Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 8, 2025, 12:12 p.m.	March 8, 2025, 12:26 p.m.

Size	282.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3e4a1eeea0b92fbe4d53fb0cc057a48b`
SHA256	`5e300add3c57b7c15d95b10a3d7a9ac65b55f95c8e2cc11a5316fcbc8c027044`
CRC32	`92B6D587`
ssdeep	`6144:bduXBAAwGSD+ALyZqm+TE9ODvYsItuhiEvUbK71S59CTbc1oQdU:bIxnTJ1meODvYNWvoo1Ucbc8`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

dressman.exe "C:\Users\test22\AppData\Local\Temp\dressman.exe"
1648
SearchFilterHost.exe "C:\Windows\SysWOW64\SearchFilterHost.exe"
2540
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2748
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
www.iighpb.bid	A 168.206.158.193	168.206.158.193
www.topanked.top	A 66.29.149.46	66.29.149.46
www.sbrqmu.info	A 47.83.1.90	47.83.1.90
www.memelending.xyz	A 13.248.169.48 A 76.223.54.146	76.223.54.146
www.ddvids.xyz	A 13.248.169.48 A 76.223.54.146	13.248.169.48
www.ganjubaspepe.shop	A 37.220.85.148	37.220.85.148
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
13.248.169.48	Active	Moloch
164.124.101.2	Active	Moloch
168.206.158.193	Active	Moloch
37.220.85.148	Active	Moloch
45.33.6.223	Active	Moloch
47.83.1.90	Active	Moloch
66.29.149.46	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49173 -> 47.83.1.90:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 13.248.169.48:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 168.206.158.193:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 37.220.85.148:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 66.29.149.46:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 66.29.149.46:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 13.248.169.48:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (13 events)

request	POST http://www.iighpb.bid/5d1n/
request	GET http://www.iighpb.bid/5d1n/?HURm=jh47ZkWe3pMLesNqQxfZnWcYZ42BfePGwJQBvqmjJc844U6cN8Ak4K3ulvzfn6lddo6S72gjxf7EodEqFRvd5fa+7Ski0xAnnVoh+cas+na3D3OiP6NDxLmvcInSsfLuZB1qyXo=&Ns-H=ldGxzsoTk
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
request	POST http://www.sbrqmu.info/i883/
request	GET http://www.sbrqmu.info/i883/?HURm=huU73JBtu3QyRUSva8mlc4VM62Ko0Xc2M3iXbmGsv5OJILTOM0eREVkX+jSCcFjglKBhrhOcOpoUYzGu15X9RjKkbHF88msUhX/mnpDKTKXKLLfW9eyFo/HeGZ1M8hO+4DNCATo=&Ns-H=ldGxzsoTk
request	POST http://www.memelending.xyz/akvb/
request	GET http://www.memelending.xyz/akvb/?HURm=etUAwxxBsZH+778s54dWVVdYnxhpoHiG3WmQ7Xy2Jez6gkEbSSV1pnV2OkCedoCpOo91hQ5SDOX5jJoDXCCe3V8zXEVYkf5aO2mlGjtwmr2v3LCnrmqkVFJBk7wXFV2Y3Jrzzzg=&Ns-H=ldGxzsoTk
request	POST http://www.ddvids.xyz/woo9/
request	GET http://www.ddvids.xyz/woo9/?HURm=Ctp2Csd8snwCAAuq+RhIGc8y73rjA79cYY9yf3pDFf9BGTycD8yIDUQcrIec3wCe/NdFl1LxRqJjhC0a3XbgS+5O7jounWyTbnXMDRi3is3s3Eh62gnvfSw2GphUSSZx+6/bYAk=&Ns-H=ldGxzsoTk
request	POST http://www.topanked.top/0fhi/
request	GET http://www.topanked.top/0fhi/?HURm=cCXyyk4J5faVFTox+ER0RAjK1Z9ezHk0lrOwdAeOPfQPZof5UExjSf5+z32UEGUY2RvHxIeZh84xexKPhP2Wt9YWBTosPSkYAOuNjmbEy7eZW95sQnWGsLl87K/ZMBw5C9s6Sjc=&Ns-H=ldGxzsoTk
request	POST http://www.ganjubaspepe.shop/xuh3/
request	GET http://www.ganjubaspepe.shop/xuh3/?HURm=IaEP9l0bvW2FY56Ja/vGWov3+eLbumgWWdgQ6YQDxSUuegQZjPsgg8yUWW0L3fr7l0MrDhbdM2OVgc0I1OJs7eJnFzzLLchM9iy+w2WbZhy1Q4TzF2nv9eEICoF+EmBgA1JBu4o=&Ns-H=ldGxzsoTk

Sends data using the HTTP POST Method (6 events)

request	POST http://www.iighpb.bid/5d1n/
request	POST http://www.sbrqmu.info/i883/
request	POST http://www.memelending.xyz/akvb/
request	POST http://www.ddvids.xyz/woo9/
request	POST http://www.topanked.top/0fhi/
request	POST http://www.ganjubaspepe.shop/xuh3/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.topanked.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 8, 2025, 12:12 p.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 278528 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00103000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:12 p.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00101000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:12 p.m.	process_identifier: 1648 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:12 p.m.	process_identifier: 2540 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00045800', u'virtual_address': u'0x00001000', u'entropy': 7.995983783793285, u'name': u'.text', u'virtual_size': u'0x000457f4'}

entropy

7.99598378379

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Lionic	Trojan.Win32.Formbook.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.174048384057a48b
Skyhigh	BehavesLike.Win32.VirRansom.dc
ALYac	Gen:Variant.Mikey.173310
Cylance	Unsafe
VIPRE	Gen:Variant.Mikey.173310
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Mikey.173310
K7GW	Trojan ( 00536d121 )
K7AntiVirus	Trojan ( 00536d121 )
Arcabit	Trojan.Mikey.D2A4FE
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Formbook.AA
APEX	Malicious
Avast	Win32:MiscX-gen [PUP]
Kaspersky	Trojan-Spy.Win32.Noon.bkpp
Alibaba	Trojan:Win32/FormBook.26a4b89e
MicroWorld-eScan	Gen:Variant.Mikey.173310
Rising	Trojan.Formbook!1.10495 (CLASSIC)
Emsisoft	Gen:Variant.Mikey.173310 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
Zillya	Trojan.Formbook.Win32.11345
McAfeeD	Real Protect-LS!3E4A1EEEA0B9
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.formbook
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.3e4a1eeea0b92fbe
Google	Detected
Avira	TR/Crypt.ZPACK.Gen
Antiy-AVL	Trojan/Win32.Formbook.ak
Kingsoft	malware.kb.a.1000
Gridinsoft	Ransom.Win32.Formbook.sa
Microsoft	Trojan:Win32/FormBook.NF!MTB
GData	Gen:Variant.Mikey.173310
Varist	W32/Formbook.AG.gen!Eldorado
AhnLab-V3	Infostealer/Win.Formbook.R647393
McAfee	Artemis!3E4A1EEEA0B9
DeepInstinct	MALICIOUS
VBA32	Virus.Goblin.2521
Malwarebytes	Malware.Heuristic.2051
Ikarus	Trojan.Win32.Formbook
Panda	Trj/CI.A
Tencent	Win32.Trojan.Crypt.Jajl
huorong	TrojanSpy/Formbook.ah
MaxSecure	Trojan.Malware.300983.susgen

dressman.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All