Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 15, 2021, 5:59 p.m.	Oct. 15, 2021, 6:06 p.m.

Size	3.3MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`6084bf88a6d2c70c894614fc762244de`
SHA256	`cb425063656b52bde063c94fafc99bb8c25eb6ee30a416bf2566b377b6072b62`
CRC32	`DB5B8C13`
ssdeep	`49152:+LTWSBKkKYizmb9kP2UuOWCoHXcsZaCqaPwe9m9BaH0T1LZA5H:iTWSBKkKYizmb62j5jm9wcqB`
Yara	Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware Malicious_Library_Zero - Malicious_Library

1soft.exe "C:\Users\test22\AppData\Local\Temp\1soft.exe"
872

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.108.133
sanctam.net
github.com	A 15.164.81.167	52.78.231.108

IP Address	Status	Action
15.164.81.167	Active	Moloch
164.124.101.2	Active	Moloch
185.199.110.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49201 -> 185.199.110.133:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 15.164.81.167:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49201 185.199.110.133:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com	70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7
TLS 1.2 192.168.56.101:49200 15.164.81.167:443	C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

\xea\x99\xb0\xea\x99\xb0\xea\x99

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	MUI
resource name	TYPELIB

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://github.com/UnamSanctam/SilentETHMiner/raw/master/SilentETHMiner/Resources/ethminer.zip
suspicious_features	GET method with no useragent header				suspicious_request	GET https://raw.githubusercontent.com/UnamSanctam/SilentETHMiner/master/SilentETHMiner/Resources/ethminer.zip

Performs some HTTP requests (2 events)

request	GET https://github.com/UnamSanctam/SilentETHMiner/raw/master/SilentETHMiner/Resources/ethminer.zip
request	GET https://raw.githubusercontent.com/UnamSanctam/SilentETHMiner/master/SilentETHMiner/Resources/ethminer.zip

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x002ff200', u'virtual_address': u'0x0017e000', u'entropy': 7.74348936848591, u'name': u'\\xea\\x99\\xb0\\xea\\x99\\xb0\\xea\\x99', u'virtual_size': u'0x002ff0e8'}

entropy

7.74348936849

description

A section with a high entropy has been found

entropy

0.909454653231

description

Overall entropy of this PE file is high

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 15, 2021, 5:52 p.m.	process_identifier: 2228 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000044	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 872 manipulating memory of non-child process 2228
NtAllocateVirtualMemory Oct. 15, 2021, 5:52 p.m.	process_identifier: 2228 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000044	1	0	0

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Autoruns.GenericKDS.37803180
McAfee	Artemis!6084BF88A6D2
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_80% (W)
Arcabit	Trojan.Autoruns.GenericS.D240D4AC
ESET-NOD32	a variant of Win32/GenCBL.AZL
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win64.Donut.bvx
BitDefender	Trojan.Autoruns.GenericKDS.37803180
Avast	Win64:MdeClass
Ad-Aware	Trojan.Autoruns.GenericKDS.37803180
Emsisoft	Trojan.Autoruns.GenericKDS.37803180 (B)
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.6084bf88a6d2c70c
Sophos	Mal/Generic-R
Gridinsoft	Trojan.Win64.Sabsik.vb
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	Trojan.Win64.Donut.bvx
GData	MSIL.Malware.Coinminer.15OWS9
Cynet	Malicious (score: 100)
MAX	malware (ai score=89)
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat.MU
AVG	Win64:MdeClass

1soft.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All