Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 22, 2021, 9:44 a.m.	Sept. 22, 2021, 9:47 a.m.

Size	565.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c7be1b666b8ec3b2a43bb1713fba6fdd`
SHA256	`79b016ce5731ed6ba8a2f570c5d32b69f3ba9e6b6624e95e219df4a1626e67f8`
CRC32	`30FF8097`
ssdeep	`12288:jh/yDN787IPelHo8BM2rMayvaD7Jz52548cRWipfx8BjaM3bG7nU:d28y2rMDaD7j2581k3ijU`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

1115744375.exe "C:\Users\test22\AppData\Local\Temp\1115744375.exe"
1760

Name	Response	Post-Analysis Lookup
telete.in	A 195.201.225.248	195.201.225.248

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.163.45.42	Active	Moloch
195.201.225.248	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 195.201.225.248:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49163 195.201.225.248:443	C=US, O=Let's Encrypt, CN=R3	CN=telecut.in	be:a6:3d:e8:93:c3:13:0b:5f:1d:3a:f7:63:57:4c:39:0e:96:df:5e

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 22, 2021, 9:44 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://185.163.45.42/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://telete.in/vvhotsummer

Performs some HTTP requests (2 events)

request	POST http://185.163.45.42/
request	GET https://telete.in/vvhotsummer

Sends data using the HTTP POST Method (1 event)

request

POST http://185.163.45.42/

Communicates with host for which no DNS query was performed (1 event)

host

185.163.45.42

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Racealer.i!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46951398
FireEye	Generic.mg.c7be1b666b8ec3b2
ALYac	Trojan.GenericKD.46951398
Cylance	Unsafe
Zillya	Trojan.Racealer.Win32.2066
K7AntiVirus	Spyware ( 005768171 )
Alibaba	TrojanPSW:Win32/Racealer.39be2a57
K7GW	Spyware ( 005768171 )
Cybereason	malicious.66b8ec
BitDefenderTheta	Gen:NN.ZexaF.34170.JqW@aWi7jFl
Cyren	W32/Trojan.ITNZ-1654
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Spy.Raccoon.A
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Raccoon-9892387-1
Kaspersky	HEUR:Trojan-PSW.Win32.Racealer.gen
BitDefender	Trojan.GenericKD.46951398
NANO-Antivirus	Trojan.Win32.Racealer.janrll
Avast	Win32:MalwareX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10cece8f
Ad-Aware	Trojan.GenericKD.46951398
TACHYON	Trojan-PWS/W32.Racealer.579072
Sophos	Mal/Generic-S
DrWeb	Trojan.DownLoader41.22265
McAfee-GW-Edition	GenericRXMR-YQ!C7BE1B666B8E
Emsisoft	Trojan-Spy.Raccoon (A)
Ikarus	Trojan-Spy.Racoon
Jiangmin	Trojan.PSW.Racealer.dce
eGambit	Unsafe.AI_Score_99%
Avira	TR/AD.StellarStealer.jnxyo
Antiy-AVL	Trojan/Generic.ASMalwS.3475F0C
Gridinsoft	Spy.Win32.Keylogger.oa!s1
Microsoft	Trojan:Win32/Tnega!ml
GData	Trojan.GenericKD.46951398
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.YQ.C4604675
McAfee	GenericRXMR-YQ!C7BE1B666B8E
MAX	malware (ai score=82)
VBA32	BScope.TrojanSpy.MSIL.Stealer
Malwarebytes	Spyware.RaccoonStealer
TrendMicro-HouseCall	TROJ_GEN.R067C0PIH21
Rising	Stealer.Raccoon!1.D913 (CLASSIC)
Yandex	TrojanSpy.Raccoon!44EKjHk/UUM
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.74481986.susgen
Fortinet	W32/Raccoon.A!tr

1115744375.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All