Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 23, 2021, 11:52 a.m.	Aug. 23, 2021, 12:10 p.m.

Size	908.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4338aca68fbaab846ec6345a7b85c15c`
SHA256	`11f6a46954cdec78fec52771521926ff6917af81f79e3dc1198a38571b7d7519`
CRC32	`04AD35A0`
ssdeep	`12288:8GBapj1mg3ShbnM19hbLgBN0gj6rIU4zcSo6nVwxZzrSYf3ifItMI5WF9:8GUmgShbnM19hlw3HpyVfTt/5e`
Yara	PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

credit.exe "C:\Users\test22\AppData\Local\Temp\credit.exe"
2204

Name	Response	Post-Analysis Lookup
login.live.com	A 40.126.52.0 A 40.126.52.148 A 40.126.52.1 A 40.126.52.147 A 40.126.52.2 A 40.126.52.146 A 40.126.52.3 CNAME www.tm.a.prd.aadg.trafficmanager.net A 40.126.52.150 CNAME login.msa.msidentity.com CNAME www.tm.lg.prod.aadmsa.trafficmanager.net CNAME prda.aadg.msidentity.com	40.126.35.129
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13

IP Address	Status	Action
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch
40.126.52.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 40.126.52.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 40.126.52.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49164 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=onedrive.com	24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de
TLSv1 192.168.56.102:49166 40.126.52.1:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net	8d:57:81:3d:a5:f9:5a:59:21:fc:ae:40:ba:24:63:b8:aa:6a:cd:d0
TLSv1 192.168.56.102:49165 40.126.52.1:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net	8d:57:81:3d:a5:f9:5a:59:21:fc:ae:40:ba:24:63:b8:aa:6a:cd:d0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 23, 2021, 11:52 a.m.	stacktrace: 0x8341d2 0x834260 DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x73663af0 timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x7366a535 timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x7366a434 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 40 50 50 6a 00 e8 c4 2d ff ff a3 94 68 83 00 exception.instruction: mov eax, dword ptr [eax + 0x50] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x833751 registers.esp: 37355024 registers.edi: 8612008 registers.eax: 275219519 registers.ebp: 37355076 registers.edx: 0 registers.ebx: 8752968 registers.esi: 8612004 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 23, 2021, 11:52 a.m.

stacktrace:

0x8341d2
0x834260
DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x73663af0
timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x7366a535
timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x7366a434
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 8b 40 50 50 6a 00 e8 c4 2d ff ff a3 94 68 83 00
exception.instruction: mov eax, dword ptr [eax + 0x50]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x833751
registers.esp: 37355024
registers.edi: 8612008
registers.eax: 275219519
registers.ebp: 37355076
registers.edx: 0
registers.ebx: 8752968
registers.esi: 8612004
registers.ecx: 0

Performs some HTTP requests (2 events)

request	GET https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21129&authkey=ALgOfs5uX8ML6NU
request	GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1629687681&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DD6676A9A61E841F3%26resid%3DD6676A9A61E841F3%2521129%26authkey%3DALgOfs5uX8ML6NU&lc=1033&id=250206&cbcxt=sky&cbcxt=sky

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 23, 2021, 11:52 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 23, 2021, 11:52 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 23, 2021, 11:52 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00821000 process_handle: 0xffffffff	1	0	0

Network activity contains more than one unique useragent (2 events)

process	credit.exe				useragent	zipo
process	credit.exe				useragent	aswe

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Cylance	Unsafe
Sangfor	Riskware.Win32.Agent.ky
Alibaba	Trojan:Win32/Fareit.0af09ff6
CrowdStrike	win/malicious_confidence_60% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FJHZ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.46838012
MicroWorld-eScan	Trojan.GenericKD.46838012
Avast	Win32:Malware-gen
Ad-Aware	Trojan.GenericKD.46838012
Sophos	Mal/Generic-S
DrWeb	Trojan.DownLoader41.4140
McAfee-GW-Edition	Fareit-FCVN!4338ACA68FBA
FireEye	Generic.mg.4338aca68fbaab84
Emsisoft	Trojan.GenericKD.46838012 (B)
Ikarus	Trojan.Inject
GData	Trojan.GenericKD.46838012
Webroot	W32.Trojan.Gen
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.oa!s1
Microsoft	Trojan:Script/Phonzy.C!ml
McAfee	Fareit-FCVN!4338ACA68FBA
TrendMicro-HouseCall	TROJ_GEN.R002H06HK21
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_71%
Fortinet	W32/GenKryptik.FIVH!tr
BitDefenderTheta	Gen:NN.ZelphiCO.34088.4GX@a0xg3Kpi
AVG	Win32:Malware-gen

credit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All