Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 1, 2021, 11:31 a.m.	Nov. 1, 2021, 11:40 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4e79889f1ed630cc252814f471454f0d`
SHA256	`fe9c234f50ce222b6c197cc6b9950ac57f0c1f016bf689bbbae12e095da36b09`
CRC32	`72A1D19B`
ssdeep	`24576:5EQ8J0nvh49ggaax8nWGbwKQ6imFUG6MMtW3pYJMXRI3D8r/Ce:5dvgu0mFUG67gMMuD8Oe`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

FastPC.exe "C:\Users\test22\AppData\Local\Temp\FastPC.exe"
2648

Name	Response	Post-Analysis Lookup
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
164.124.101.2	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49201 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49201 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 1, 2021, 11:32 a.m.	stacktrace: exception.instruction_r: 8a 09 8b 7c 24 34 8b 6c 24 48 8d 64 24 00 55 8b exception.symbol: fastpc+0x78142 exception.instruction: mov cl, byte ptr [ecx] exception.module: FastPC.exe exception.exception_code: 0xc0000005 exception.offset: 491842 exception.address: 0x478142 registers.esp: 70646716 registers.edi: 10038368 registers.eax: 172458218 registers.ebp: 4194304 registers.edx: 20971520 registers.ebx: 2727465170 registers.esi: 70646732 registers.ecx: 2	1	0	0

Performs some HTTP requests (1 event)

request

GET https://iplogger.org/1rE4g7

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2021, 11:31 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 11:31 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 11:32 a.m.	process_identifier: 2648 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 11:32 a.m.	process_identifier: 2648 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 11:32 a.m.	process_identifier: 2648 region_size: 872448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 11:32 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 888832 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 1, 2021, 11:32 a.m.	show_type: 0 filepath_r: ttttttttttt parameters: filepath: ttttttttttt		0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00106000', u'virtual_address': u'0x00084000', u'entropy': 6.828984660651823, u'name': u'.rsrc', u'virtual_size': u'0x00106000'}

entropy

6.82898466065

description

A section with a high entropy has been found

entropy

0.674822923374

description

Overall entropy of this PE file is high

Generates some ICMP traffic

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37907719
FireEye	Generic.mg.4e79889f1ed630cc
McAfee	Artemis!4E79889F1ED6
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00589b521 )
K7GW	Trojan ( 00589b521 )
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.Generic.D2426D07
BitDefenderTheta	Gen:NN.ZelphiF.34236.HHW@ayH5UUfi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FMVR
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Chapak.gen
BitDefender	Trojan.GenericKD.37907719
Avast	Win32:Trojan-gen
Ad-Aware	Trojan.GenericKD.37907719
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.GenSteal.whlgd
McAfee-GW-Edition	BehavesLike.Win32.Dropper.th
Emsisoft	Trojan.GenericKD.37907719 (B)
SentinelOne	Static AI - Malicious PE
Avira	TR/AD.GenSteal.whlgd
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Chapak.gen
GData	Trojan.GenericKD.37907719
Cynet	Malicious (score: 100)
VBA32	BScope.Trojan.Sabsik.FL
ALYac	Trojan.GenericKD.37907719
Rising	Trojan.Generic@ML.92 (RDML:PtiMUaV9Eh8cT9hyJTScyQ)
Ikarus	Trojan.Win32.Injector
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Injector.EQGY!tr
AVG	Win32:Trojan-gen
Cybereason	malicious.b01825
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

FastPC.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All