Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 9, 2021, 4:20 p.m.	June 9, 2021, 4:23 p.m.

Size	177.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`24dd4963d365c33435f58adaebb1ef26`
SHA256	`a1b5a409baecc58b655cafee130c86297f979e65ca1ebd430755d378ab76f513`
CRC32	`3C0A8EFE`
ssdeep	`3072:JS8BCfoDaXJnMUkMagUiz0g9EDpyujez1T5du0bgGBoFJRcKUCJaHKZAiDZqVW:JPB6WUvxr4g9EtUT9bgGBoFJiCJa+Xn`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Proforma Invoice·pdf.exe "C:\Users\test22\AppData\Local\Temp\Proforma Invoice·pdf.exe"
2504
- Proforma Invoice·pdf.exe "C:\Users\test22\AppData\Local\Temp\Proforma Invoice·pdf.exe"
  7140

Name	Response	Post-Analysis Lookup
edgedl.me.gvt1.com	A 34.104.35.123	34.104.35.123

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
34.104.35.123	Active	Moloch
63.141.228.141	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49811 -> 63.141.228.141:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49811 -> 63.141.228.141:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49812 -> 63.141.228.141:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49812 -> 63.141.228.141:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49808 -> 63.141.228.141:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49808 -> 63.141.228.141:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49811 -> 63.141.228.141:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49812 -> 63.141.228.141:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49811 -> 63.141.228.141:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.102:49812 -> 63.141.228.141:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49808 -> 63.141.228.141:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49808 -> 63.141.228.141:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 34.104.35.123:80 -> 192.168.56.102:49815	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 34.104.35.123:80 -> 192.168.56.102:49815	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 34.104.35.123:80 -> 192.168.56.102:49815	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49814 -> 172.217.174.195:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49816 -> 172.217.174.195:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49817 -> 172.217.174.195:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49814 172.217.174.195:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	0c:b8:82:34:93:46:2b:86:b2:28:eb:7c:42:37:d1:9c:24:93:05:62
TLS 1.2 192.168.56.102:49816 172.217.174.195:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	0c:b8:82:34:93:46:2b:86:b2:28:eb:7c:42:37:d1:9c:24:93:05:62
TLS 1.2 192.168.56.102:49817 172.217.174.195:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	0c:b8:82:34:93:46:2b:86:b2:28:eb:7c:42:37:d1:9c:24:93:05:62

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA June 9, 2021, 4:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 9, 2021, 4:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 4:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 4:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 4:20 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 9, 2021, 4:20 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 9, 2021, 4:20 p.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8a 0a 88 0c 17 42 4e 75 f7 5f 5e 5d c3 55 8b ec exception.instruction: mov cl, byte ptr [edx] exception.module: Proforma Invoice·pdf.exe exception.exception_code: 0xc0000005 exception.offset: 11073 exception.address: 0x402b41 registers.esp: 45088564 registers.edi: 35796470 registers.eax: 45088800 registers.ebp: 45088572 registers.edx: 9330688 registers.ebx: 45088800 registers.esi: 1007253352 registers.ecx: 105	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, HTTP version 1.0 used, Connection to IP address	suspicious_request	POST http://63.141.228.141/32.php/s396KA3xaZWY1
suspicious_features	POST method with no referer header	suspicious_request	POST https://update.googleapis.com/service/update2?cup2key=10:220834941&cup2hreq=821e0dc3f2f4acc54994383995b4c935d5c9e4e2e67bc15b9110c55ac7730735
suspicious_features	POST method with no referer header	suspicious_request	POST https://update.googleapis.com/service/update2

Performs some HTTP requests (5 events)

request	POST http://63.141.228.141/32.php/s396KA3xaZWY1
request	HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	GET http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	POST https://update.googleapis.com/service/update2?cup2key=10:220834941&cup2hreq=821e0dc3f2f4acc54994383995b4c935d5c9e4e2e67bc15b9110c55ac7730735
request	POST https://update.googleapis.com/service/update2

Sends data using the HTTP POST Method (3 events)

request	POST http://63.141.228.141/32.php/s396KA3xaZWY1
request	POST https://update.googleapis.com/service/update2?cup2key=10:220834941&cup2hreq=821e0dc3f2f4acc54994383995b4c935d5c9e4e2e67bc15b9110c55ac7730735
request	POST https://update.googleapis.com/service/update2

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory June 9, 2021, 4:20 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 9, 2021, 4:20 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 9, 2021, 4:20 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 9, 2021, 4:20 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 57073 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ac620 process_handle: 0xffffffff		3221225477

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW June 9, 2021, 4:20 p.m.	number_of_free_clusters: 3246347 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW June 9, 2021, 4:20 p.m.	number_of_free_clusters: 3246347 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nswFBFE.tmp\System.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nswFBFE.tmp\System.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW June 9, 2021, 4:20 p.m.	snapshot_handle: 0x000001f4 process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW June 9, 2021, 4:20 p.m.	snapshot_handle: 0x000001f4 process_name: mobsync.exe process_identifier: 3488	1	1
Process32NextW June 9, 2021, 4:20 p.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 6252	1	1
Process32NextW June 9, 2021, 4:20 p.m.	snapshot_handle: 0x000001f4 process_name: taskhost.exe process_identifier: 5308	1	1
Process32NextW June 9, 2021, 4:20 p.m.	snapshot_handle: 0x000001f4 process_name: cmd.exe process_identifier: 6668	1	1
Process32NextW June 9, 2021, 4:20 p.m.	snapshot_handle: 0x000001f4 process_name: conhost.exe process_identifier: 8356	1	1
Process32NextW June 9, 2021, 4:20 p.m.	snapshot_handle: 0x000001f4 process_name: Proforma Invoice·pdf.exe process_identifier: 2504	1	1
Process32NextW June 9, 2021, 4:20 p.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 3576	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 9, 2021, 4:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	63.141.228.141

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Bkav	W32.AIDetect.malware2
McAfee	Artemis!24DD4963D365
Cyren	W32/Ninjector.J.gen!Camelot
Symantec	Packed.Generic.609
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware
McAfee-GW-Edition	BehavesLike.Win32.Dropper.cc
FireEye	Generic.mg.24dd4963d365c334
Sophos	Mal/Generic-S
Microsoft	PWS:MSIL/Lokibot.GG!MTB
Cynet	Malicious (score: 100)
Cylance	Unsafe
Rising	Trojan.Injector/NSIS!1.D6F5 (CLASSIC)
SentinelOne	Static AI - Malicious PE
AVG	FileRepMalware

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2504 called NtSetContextThread to modify thread in remote process 7140
NtSetContextThread June 9, 2021, 4:20 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 7140	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Creates known Upatre files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\AppData\Local\Temp\Proforma Invoice·pdf.exe

Proforma Invoice·pdf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All