VDZEgWr7u3QxNH7fyl6o0+K3GiYVb/CpQQZmkLRlg6A/sXIMKu948ijpPl34Lh5vJIQLmsCgl/X2MY=&5N=yBxsewvl1
request	GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
request	GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
request	POST http://www.mayawashfold.net/mtee/
request	GET http://www.mayawashfold.net/mtee/?2V=mIo06BHEAes+1ktXaBAtNGKqBpRmqRxWlUKS3fumHCh/F9Apz5MmL+0gaGFLr/u+11M8U18avNpkfr0bp21uUDjReIWSdbsSeAfUqf/zog6+kRphWsZifsnSv92p91nXivHnLMY=&5N=yBxsewvl1
request	GET http://www.zz82x.top/ym8o/?2V=0oBut1yNYbWGPCBlgyv3pZVha+opv9VnbBTx5iLcdFvMwA802wT5+eN4s6JX6RPQYa1HVkeDIT7ul87fzWjyS3+9Bl5G+MuIzE/ROIZBkpIpmi83C/mWL5yyeDtdBV6PHeqsO2U=&5N=yBxsewvl1
request	POST http://www.wcm50.top/sok0/
request	GET http://www.wcm50.top/sok0/?2V=9nK66fHSoCGrYX5gaK/AO9t7tPQ5/QEti9hRjfn4Wr4e/FiQigglpcmZABT8bPLN/EEfVpiA5WrUcuyZtKi/BBJRI9fYI3SyqgQHC3eDkS3RCCCNVpOtSHUDKdaHP3QuqehRYy8=&5N=yBxsewvl1
request	POST http://www.withad.xyz/r0nv/
request	GET http://www.withad.xyz/r0nv/?2V=MbxsL1z6NlMfyEEdZx/ZxPf8EiE8jFH+EotLfQicwl73p/l3IQxOGOCDPbvxx6J9DUF2ANV1DH6MzynBnTYcCPycA1shdY1mvpanTFbxObMy1SnsPVKhvAf5oxTVz0DK2AgMbQQ=&5N=yBxsewvl1
request	POST http://www.lanxuanz.tech/em49/
request	GET http://www.lanxuanz.tech/em49/?2V=vV5RcTk6UjJnp8cFAK/SOuBjTCno8ikmF8l1hdm9JL6NOoivCUbMGww4nWsmekXmD/ydRpWe52eDtuCzDhpXjdrcsjftmH+l+fFtrvvEqEsdx0xgXMMdSTOC4EPGj+TD2I4a44E=&5N=yBxsewvl1
request	POST http://www.filelabel.info/2w7y/
request	GET http://www.filelabel.info/2w7y/?2V=Lawv0YecSOnZdZmqngGcZvprhomfb4X9YfPVtq1IvWwToR7xRnuqxAjnf14Kb1P7OK3qF8y3rVlNPzF5bdVhlCUeYm2+7ddpSexImSbNaMK380N1MHIbJRhlUDS9sCT5SZ96r/0=&5N=yBxsewvl1

Sends data using the HTTP POST Method (6 events)

request	POST http://www.coffee-and-blends.info/v35v/
request	POST http://www.mayawashfold.net/mtee/
request	POST http://www.wcm50.top/sok0/
request	POST http://www.withad.xyz/r0nv/
request	POST http://www.lanxuanz.tech/em49/
request	POST http://www.filelabel.info/2w7y/

Resolves a suspicious Top Level Domain (TLD) (2 events)

domain	www.wcm50.top				description	Generic top level domain TLD
domain	www.zz82x.top				description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 12, 2024, 12:52 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 274432 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01113000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2024, 12:52 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01111000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2024, 12:53 p.m.	process_identifier: 1940 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2024, 12:53 p.m.	process_identifier: 2468 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00044e00', u'virtual_address': u'0x00001000', u'entropy': 7.995106703390662, u'name': u'.text', u'virtual_size': u'0x00044d04'}

entropy

7.99510670339

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Formbook.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojanspy.Noon
Skyhigh	BehavesLike.Win32.VirRansom.dc
ALYac	Gen:Variant.Mikey.148734
Cylance	Unsafe
VIPRE	Gen:Variant.Mikey.148734
Sangfor	Trojan.Win32.Formbook.Vep1
K7AntiVirus	Trojan ( 00536d121 )
BitDefender	Gen:Variant.Mikey.148734
K7GW	Trojan ( 00536d121 )
Cybereason	malicious.dc0182
Arcabit	Trojan.Mikey.D244FE
VirIT	Trojan.Win32.Formbook.GEN
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Formbook.AK
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	Trojan-Spy.Win32.Noon.biby
Alibaba	Trojan:Win32/FormBook.4cc9e21c
MicroWorld-eScan	Gen:Variant.Mikey.148734
Rising	Trojan.Kryptik@AI.86 (RDML:7JRLDhO071wIAHwW0TLapg)
Emsisoft	Gen:Variant.Mikey.148734 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
TrendMicro	TROJ_GEN.R002C0DIB24
McAfeeD	Real Protect-LS!95C51C6DC018
Trapmine	malicious.moderate.ml.score
CTX	malware (ai score=88)
Sophos	Troj/Formbook-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.95c51c6dc0182811
Webroot	W32.Noon.Gen
Google	Detected
Avira	TR/Crypt.ZPACK.Gen
Antiy-AVL	Trojan/Win32.Formbook.x
Kingsoft	malware.kb.a.1000
Gridinsoft	Trojan.Win32.Kryptik.sa
Microsoft	Trojan:Win32/FormBook.NF!MTB
ZoneAlarm	Trojan-Spy.Win32.Noon.biby
GData	Gen:Variant.Mikey.148734
AhnLab-V3	Infostealer/Win.Formbook.R647393
McAfee	Artemis!95C51C6DC018
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Formbook
Malwarebytes	Spyware.FormBook
Ikarus	Trojan.Win32.Formbook
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DIB24

bin.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All