Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 26, 2021, 1:38 p.m.	Oct. 26, 2021, 1:41 p.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5	`77294635b863561ecd6267711c5222a2`
SHA256	`b1dd835c2d5caae422469d55c05823f95f649829db8ed2dddc3a4f3e5a228b28`
CRC32	`3DBD2442`
ssdeep	`49152:ASXSNLA7IvAVurnKd1MZLGSUs0f/i+94vR0NN:ASD0YVurnKd1MZrUHfK+UR`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

note866.exe "C:\Users\test22\AppData\Local\Temp\note866.exe"
1608

Name	Response	Post-Analysis Lookup
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
164.124.101.2	Active	Moloch
186.2.171.3	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 26, 2021, 1:38 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

PECompact 2.xx --> BitSum Technologies

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	PNG
resource name	STYLE_XML
resource name	None

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 26, 2021, 1:38 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 6c ee 7e exception.symbol: note866+0x1016 exception.instruction: mov dword ptr [eax], ecx exception.module: note866.exe exception.exception_code: 0xc0000005 exception.offset: 4118 exception.address: 0x401016 registers.esp: 1638276 registers.edi: 0 registers.eax: 0 registers.ebp: 1638292 registers.edx: 4198400 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://186.2.171.3/seemorebty/il.php?e=note866

Performs some HTTP requests (2 events)

request	GET http://186.2.171.3/seemorebty/il.php?e=note866
request	GET https://iplogger.org/ZdUWq

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 26, 2021, 1:38 p.m.	process_identifier: 1608 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Foreign language identified in PE resource (50 out of 747 events)

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004d03c0

size

0x00001623

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001e3200', u'virtual_address': u'0x00001000', u'entropy': 7.999905905334937, u'name': u'.text', u'virtual_size': u'0x0053b000'}

entropy

7.99990590533

description

A section with a high entropy has been found

entropy

0.922874880611

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

186.2.171.3

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 26, 2021, 1:38 p.m.	key_handle: 0x00000510 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.Win32.Passteal.7!c
MicroWorld-eScan	Trojan.GenericKD.37863841
FireEye	Trojan.GenericKD.37863841
McAfee	Artemis!77294635B863
Cylance	Unsafe
Sangfor	Trojan.Win32.Passteal.qe
K7AntiVirus	Password-Stealer ( 0055912f1 )
Alibaba	TrojanPSW:Win32/Generic.7673b671
K7GW	Password-Stealer ( 0055912f1 )
Cybereason	malicious.8eefac
Cyren	W32/Agent.DRF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/PSW.Agent.OHG
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-Banker.Win32.Passteal.qe
BitDefender	Trojan.GenericKD.37863841
Ad-Aware	Trojan.GenericKD.37863841
Sophos	Mal/Generic-S
DrWeb	Trojan.DownLoader43.54254
McAfee-GW-Edition	BehavesLike.Win32.Trojan.vc
Emsisoft	Trojan.GenericKD.37863841 (B)
MAX	malware (ai score=84)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Gridinsoft	Trojan.Win32.Agent.ns
Arcabit	Trojan.Generic.D241C275
GData	Trojan.GenericKD.37863841
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R445505
BitDefenderTheta	Gen:NN.ZexaF.34236.ck0aaSLsSZl
ALYac	Trojan.GenericKD.37863841
Malwarebytes	Spyware.PasswordStealer
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R002H0DJO21
Fortinet	W32/Agent.OLG!tr.pws
AVG	Win32:PWSX-gen [Trj]
Avast	Win32:PWSX-gen [Trj]

note866.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All