Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 15, 2021, 9:21 p.m.	June 15, 2021, 9:27 p.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`793707365df26450bc8642f518a540f0`
SHA256	`7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217`
CRC32	`281E8546`
ssdeep	`24576:8Ec46GnhPe4h/N5m8loOoYJ/HRz1IgRizQJYiEH0YSXHZTNbf86:8EBQ2xrVEcXfbf86`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

imagen01.jpg "C:\Users\test22\AppData\Local\Temp\imagen01.jpg"
2416
- ipconfig.exe "C:\Windows\system32\ipconfig.exe"
  2276
  - cmd.exe "C:\Users\test22\AppData\Local\Temp\cmd.exe"
    1632
    - GetX64BTIT.exe "C:\Users\test22\AppData\Local\Temp\GetX64BTIT.exe"
      1108
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
i.imgur.com	A 151.101.40.193 CNAME ipv4.imgur.map.fastly.net	151.101.52.193

IP Address	Status	Action
151.101.40.193	Active	Moloch
164.124.101.2	Active	Moloch
193.23.244.244	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 193.23.244.244:80 -> 192.168.56.101:49206	2522324	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 325	Misc Attack
TCP 192.168.56.101:49202 -> 151.101.40.193:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 151.101.40.193:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 193.23.244.244:80	2028914	ET POLICY TOR Consensus Data Requested	Potential Corporate Privacy Violation
TCP 192.168.56.101:49206 -> 193.23.244.244:80	2221033	SURICATA HTTP Request abnormal Content-Encoding header	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49202 151.101.40.193:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com	f4:34:6e:0c:34:5f:9f:d4:b5:ef:1c:cf:a5:e9:c1:67:1b:65:2a:a7
TLSv1 192.168.56.101:49203 151.101.40.193:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com	f4:34:6e:0c:34:5f:9f:d4:b5:ef:1c:cf:a5:e9:c1:67:1b:65:2a:a7

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, HTTP version 1.0 used, Connection to IP address				suspicious_request	GET http://193.23.244.244/tor/status-vote/current/consensus
suspicious_features	GET method with no useragent header				suspicious_request	GET https://i.imgur.com/qOLD3Td.png

Performs some HTTP requests (3 events)

request	GET http://193.23.244.244/tor/status-vote/current/consensus
request	HEAD https://i.imgur.com/qOLD3Td.png
request	GET https://i.imgur.com/qOLD3Td.png

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 15, 2021, 9:21 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:21 p.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d12000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 9:21 p.m.	process_identifier: 2416 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 15, 2021, 9:22 p.m.	total_number_of_free_bytes: 13722681344 free_bytes_available: 13722681344 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvp.lnk

Creates a suspicious process (1 event)

cmdline

C:\Users\test22\AppData\Local\Temp\cmd.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\GetX64BTIT.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 15, 2021, 9:22 p.m.	snapshot_handle: 0x00000280 process_name: taskhost.exe process_identifier: 2984	1	1	0
Process32NextW June 15, 2021, 9:22 p.m.	snapshot_handle: 0x00000280 process_name: cmd.exe process_identifier: 1632	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000f800', u'virtual_address': u'0x0012f000', u'entropy': 6.873823789889154, u'name': u'.data', u'virtual_size': u'0x00014000'}

entropy

6.87382378989

description

A section with a high entropy has been found

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\System32\ipconfig.exe

Communicates with host for which no DNS query was performed (1 event)

host

193.23.244.244

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\GetX64BTIT.exe

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA June 15, 2021, 9:22 p.m.	thread_identifier: 0 callback_function: 0x0042625e hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	6685413	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

MicroWorld-eScan	Trojan.GenericKD.34502366
FireEye	Trojan.GenericKD.34502366
CAT-QuickHeal	Trojan.Shellcode
ALYac	Trojan.GenericKD.34502366
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Exploit:Win32/Shellcode.e6e9e737
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D20E76DE
Invincea	Mal/Generic-S
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Exploit.Win32.Shellcode.ttk
BitDefender	Trojan.GenericKD.34502366
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKD.34502366
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.NsisInject.odady
DrWeb	BackDoor.Rat.281
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R069C0WIC20
McAfee-GW-Edition	Artemis!Trojan
MaxSecure	Trojan.Malware.106434902.susgen
Emsisoft	Trojan.GenericKD.34502366 (B)
Avira	TR/AD.NsisInject.odady
Microsoft	Trojan:Win32/Tiggre!rfn
AegisLab	Hacktool.Win32.Shellcode.3!c
ZoneAlarm	Exploit.Win32.Shellcode.ttk
GData	Trojan.GenericKD.34502366
Cynet	Malicious (score: 85)
McAfee	Artemis!793707365DF2
MAX	malware (ai score=83)
VBA32	Malware-Cryptor.Limpopo
ESET-NOD32	Win32/Spy.Kronosbot.A
TrendMicro-HouseCall	TROJ_GEN.R069C0WIC20
Rising	Backdoor.Konus!8.AC8 (TFE:6:G4wbRRZm8RN)
Ikarus	Trojan.NsisInject
Fortinet	W32/Rugmi.FAH!tr.dldr
AVG	Win32:Malware-gen
Panda	Trj/GdSda.A
Qihoo-360	Generic/Trojan.f93

imagen01.jpg

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All