Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 7, 2025, 2:11 p.m.	Feb. 7, 2025, 2:18 p.m.

Size	280.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`88ba5ea93cd4d63db0c02028808483d5`
SHA256	`27632516b503084b7a82223985ade9d419829b073a0da07411877f97e218e4a7`
CRC32	`C9945DAA`
ssdeep	`6144:adbUUC1t/5mHkcx+rN4m0X+zWjw3sSVZZJa4zxjcOcRyb1oY7mRXx:adfCL/5Brmm04SosmNa49ILRvXx`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

code.exe "C:\Users\test22\AppData\Local\Temp\code.exe"
2548
sxstrace.exe "C:\Windows\SysWOW64\sxstrace.exe"
2676
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2952
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.shibbets.xyz	A 76.223.54.146 A 13.248.169.48	13.248.169.48
www.lifesentials.life	A 63.250.47.57	63.250.47.57
www.laohuc58.net	A 23.225.160.132 CNAME r0lqcud7.nbnnn.xyz A 23.225.159.42 A 202.79.161.151 A 27.124.4.246	27.124.4.246
www.banjia0731.icu	A 45.199.72.207	45.199.72.207
www.meacci.xyz	A 13.248.169.48 A 76.223.54.146	76.223.54.146
www.brothersharetender.xyz	A 13.248.169.48 A 76.223.54.146	13.248.169.48
www.031234103.xyz	A 144.76.229.203 CNAME 031234103.xyz	144.76.229.203
www.extremedoge.xyz	A 13.248.169.48 A 76.223.54.146	13.248.169.48
www.dogebonus.xyz	A 76.223.54.146 A 13.248.169.48	76.223.54.146
www.zltbd.top	A 198.2.236.221	198.2.236.221
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.67051.app	A 103.215.78.119	103.215.78.119

IP Address	Status	Action
103.215.78.119	Active	Moloch
13.248.169.48	Active	Moloch
144.76.229.203	Active	Moloch
164.124.101.2	Active	Moloch
198.2.236.221	Active	Moloch
27.124.4.246	Active	Moloch
45.199.72.207	Active	Moloch
45.33.6.223	Active	Moloch
63.250.47.57	Active	Moloch
76.223.54.146	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 198.2.236.221:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2026888	ET INFO DNS Query for Suspicious .icu Domain	Potentially Bad Traffic
TCP 192.168.56.101:49189 -> 45.199.72.207:80	2026887	ET INFO HTTP POST Request to Suspicious *.icu domain	Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 63.250.47.57:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 63.250.47.57:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (21 events)

request	POST http://www.brothersharetender.xyz/zt2z/
request	GET http://www.brothersharetender.xyz/zt2z/?Llh=xrZBxJYgw8cIQMiqB7MJTIt56Y5x1dzsCIunmK+cvRjjBmIrzA2dl/VKD+8Ko7RwD9ZNT3MsvQ9uHPPRt337yY3SQq9c32vIKb0ZpnkUqAHAqojpvsCz/3SLl1qRQBpJo+hmuPc=&td=4M-32bF2uXv9
request	GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip
request	POST http://www.extremedoge.xyz/d8se/
request	GET http://www.extremedoge.xyz/d8se/?Llh=/SD9pFSzQOAsk6zpabHlU9ZXbxrg7PaZHGb2u7tA7jL8hbNivAh91rSnEmMQYiYm2xILAWc0h2mK7v85Eb/bwmkVaqdX4hXL1d46fAKlPCExW94pmuU+QNfSRFIryEKBz6Xtm2w=&td=4M-32bF2uXv9
request	POST http://www.meacci.xyz/y3n2/
request	GET http://www.meacci.xyz/y3n2/?Llh=YYHifcw1ROMF/3Rui21dObVXjAOycMKtO4hXXvbRKVUVh0h/q4DM+aO7A1nlqnFctBzVAwzHmVAfM2sicI7T38fTXgwlOQpRgAWrULTRJOennTkobfA6A/gEUPp6kRoqEnphUcA=&td=4M-32bF2uXv9
request	POST http://www.zltbd.top/1jgm/
request	GET http://www.zltbd.top/1jgm/?Llh=eA6uj9mZZG+EKrxfswGApmXXI0p+YTaKp1gfdi5CfcM9nM+TLjgWcwBtgp/C7prMYA+QDtZzzV+0rSF+jYnqwmuWlATC+zwKaxmM0eLSIF6KRgpcsoHnjR3ICsIoHcDcBWoJljM=&td=4M-32bF2uXv9
request	POST http://www.67051.app/fm7p/
request	GET http://www.67051.app/fm7p/?Llh=fBQGVIP7Njvsfk9lzF9d/sdBluYbkOx9Vaqk3JyU25ETPeViuHfhuXRn/X/4l2r/aQcZiXoH+567skXIk+or+vUABT2ejmBxdOFfcD/7nc+/oBxuIH8atQY3BV9A3FWHsGb3cNA=&td=4M-32bF2uXv9
request	POST http://www.lifesentials.life/ai0p/
request	GET http://www.lifesentials.life/ai0p/?Llh=rZDqlkYBI8Udwc1PV/KnJHNh6pEuqfnUU600R0dEHTi0g/oFcrH0VJPjKDcJsyDPkPK5dg/BoZxLcakNPxKVIp3FFoqOpAqATHzFTc0Kc7j4Hnf42/UwaR/YWWdcV10GGOZvjs0=&td=4M-32bF2uXv9
request	POST http://www.031234103.xyz/dcuq/
request	GET http://www.031234103.xyz/dcuq/?Llh=7EIrk2a44qM8+P4T8JDW5BXJ9n28PXV7+/6L2NN5PDXBTTL/JZ98MmX8dmN4cg/v65DfsXcqsYvOJsm24QtwtT24Ily7fae4aXU265y/XHAb6zWkMeauie4snRNRUk0nTZ2JMB0=&td=4M-32bF2uXv9
request	POST http://www.shibbets.xyz/c3po/
request	GET http://www.shibbets.xyz/c3po/?Llh=/Wnh70q18r/I0Nchd4hywIFo9BzviYpX0j5Xn0WCxuGW1YNIN7yCv1GXQYyzHI9oVtbk0Qn7crHFX7iLWoKgAm1hHHflXN/4uvMxriDJeHGGOSWZuqMgFDJgNgOgFdkkkLhhx7k=&td=4M-32bF2uXv9
request	POST http://www.banjia0731.icu/7hg3/
request	GET http://www.banjia0731.icu/7hg3/?Llh=v5X+3+iEc/Uvt288LwqsYb5NJ0322hz3EXLj0Ccb66JVULuRjil5/VwtV230PPKy6CklN/m1lmp+ebN8FryGocLqxWElOtZH067PqeKPuYFK80ONFwqGcRNYKgFa/Hst8tVb9YA=&td=4M-32bF2uXv9
request	POST http://www.dogebonus.xyz/0vny/
request	GET http://www.dogebonus.xyz/0vny/?Llh=myEZ251pNFEUATDY+9yAk+s16G6gEHJ2TfH5Ex+eBmeHh8124vv24n+FuItehPX14VOi64VFrqeI2WDFhnLrQF1N78gHuIe9wI/OsVlX0IK+R23f3LJlJIi96OSfeEBtIW5OHg8=&td=4M-32bF2uXv9

Sends data using the HTTP POST Method (10 events)

request	POST http://www.brothersharetender.xyz/zt2z/
request	POST http://www.extremedoge.xyz/d8se/
request	POST http://www.meacci.xyz/y3n2/
request	POST http://www.zltbd.top/1jgm/
request	POST http://www.67051.app/fm7p/
request	POST http://www.lifesentials.life/ai0p/
request	POST http://www.031234103.xyz/dcuq/
request	POST http://www.shibbets.xyz/c3po/
request	POST http://www.banjia0731.icu/7hg3/
request	POST http://www.dogebonus.xyz/0vny/

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 7, 2025, 2:11 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 274432 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 7, 2025, 2:11 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 7, 2025, 2:11 p.m.	process_identifier: 2548 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 7, 2025, 2:11 p.m.	process_identifier: 2548 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 7, 2025, 2:11 p.m.	process_identifier: 2676 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 7, 2025, 2:05 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

sxstrace.exe tried to sleep 164 seconds, actually delayed analysis time by 164 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00045000', u'virtual_address': u'0x00001000', u'entropy': 7.996338728900525, u'name': u'.text', u'virtual_size': u'0x00044f44'}

entropy

7.9963387289

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 manipulating memory of non-child process 988
NtMapViewOfSection Feb. 7, 2025, 2:11 p.m.	section_handle: 0x0000004c process_identifier: 988 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x04250000 allocation_type: 0 () section_offset: 0 view_size: 14200832 process_handle: 0x00000050	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 called NtSetContextThread to modify thread in remote process 2676
NtSetContextThread Feb. 7, 2025, 2:11 p.m.	registers.eip: 1995571652 registers.esp: 720668 registers.edi: 0 registers.eax: 1285792 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000064 process_identifier: 2676	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Formbook.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	cld.trojan.sdum
Skyhigh	BehavesLike.Win32.VirRansom.dc
ALYac	Gen:Variant.Mikey.173310
Cylance	Unsafe
VIPRE	Gen:Variant.Mikey.173310
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Mikey.173310
K7GW	Trojan ( 00536d121 )
K7AntiVirus	Trojan ( 00536d121 )
Arcabit	Trojan.Mikey.D2A4FE
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Formbook.AK
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/FormBook.d8d1db5a
MicroWorld-eScan	Gen:Variant.Mikey.173310
Rising	Trojan.Formbook!1.10495 (CLASSIC)
Emsisoft	Gen:Variant.Mikey.173310 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
TrendMicro	Possible_Virus
McAfeeD	Real Protect-LS!88BA5EA93CD4
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.formbook
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.88ba5ea93cd4d63d
Google	Detected
Avira	TR/Crypt.ZPACK.Gen
Antiy-AVL	Trojan/Win32.Formbook.ak
Kingsoft	malware.kb.a.1000
Gridinsoft	Ransom.Win32.Gen.sa
Microsoft	Trojan:Win32/FormBook.NF!MTB
GData	Gen:Variant.Mikey.173310
Varist	W32/Formbook.AG.gen!Eldorado
AhnLab-V3	Infostealer/Win.Formbook.R647393
McAfee	Artemis!88BA5EA93CD4
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Formbook
Malwarebytes	Malware.Heuristic.2051
Ikarus	Trojan.Win32.Formbook
Panda	Trj/CI.A
TrendMicro-HouseCall	Possible_Virus
Tencent	Win32.Trojan.Crypt.Jtgl
MaxSecure	Trojan.Malware.300983.susgen

code.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All