Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 3, 2021, 6:24 p.m.	July 3, 2021, 6:29 p.m.

Size	107.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9ef7986267bda788fec22557df41e6f1`
SHA256	`5edf36f66a907a94f784312aba40f5090418e4a1b404d53d88965ad11fdeec20`
CRC32	`C72FC31A`
ssdeep	`3072:z2kNdv6G5BHlLjBRQHiabSttu1wY/q8qhcLskyh7ppkCvPx3:KkN/jF+HbfwY/k7kq53`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

preloader.exe "C:\Users\test22\AppData\Local\Temp\preloader.exe"
2648
- app.exe "app.exe" (null)
  1396

Name	Response	Post-Analysis Lookup
fikerty.info	A 172.67.202.130 A 104.21.76.249	104.21.76.249
touchook.info	A 172.67.145.198 A 104.21.63.133	172.67.145.198
fackerty.info	A 172.67.155.53 A 104.21.89.3	104.21.89.3

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.145.198	Active	Moloch
172.67.155.53	Active	Moloch
172.67.202.130	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 172.67.155.53:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 172.67.145.198:80	2007837	ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)	A Network Trojan was detected
TCP 192.168.56.101:49200 -> 172.67.202.130:80	2007837	ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)	A Network Trojan was detected
TCP 192.168.56.101:49200 -> 172.67.202.130:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49199 -> 172.67.145.198:80	2007837	ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)	A Network Trojan was detected
TCP 192.168.56.101:49199 -> 172.67.145.198:80	2007837	ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49203 172.67.155.53:443	C=US, O=Let's Encrypt, CN=R3	CN=*.fackerty.info	bf:19:31:33:38:10:41:9d:0e:a5:85:db:79:b1:e5:0d:b9:03:12:33

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://touchook.info/

Performs some HTTP requests (3 events)

request	POST http://touchook.info/
request	GET http://fikerty.info/app.exe
request	GET https://fackerty.info/app.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://touchook.info/

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 3, 2021, 6:25 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4440064 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01110000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 3, 2021, 6:25 p.m.	process_identifier: 1396 region_size: 9592832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\app.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\app.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 3, 2021, 6:25 p.m.	thread_identifier: 2276 thread_handle: 0x00000298 process_identifier: 1396 current_directory: filepath: track: 1 command_line: "app.exe" (null) filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000004b0	1	1	0

An executable file was downloaded by the process preloader.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 3, 2021, 6:24 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $À;.Z@_Z@_Z@_Õ_Z@_Ã_ïZ@_£;_Z@_ZA_îZ@_Ä_ªZ@_Ò_Z@_Ô_Z@_Ñ_Z@_RichZ@_PELW¤ò_à ¶DøfDÐD@B³FÀÄD`Ô¼D<0` G0F(°¼°d.text µD¶D `.dataè[ÐDÚºD@À.rsrc w30`HE@@.reloc&S°TÜE@BÐ¿D¾D´¾DÊ¾DØ¾Dæ¾Dö¾D¾D¿D.¿D<¿DF¿DV¿Dj¿Dz¿D¿D¿D°¿D¿Dt¾Dî¿DÀDÀD2ÀDPÀDdÀDvÀDÀDÀD ÀD¬ÀD¾ÀDÊÀDÞÀDðÀDþÀD ÁDÁD"ÁD:ÁDJÁD`ÁDxÁDÁDÁD¨ÁDºÁDÒÁDäÁDüÁDÂD"ÂD0ÂD@ÂDHÂDVÂDbÂDxÂDÂD¨ÂDÂÂDÔÂDîÂDþÂDÃD.ÃD:ÃDFÃDXÃDdÃDÃDÃD²ÃDÈÃDØÃDêÃDüÃDÄDÄD.ÄD>ÄDPÄDdÄDrÄDÄDÄD¨ÄDÄ$ù6Gr¨}h±ª7t Þ`D, bad allocation000gowagikutapojixelunizegusaÜ,@«çg\-@;ö-ö¨-@~ø-övector<T> too longbad allocationø-@¿-östring too longinvalid string positionH.@tgUnknown exception\.@¥csmà EncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAlloc'¤.@¨%gbad exception(null)(null)EEE50P( 8PX700WP `h````xpxxxxCorExitProcessmscoree.dllruntime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point support not loaded Microsoft Visual C++ Runtime Library ...<program name unknown>Runtime Error! Program: ÀÀÀÀÀÀÀÀÀÀèu@v Complete Object Locator' Class Hierarchy Descriptor' Base Class Array' Base Class Descriptor at ( Type Descriptor'`local static thread guard'`managed vector copy constructor iterator'`vector vbase copy constructor iterator'`vector copy constructor iterator'`dynamic atexit destructor for '`dynamic initializer for '`eh vector vbase copy constructor iterator'`eh vector copy constructor iterator'`managed vector destructor itera request_handle: 0x00cc000c	1	1	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Trojan.Heur.JP.guW@aKTiSUoi
ALYac	Gen:Trojan.Heur.JP.guW@aKTiSUoi
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanDownloader:Win32/Generic.39437262
Cybereason	malicious.267bda
Arcabit	Trojan.Heur.JP.EF3E30
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.Win32.Generic
BitDefender	Gen:Trojan.Heur.JP.guW@aKTiSUoi
Avast	Win32:Malware-gen
Ad-Aware	Gen:Trojan.Heur.JP.guW@aKTiSUoi
F-Secure	Heuristic.HEUR/AGEN.1133069
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.9ef7986267bda788
Emsisoft	Gen:Trojan.Heur.JP.guW@aKTiSUoi (B)
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1133069
Microsoft	Trojan:Win32/Wacatac.B!ml
AegisLab	Trojan.Win32.Generic.a!c
GData	Gen:Trojan.Heur.JP.guW@aKTiSUoi
Cynet	Malicious (score: 100)
McAfee	Artemis!9EF7986267BD
MAX	malware (ai score=89)
VBA32	suspected of Trojan.Downloader.gen
TrendMicro-HouseCall	TROJ_GEN.R002H09G221
Fortinet	W32/PossibleThreat
BitDefenderTheta	AI:Packer.C502AA2A1F
AVG	Win32:Malware-gen
CrowdStrike	win/malicious_confidence_90% (W)

preloader.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All