Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 30, 2021, 6:57 p.m.	Aug. 30, 2021, 6:59 p.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`308da60a9996a07824a1a1ce3a994d05`
SHA256	`1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94`
CRC32	`71BE19D6`
ssdeep	`24576:pAT8QE+krxuiBQZ0pzvtIej9zXs3a/reJkSA3ZeoI5fiq3DMR9HC+QKHHIVqPJ7A:pAI+gV22RjuK/YtLeJQ4IVqPJ7uT`
Yara	PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

Setup2.exe "C:\Users\test22\AppData\Local\Temp\Setup2.exe"
620
- md8_8eus.exe "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
  2072
- inst1.exe "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
  1772
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
164.124.101.2	Active	Moloch
186.2.171.3	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49205 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49205 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 30, 2021, 6:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2021, 6:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2021, 6:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2021, 6:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2021, 6:57 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 30, 2021, 6:57 p.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	c:\program files (x86)\Google\Chrome\application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 30, 2021, 6:57 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 30, 2021, 6:57 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 c8 ef f0 exception.symbol: md8_8eus+0x9b82c exception.instruction: mov dword ptr [eax], ecx exception.module: md8_8eus.exe exception.exception_code: 0xc0000005 exception.offset: 636972 exception.address: 0x49b82c registers.esp: 1638276 registers.edi: 0 registers.eax: 0 registers.ebp: 1638292 registers.edx: 4831254 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://186.2.171.3/seemorebty/il.php?e=md8_8eus

Performs some HTTP requests (2 events)

request	GET http://186.2.171.3/seemorebty/il.php?e=md8_8eus
request	GET https://iplogger.org/ZhiS4

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 30, 2021, 6:57 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2021, 6:57 p.m.	process_identifier: 2072 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2021, 6:57 p.m.	process_identifier: 1772 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2021, 6:57 p.m.	process_identifier: 1772 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2021, 6:57 p.m.	process_identifier: 1772 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 30, 2021, 6:58 p.m.	total_number_of_free_bytes: 13722144768 free_bytes_available: 13722144768 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (4 events)

file	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
file	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
file	C:\Program Files (x86)\Company\NewProduct\inst1.exe
file	C:\Program Files (x86)\Company\NewProduct\cutm3.exe

Creates a shortcut to an executable file (11 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops a binary and executes it (3 events)

file	C:\Program Files (x86)\Company\NewProduct\cutm3.exe
file	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
file	C:\Program Files (x86)\Company\NewProduct\inst1.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 30, 2021, 6:57 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Company\NewProduct\cutm3.exe parameters: filepath: C:\Program Files (x86)\Company\NewProduct\cutm3.exe		0
ShellExecuteExW Aug. 30, 2021, 6:57 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe parameters: filepath: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	1	1
ShellExecuteExW Aug. 30, 2021, 6:57 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Company\NewProduct\inst1.exe parameters: filepath: C:\Program Files (x86)\Company\NewProduct\inst1.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 30, 2021, 6:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0
LookupPrivilegeValueW Aug. 30, 2021, 6:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

186.2.171.3

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Aug. 30, 2021, 6:57 p.m.	key_handle: 0x000004d4 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Lionic	Trojan.Win32.Upatre.a!c
Elastic	malicious (high confidence)
DrWeb	Trojan.MulDrop16.31196
MicroWorld-eScan	Trojan.GenericKD.37502524
FireEye	Trojan.GenericKD.37502524
McAfee	Artemis!308DA60A9996
Cylance	Unsafe
Sangfor	Trojan.Win32.Upatre.izhi
K7AntiVirus	Password-Stealer ( 005760bf1 )
Alibaba	TrojanDownloader:Win32/Upatre.1085f083
K7GW	Password-Stealer ( 005760bf1 )
Arcabit	Trojan.Mikey.D1EF45
BitDefenderTheta	Gen:NN.ZexaF.34110.5iWaaK94sCpb
Cyren	W64/Upatre.MT.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Kaspersky	Trojan-Downloader.Win32.Upatre.izhi
BitDefender	Trojan.GenericKD.37502524
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
SUPERAntiSpyware	Trojan.Agent/Gen-Dropper
Avast	Win64:Malware-gen
Ad-Aware	Trojan.GenericKD.37502524
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
Emsisoft	Trojan.GenericKD.37502524 (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanDownloader.Upatre.ancr
Webroot	W32.Trojan.Gen
Avira	TR/Dldr.Agent.vkaxa
MAX	malware (ai score=86)
Antiy-AVL	Trojan/Generic.ASMalwS.347D6EF
Gridinsoft	Trojan.Win32.CoinMiner.vb!s8
Microsoft	TrojanDownloader:Win32/Upatre!MSR
GData	Win32.Trojan-Stealer.Predator.O7N5IO
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win.Generic.C4613211
ALYac	Gen:Variant.Zusy.397443
Tencent	Win32.Trojan-downloader.Upatre.Lhxd
Yandex	Trojan.Blocker!OH3Aj8L7MuI
Ikarus	Trojan.Win32.Crypt
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/multiple_detections
AVG	Win64:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_70% (W)
MaxSecure	Trojan-Ransom.Win32.Crypmod.zfq

Setup2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All