Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 22, 2024, 5:19 p.m.	Sept. 22, 2024, 5:22 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8b016746ea349838ed337927770248eb`
SHA256	`3f1860fe684db010bb065f30b652d4fe4ae0c1b80ad1b33875196affe6d0e569`
CRC32	`E54C59B4`
ssdeep	`24576:uRmJkcoQricOIQxiZY1iaCtiztMhDTABIIXkN6fh5X7lum8ly:7JZoQrbTFZY1iaCMtAnAaIN44`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

audiodg.exe "C:\Users\test22\AppData\Local\Temp\audiodg.exe"
2556
- svchost.exe "C:\Users\test22\AppData\Local\Temp\audiodg.exe"
  2664
netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
2744
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2984
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.antonio-vivaldi.mobi
www.goldenjade-travel.com	A 116.50.37.244	116.50.37.244
www.3xfootball.com	A 154.215.72.110	154.215.72.110
www.kasegitai.tokyo
www.magmadokum.com	CNAME natroredirect.natrocdn.com CNAME redirect.natrocdn.com A 85.159.66.93	85.159.66.93
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
116.50.37.244	Active	Moloch
154.215.72.110	Active	Moloch
164.124.101.2	Active	Moloch
45.33.6.223	Active	Moloch
85.159.66.93	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 154.215.72.110:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 116.50.37.244:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 85.159.66.93:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 22, 2024, 5:19 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 5:19 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 22, 2024, 5:19 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (8 events)

request	POST http://www.3xfootball.com/fo8o/
request	GET http://www.3xfootball.com/fo8o/?01Rq=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&G0g-=NkDPf
request	GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
request	GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
request	POST http://www.goldenjade-travel.com/fo8o/
request	GET http://www.goldenjade-travel.com/fo8o/?01Rq=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&G0g-=NkDPf
request	POST http://www.magmadokum.com/fo8o/
request	GET http://www.magmadokum.com/fo8o/?01Rq=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&G0g-=NkDPf

Sends data using the HTTP POST Method (3 events)

request	POST http://www.3xfootball.com/fo8o/
request	POST http://www.goldenjade-travel.com/fo8o/
request	POST http://www.magmadokum.com/fo8o/

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 22, 2024, 5:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2024, 5:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f6c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 5:19 p.m.	process_identifier: 2664 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 5:19 p.m.	process_identifier: 2744 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 5:20 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

netbtugc.exe tried to sleep 164 seconds, actually delayed analysis time by 164 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 22, 2024, 5:19 p.m.	thread_identifier: 2668 thread_handle: 0x000001a4 process_identifier: 2664 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\audiodg.exe" filepath_r: C:\Windows\System32\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001a8	1	1	0

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 called NtSetContextThread to modify thread in remote process 2664
NtSetContextThread Sept. 22, 2024, 5:19 p.m.	registers.eip: 1995571652 registers.esp: 3078192 registers.edi: 0 registers.eax: 4199888 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a4 process_identifier: 2664	1	0	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Autoit.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Dropper.tc
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	AIT:Trojan.Nymeria.6337
K7GW	Trojan ( 700000111 )
K7AntiVirus	Trojan ( 700000111 )
Arcabit	AIT:Trojan.Nymeria.D18C1 [many]
Symantec	Trojan.Gen.2
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.Autoit.GKF
APEX	Malicious
Avast	Script:SNH-gen [Trj]
Alibaba	TrojanSpy:Win32/Autoitinject.373fe4e2
MicroWorld-eScan	AIT:Trojan.Nymeria.6337
Rising	Trojan.Injector/Autoit!1.10326 (CLASSIC)
Emsisoft	AIT:Trojan.Nymeria.6337 (B)
F-Secure	Trojan.TR/AD.ShellcodeCrypter.owcbu
TrendMicro	Cryp_Embed4
McAfeeD	ti!3F1860FE684D
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.autoit
Sophos	Mal/Generic-S
FireEye	Generic.mg.8b016746ea349838
Google	Detected
Avira	TR/AD.ShellcodeCrypter.owcbu
Kingsoft	Win32.Trojan-Spy.Noon.bidz
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Autoitinject.PPEH!MTB
GData	AIT:Trojan.Nymeria.6337 (2x)
Varist	W32/AutoIt.AQ.gen!Eldorado
AhnLab-V3	Packed/Win.Suspicious.C5673041
McAfee	Artemis!8B016746EA34
DeepInstinct	MALICIOUS
VBA32	Trojan.Autoit.F
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.Win32.Injector
Panda	Trj/CI.A
TrendMicro-HouseCall	Cryp_Embed4
Tencent	Win32.Trojan-Spy.Noon.Sgil
MaxSecure	Trojan.Autoit.AZA
Fortinet	W32/Injector_Autoit.GKE!tr
AVG	Script:SNH-gen [Trj]
Paloalto	generic.ml

audiodg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All