Summary | ZeroBOX

setup.exe

Process Kill OS Processor Check PE32 PE File Device_File_Check
Category FILE
Machine s1_win7_x6402
Started June 8, 2021, 12:19 p.m.
Completed June 8, 2021, 12:22 p.m.
Size 704.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3150a1bf870aa243738b71875a62c51b
SHA256 9282835f29e080687ea77a9ffe8560955e2efebeb5cc68bd6e57d351c4b5e00c
CRC32 E0EF01B1
ssdeep 12288:fa/S3sCPfhmxjjpmt0OlIhaYbJAvSq8ZlUfMcZMSIP/LE5zfQnZuxTmP+fK0vS:UeSot0jvFAvS7ZufMcZMT/I1Qnse+p
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Device_Check_Zero - Device Check Zero
  • Process_Snapshot_Kill_Zero - Process Kill Zero

IP Address Status
164.124.101.2 Active
172.217.25.14 Active
34.104.35.123 Active
45.77.178.25 Active

Suricata Alerts

Flow: TCP 192.168.56.102:49812 -> 172.217.174.195:443
SID: 906200022
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: (not set)

Suricata TLS

Flow: TLS 1.2, 192.168.56.102:49812 -> 172.217.174.195:443
Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1
Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com
Fingerprint: 0c:b8:82:34:93:46:2b:86:b2:28:eb:7c:42:37:d1:9c:24:93:05:62

GlobalMemoryStatusEx

status: 1
return: 1
repeated: 0
section .txet
suspicious_features: POST method with no referer header; suspicious_request: POST http://www.waaer435fc.com/index.php/api/a
suspicious_features: POST method with no referer header; suspicious_request: POST http://www.waaer435fc.com/index.php/api/fb
suspicious_features: POST method with no referer header; suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:1929671218&cup2hreq=c069310cfc1ab8df9c466b265e40c1b95d7f7ef5967930c7bce8b28276cd14bd
request POST http://www.waaer435fc.com/index.php/api/a
request POST http://www.waaer435fc.com/index.php/api/fb
request HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request POST https://update.googleapis.com/service/update2?cup2key=10:1929671218&cup2hreq=c069310cfc1ab8df9c466b265e40c1b95d7f7ef5967930c7bce8b28276cd14bd
request POST http://www.waaer435fc.com/index.php/api/a
request POST http://www.waaer435fc.com/index.php/api/fb
request POST https://update.googleapis.com/service/update2?cup2key=10:1929671218&cup2hreq=c069310cfc1ab8df9c466b265e40c1b95d7f7ef5967930c7bce8b28276cd14bd
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-wal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data1-wal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data1
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data1-journal
cmdline cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\setup.exe"
file C:\Users\test22\AppData\Local\Temp\setup.exe
CreateProcessInternalW

thread_identifier: 3236
thread_handle: 0x00000138
process_identifier: 6204
current_directory:
filepath:
track: 1
command_line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\setup.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000001f0
status: 1
return: 1
repeated: 0
cmdline cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\setup.exe"
cmdline ping 1.1.1.1 -n 1 -w 3000
host 172.217.25.14
NtCreateFile

create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000130
filepath: \??\PhysicalDrive0
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 0 (FILE_SUPERSEDED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
status: 1
return: 0
repeated: 0

DeviceIoControl

input_buffer:
control_code: 2954240 (0x2D1400, IOCTL_STORAGE_QUERY_PROPERTY)
device_handle: 0x00000130
output_buffer:
status: 1
return: 1
repeated: 0
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.745231
FireEye Generic.mg.3150a1bf870aa243
CAT-QuickHeal Trojan.GenericRI.S19154279
McAfee GenericRXNE-CG!3150A1BF870A
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Cybereason malicious.f870aa
Arcabit Trojan.Razy.DB5F0F
BitDefenderTheta Gen:NN.ZexaF.34722.SyW@auZHkTei
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/PSW.Agent.OLD
ClamAV Win.Malware.Fbkatz-9833093-0
Kaspersky HEUR:Trojan-Spy.Win32.Fbkatz.vho
BitDefender Gen:Variant.Razy.745231
NANO-Antivirus Trojan.Win32.Fbkatz.iiwijl
Avast Win32:PWSX-gen [Trj]
Ad-Aware Gen:Variant.Razy.745231
Sophos Generic ML PUA (PUA)
McAfee-GW-Edition BehavesLike.Win32.Generic.bh
Emsisoft Trojan-PSW.Agent (A)
SentinelOne Static AI - Suspicious PE
Jiangmin TrojanSpy.Fbkatz.g
eGambit Unsafe.AI_Score_89%
Avira HEUR/AGEN.1138963
Microsoft Trojan:Win32/Glupteba!ml
GData Gen:Variant.Razy.745231
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Reputation.R414663
VBA32 BScope.TrojanSpy.Fbkatz
ALYac Gen:Variant.Razy.745231
MAX malware (ai score=82)
Malwarebytes Spyware.PasswordStealer
APEX Malicious
Rising Trojan.Generic@ML.100 (RDML:vpzonNB64C7MwIVw0b/vgg)
Ikarus Trojan-PSW.Agent
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:PWSX-gen [Trj]
Panda Trj/Genetic.gen
CrowdStrike win/malicious_confidence_70% (W)