Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 7, 2025, 2:11 p.m.	Feb. 7, 2025, 2:27 p.m.

Size	284.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`18653ba7baa00d4eae7f02368a3b5bc2`
SHA256	`f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b`
CRC32	`E362E348`
ssdeep	`6144:aMi1gkMYPj2ts4lXIrxUQFWDRo4n3nmHfS6vJWa9aIer+tGE:aLOkM2P4lXIrJB4nXmZJWaYpZ`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

giania.exe "C:\Users\test22\AppData\Local\Temp\giania.exe"
2568
NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
2736
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  3044
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.selcukselcuklu.xyz	CNAME natroredirect.natrocdn.com CNAME redirect.natrocdn.com A 85.159.66.93	85.159.66.93
www.travel-cure.sbs	A 199.59.243.160	199.59.243.160
www.styling-fashion.shop	A 130.185.109.77	130.185.109.77
www.melengkung.xyz	A 13.248.169.48 A 76.223.54.146	76.223.54.146
www.uarsg.xyz	A 103.117.135.13 A 43.251.56.161 A 103.42.144.142 CNAME an05-prod-x.cdn-ng.net	103.42.144.142
www.dynavision.website	A 162.0.231.203	162.0.231.203
www.aicycling.pro	CNAME webapp-2412190.pythonanywhere.com A 35.173.69.207	35.173.69.207
www.newanthoperso.shop	A 104.21.16.1 A 104.21.96.1 A 104.21.112.1 A 104.21.64.1 A 104.21.80.1 A 104.21.32.1 A 104.21.48.1	104.21.64.1
www.ddvids.xyz	A 76.223.54.146 A 13.248.169.48	76.223.54.146
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
103.117.135.13	Active	Moloch
104.21.64.1	Active	Moloch
13.248.169.48	Active	Moloch
130.185.109.77	Active	Moloch
162.0.231.203	Active	Moloch
164.124.101.2	Active	Moloch
199.59.243.160	Active	Moloch
35.173.69.207	Active	Moloch
45.33.6.223	Active	Moloch
76.223.54.146	Active	Moloch
85.159.66.93	Active	Moloch
91.108.241.156	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (19 events)

request	POST http://www.ddvids.xyz/uzuz/
request	GET http://www.ddvids.xyz/uzuz/?7iLz=UshPKO0dNm98vEMhaNbSX2A+fJ/H21d4iWbSX/AQNqspcl+MVTRBgD3ji/S1tafiA6ZYZkh2ccHoP5V5YTirJ1qYPqv52BQNOT4EN3OvVYBIYMuLBq8bmJFPQgbmsIc9sUYEngo=&dQL=ERfY5WNK6VCL
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
request	POST http://www.selcukselcuklu.xyz/xmaq/
request	GET http://www.selcukselcuklu.xyz/xmaq/?7iLz=Nc0ahui9OuUyPWQ0wg6ddB7zfjvsIuhTYJo9+d9NbiMm9o6JrADtZGql50wZzqvTbZSQR4rd/x3lqdj1a5n74Ial39AJiquCe0FK2LNpOj8yctTDFAMGIGmIKHOmtdArY37nNnA=&dQL=ERfY5WNK6VCL
request	POST http://www.newanthoperso.shop/0le1/
request	GET http://www.newanthoperso.shop/0le1/?7iLz=Dx/MqlAFg1XKcbhdCtl9NXYZaNb/DbvfLlm0IsINePZ8H8nxVICNjyUJQ4fEfICAR8v0DHKlhm+FQ7oxeyJnu2RJ/Eus3rWWBRyl1PyqqKc4NuOn8OBQwZRW9f+OkAlRdJac7OQ=&dQL=ERfY5WNK6VCL
request	POST http://www.dynavision.website/qa02/
request	GET http://www.dynavision.website/qa02/?7iLz=JNwepELy7R4E6v0RPRdvOzrYBpTx1Hv5CYoJNnmQ71pjv3Abx2q8jLvoMy2rVexceSAQngCbZ7inZxjKorg4dH8KYKEx8XpXgMreEMRLqBM2zUFWW4/GPGmnHzQ6OUfZxDxxnXM=&dQL=ERfY5WNK6VCL
request	POST http://www.melengkung.xyz/epte/
request	GET http://www.melengkung.xyz/epte/?7iLz=qZ0lqbLV9ndGFXrdtn0Z3SKcqi+r0nxBnVcReZUGJvXJFs/WjXvOz4srz5ZcVbbFlLU7YNXQmhJyi71gCAY8yoyV7MlHQhYtSsW1x4J8EPHD3xkSw4IkXajKABHjZDF+hZX9Y9E=&dQL=ERfY5WNK6VCL
request	POST http://www.travel-cure.sbs/zncw/
request	GET http://www.travel-cure.sbs/zncw/?7iLz=6rPucfbE+4FkBCZ/C1DZqPGWQbVbwLGOEnooZk5smC2H/9chrAXXRKw1aX+tXHlN2Cx0I8Wr3ZhJ6KoQS/VdSAeiqJj3nZCt81kXeuKg7Nd2IqUE6ziB/SwV5eCpW1U4laD6Yi0=&dQL=ERfY5WNK6VCL
request	POST http://www.uarsg.xyz/0s8c/
request	GET http://www.uarsg.xyz/0s8c/?7iLz=Wip+pBdTTS6Jq5vB6efzdjHo/HiX4iRfTkAXLY59j/vEaJ/+fGA54AuL7sVj7bUmz7N5YuZthPXbJXmVXPMkHUZPDhld5lekCBbu4qkvjM1uKdN2iLe3ycLSVtfRyW+xBTjvaug=&dQL=ERfY5WNK6VCL
request	POST http://www.styling-fashion.shop/yi6p/
request	GET http://www.styling-fashion.shop/yi6p/?7iLz=qBhNOcMTBqfmCMUcEXvh6ShlA2gITQplXokF0NAH1+NfBcMLA0lsVYWoTIHRvU+tNy65wt0yoS+7gftlJR0RSKe0cjgKMjgDwzgQF+6JPMp+i7GST0tW3ld6oYxL3epGjqx0CYg=&dQL=ERfY5WNK6VCL
request	POST http://www.aicycling.pro/qnps/
request	GET http://www.aicycling.pro/qnps/?7iLz=MCJ7DzuZ6iBB0RpFWrXAftKdpydFD9ISqSO4molp0VMepsjMIELOoHRZsR0lMboGGH/TVbv+my/vFeh0fLJXgAiyE7rdadjQiRYlF8P2/Au9nMO1Bb3Zjyx3gjGvIOaKBdUtkaU=&dQL=ERfY5WNK6VCL

Sends data using the HTTP POST Method (9 events)

request	POST http://www.ddvids.xyz/uzuz/
request	POST http://www.selcukselcuklu.xyz/xmaq/
request	POST http://www.newanthoperso.shop/0le1/
request	POST http://www.dynavision.website/qa02/
request	POST http://www.melengkung.xyz/epte/
request	POST http://www.travel-cure.sbs/zncw/
request	POST http://www.uarsg.xyz/0s8c/
request	POST http://www.styling-fashion.shop/yi6p/
request	POST http://www.aicycling.pro/qnps/

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 7, 2025, 2:11 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 278528 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 7, 2025, 2:11 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 7, 2025, 2:11 p.m.	process_identifier: 2568 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 7, 2025, 2:11 p.m.	process_identifier: 2736 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 7, 2025, 2:05 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

NETSTAT.EXE tried to sleep 154 seconds, actually delayed analysis time by 154 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00045e00', u'virtual_address': u'0x00001000', u'entropy': 7.994013080479613, u'name': u'.text', u'virtual_size': u'0x00045c74'}

entropy

7.99401308048

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

91.108.241.156

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Formbook.l!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	cld.trojanspy.noon
Skyhigh	BehavesLike.Win32.VirRansom.dc
ALYac	Gen:Variant.Mikey.173310
Cylance	Unsafe
VIPRE	Gen:Variant.Mikey.173310
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Mikey.173310
K7GW	Trojan ( 00536d121 )
K7AntiVirus	Trojan ( 00536d121 )
Arcabit	Trojan.Mikey.D2A4FE
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Formbook.AA
APEX	Malicious
Avast	Win32:SpywareX-gen [Trj]
Kaspersky	Trojan-Spy.Win32.Noon.bkdv
Alibaba	Trojan:Win32/FormBook.e3b115d8
MicroWorld-eScan	Gen:Variant.Mikey.173310
Rising	Spyware.Agent!1.F5F4 (CLASSIC)
Emsisoft	Gen:Variant.Mikey.173310 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
McAfeeD	Real Protect-LS!18653BA7BAA0
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.formbook
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.18653ba7baa00d4e
Google	Detected
Avira	TR/Crypt.ZPACK.Gen
Antiy-AVL	Trojan/Win32.Formbook.ak
Kingsoft	malware.kb.a.1000
Gridinsoft	Spy.Win32.Keylogger.sa
Microsoft	Trojan:Win32/FormBook.NF!MTB
GData	Gen:Variant.Mikey.173310
Varist	W32/Formbook.AG.gen!Eldorado
AhnLab-V3	Infostealer/Win.Formbook.R647393
McAfee	Artemis!18653BA7BAA0
DeepInstinct	MALICIOUS
VBA32	Virus.Goblin.2521
Malwarebytes	Malware.Heuristic.2051
Ikarus	Trojan.Win32.Formbook
Panda	Trj/CI.A
Tencent	Win32.Trojan.Crypt.Ocnw
huorong	TrojanSpy/Formbook.ag
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Formbook.AA!tr

giania.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All