Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 27, 2021, 8:15 a.m.	Sept. 27, 2021, 8:17 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6a46023492d437f7a9ef76a8a9b38684`
SHA256	`5692034f83380042a7ff741622d94271dc540d2d4b0a46f5aafc05498225f5a6`
CRC32	`7EAD0A55`
ssdeep	`12288:Vv0OyFHg9rfrZ89rOYrOOo119uYd4J9A3i/OVFrPf2VQpz6TWXPL4ZavQAOy9A+9:hXyFHKrfl89qXC4YODrXzzCWXz4Y5A+`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

27.exe "C:\Users\test22\AppData\Local\Temp\27.exe"
2140

Name	Response	Post-Analysis Lookup
telete.in	A 178.20.158.28	178.20.158.28

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.20.158.28	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49169 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49173 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49172 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49179 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49163 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49176 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49181 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49184 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49175 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49168 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49183 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49182 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49185 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49177 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49171 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49170 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 178.20.158.28:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 27, 2021, 8:15 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 2140 region_size: 913408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 913408 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	Artemis!6A46023492D4
Malwarebytes	Malware.AI.662758648
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanPSW:Win32/Racealer.e17603db
K7GW	Trojan ( 00585f691 )
K7AntiVirus	Trojan ( 00585f691 )
Arcabit	Trojan.Generic.D2CD777D
ESET-NOD32	a variant of Win32/Kryptik.HMPI
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-PSW.Win32.Racealer.maj
BitDefender	Trojan.GenericKD.47019901
MicroWorld-eScan	Trojan.GenericKD.37661855
Avast	Win32:PWSX-gen [Trj]
Tencent	Win32.Trojan-qqpass.Qqrob.Wozu
Ad-Aware	Trojan.GenericKD.47019901
Sophos	Mal/EncPk-APW
McAfee-GW-Edition	BehavesLike.Win32.Generic.tm
FireEye	Generic.mg.6a46023492d437f7
Emsisoft	Trojan.GenericKD.47019901 (B)
Ikarus	Trojan.Win32.Crypt
Avira	TR/AD.StellarStealer.ozgjl
MAX	malware (ai score=82)
Kingsoft	Win32.PSWTroj.Racealer.m.(kcloud)
Microsoft	Trojan:Script/Phonzy.A!ml
GData	Trojan.GenericKD.37661855
Acronis	suspicious
ALYac	Trojan.GenericKD.47019901
Cylance	Unsafe
Zoner	Probably Heur.ExeHeaderH
TrendMicro-HouseCall	TrojanSpy.Win32.RACEALER.USMANIQ21
Rising	Trojan.Generic@ML.93 (RDML:D6xdNjvSCM6dWFKj45HVjw)
Yandex	Trojan.PWS.Racealer!m6ziQ7epDjk
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Kryptik.HMLF!tr
BitDefenderTheta	Gen:NN.ZexaF.34170.bLW@aiu8syii
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/CI.A
MaxSecure	Trojan.Malware.121218.susgen

27.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All