Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 20, 2021, 3:46 p.m.	April 20, 2021, 3:49 p.m.

Size	3.7MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5	`73eb70ca5994df6e2766bb5b799f04ec`
SHA256	`d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c`
CRC32	`A2ED8A9D`
ssdeep	`49152:OQDY27iKqkXNjrRMF0TiBlOagRMs0ogXUaBqhreSM0Z14Dk6I5ZdzREmquDI0A+V:OqqkXsF0TcOlzgXUdK0YDbI5ZdzRy6J`
Yara	PE_Header_Zero - PE File Signature Zero UPX_Zero - UPX packed file IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check

setupapp.exe "C:\Users\test22\AppData\Local\Temp\setupapp.exe"
2616

Name	Response	Post-Analysis Lookup
sndvoices.com	TXT 16	172.67.216.130
lalemada.info	A 172.67.207.106 A 104.21.69.103	172.67.207.106
cd525338-6a0f-400b-a98a-ae23e317d921.sndvoices.com
msdl.microsoft.com	CNAME msdl.microsoft.akadns.net CNAME msdl-microsoft-com.a-0016.a-msedge.net CNAME a-0016.a-msedge.net A 204.79.197.219	204.79.197.219
spolaect.info	A 104.21.33.110 A 172.67.161.225	172.67.161.225
fotamene.com	A 104.21.1.88 A 172.67.128.242	172.67.128.242
server10.sndvoices.com	A 104.21.16.228 A 172.67.216.130	172.67.216.130
vsblobprodscussu5shard10.blob.core.windows.net	CNAME blob.sat10prdstr06a.store.core.windows.net A 20.150.39.196	20.150.39.196
vsblobprodscussu5shard58.blob.core.windows.net	CNAME blob.sn4prdstr01a.store.core.windows.net A 13.84.56.16	13.84.56.16

IP Address	Status	Action
104.21.1.88	Active	Moloch
104.21.16.228	Active	Moloch
13.84.56.16	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.161.225	Active	Moloch
172.67.207.106	Active	Moloch
20.150.39.196	Active	Moloch
204.79.197.219	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49808 -> 204.79.197.219:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49809 -> 204.79.197.219:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49810 -> 20.150.39.196:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49813 -> 204.79.197.219:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49814 -> 13.84.56.16:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49808 204.79.197.219:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com	59:ef:31:b0:03:89:82:c9:2b:90:9a:8c:60:24:70:85:f6:45:ed:9a
TLSv1 192.168.56.102:49809 204.79.197.219:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com	59:ef:31:b0:03:89:82:c9:2b:90:9a:8c:60:24:70:85:f6:45:ed:9a
TLS 1.3 192.168.56.102:49811 104.21.16.228:443	None	None	None
TLS 1.3 192.168.56.102:49812 104.21.16.228:443	None	None	None
TLSv1 192.168.56.102:49810 20.150.39.196:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=*.blob.core.windows.net	d0:4c:33:5f:cd:ac:48:a4:00:ff:d5:6a:1c:fc:1c:61:d5:84:05:4d
TLSv1 192.168.56.102:49813 204.79.197.219:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com	59:ef:31:b0:03:89:82:c9:2b:90:9a:8c:60:24:70:85:f6:45:ed:9a
TLSv1 192.168.56.102:49814 13.84.56.16:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=*.blob.core.windows.net	70:c1:14:b5:95:35:c0:4b:01:19:5c:47:78:be:e0:40:bc:d4:62:09
TLS 1.3 192.168.56.102:49816 172.67.161.225:443	None	None	None
TLS 1.3 192.168.56.102:49815 104.21.1.88:443	None	None	None
TLS 1.3 192.168.56.102:49817 172.67.207.106:443	None	None	None

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 20, 2021, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2021, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2021, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2021, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2021, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2021, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2021, 3:46 p.m.	computer_name: TEST22-PC	1	1

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Performs some HTTP requests (5 events)

request	GET https://msdl.microsoft.com/download/symbols/index2.txt
request	GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
request	GET https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=7AbuFcy6rVsv90SWbhZYjX%2F1l2smGDcgr940AwiIF4k%3D&spr=https&se=2021-04-21T07%3A12%3A02Z&rscl=x-e2eid-d85b51fb-5af2448b-86391750-db8470b1-session-1ebff91c-856e4d36-a4b4e0af-5a74b6de
request	GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
request	GET https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=9UUozfiE%2FOpxeeckU6eKE51prLyA7vjOQSQhv8%2F4Goc%3D&spr=https&se=2021-04-21T07%3A35%3A45Z&rscl=x-e2eid-1750f897-21ec47fd-858b9192-280e65c5-session-4d66908c-74d44857-ac54d7ee-2d4cedfc

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74421000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74421000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74481000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66a91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73831000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74411000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2021, 3:46 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73891000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x003b8600', u'virtual_address': u'0x0056c000', u'entropy': 7.89301260559595, u'name': u'UPX1', u'virtual_size': u'0x003b9000'}

entropy

7.8930126056

description

A section with a high entropy has been found

entropy

0.999868766404

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 20, 2021, 3:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT Name FROM Win32_Processor

Performs a TXT record DNS lookup potentially for command and control or covert channel (2 events)

domain	sndvoices.com
domain	cd525338-6a0f-400b-a98a-ae23e317d921.sndvoices.com

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Executes one or more WMI queries (5 events)

wmi	SELECT displayName FROM AntiVirusProduct
wmi	SELECT OSArchitecture FROM Win32_OperatingSystem
wmi	SELECT Name FROM Win32_VideoController
wmi	SELECT Caption FROM Win32_OperatingSystem
wmi	SELECT Name FROM Win32_Processor

Expresses interest in specific running processes (1 event)

process: potential process injection target

winlogon.exe

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress April 20, 2021, 3:46 p.m.	ordinal: 0 function_address: 0x0018fe3d function_name: wine_get_version module: ntdll module_address: 0x773a0000		3221225785	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen13.6110
MicroWorld-eScan	Trojan.Agent.ETWT
FireEye	Generic.mg.73eb70ca5994df6e
CAT-QuickHeal	Trojan.Generic
McAfee	Artemis!73EB70CA5994
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00575e511 )
Alibaba	Trojan:Win32/RanumBot.91cc2273
K7GW	Trojan ( 00575e511 )
Cybereason	malicious.a5994d
BitDefenderTheta	AI:Packer.9D62356B1F
Cyren	W32/RanumBot.E.gen!Eldorado
Symantec	Trojan.Glupteba
ESET-NOD32	a variant of WinGo/RanumBot.J
APEX	Malicious
Avast	FileRepMalware
ClamAV	Win.Trojan.MSShellcode-7
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.Agent.ETWT
NANO-Antivirus	Trojan.Win32.Mlw.itxuuo
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Ranumbot.3901952
Rising	Trojan.RanumBot!8.112AC (CLOUD)
Ad-Aware	Trojan.Agent.ETWT
Sophos	Mal/Behav-030
Comodo	Malware@#3r3hhrh1xmw8g
Zillya	Trojan.Agent.Win32.1965981
McAfee-GW-Edition	BehavesLike.Win32.Generic.wc
Emsisoft	Trojan.Agent.ETWT (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanDDoS.Windigo.oa
Webroot	W32.Malware.Gen
Avira	TR/Agent.hofzi
Gridinsoft	Trojan.Win32.Agent.oa
Microsoft	Trojan:Win32/RanumBot.MT!MTB
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.Agent.ETWT
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.RanumBot.C4414318
VBA32	Rootkit.Agent
MAX	malware (ai score=82)
Malwarebytes	Trojan.Ranumbot
TrendMicro-HouseCall	TROJ_GEN.R002C0DDB21
Ikarus	Trojan.Win32.Ranumbot
eGambit	Unsafe.AI_Score_99%

setupapp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All