Summary | ZeroBOX

Svchost.exe

PE32 PE File
Category FILE
Machine s1_win7_x6401
Started Nov. 11, 2021, 12:31 p.m.
Completed Nov. 11, 2021, 12:48 p.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 954cb27a8b7a8022163bf0855e9dc1da
SHA256 cdb4e3529f2cc4a1c9be0fc3da007e011f2cdd275aca1c8639cd682c9116f8c3
CRC32 419C950D
ssdeep 24576:tOSb5hndv5nLTaxQzYO/McICSlKp3uJhcH1S60D2DU:hrdhf8KMc3McQW0TT
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
t.me 149.154.167.99
telegin.top
telegka.top
IP Address Status Action
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:60131 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.101:49169 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.101:49167 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.101:49173 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.101:49177 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.101:49175 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.101:49171 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

No Suricata TLS

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
domain telegin.top description Generic top level domain TLD
domain telegka.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 593920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 434176
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f21000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 106496
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f8b000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fa5000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fab000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
section .data (size_of_data 0x0008ce00, virtual_address 0x00094000, virtual_size 0x0008cc1c, entropy 7.999571373616528) description A section with a high entropy has been found
entropy 0.455353535354 description Overall entropy of this PE file is high
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Fragtor.31624
FireEye Generic.mg.954cb27a8b7a8022
Malwarebytes MachineLearning/Anomalous.100%
K7AntiVirus Trojan ( 0055037d1 )
K7GW Trojan ( 0055037d1 )
Cybereason malicious.7c5a8f
BitDefenderTheta Gen:NN.ZexaF.34266.nL0@aGDW4mki
Cyren W32/Stealer.M.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HNCG
Kaspersky VHO:Trojan-PSW.MSIL.Agent.gen
BitDefender Gen:Variant.Fragtor.31624
Avast Win32:PWSX-gen [Trj]
Ad-Aware Gen:Variant.Fragtor.31624
Emsisoft Gen:Variant.Fragtor.31624 (B)
VIPRE MultiPlug (v)
SentinelOne Static AI - Malicious PE
Sophos ML/PE-A
Ikarus Trojan.Win32.Krypt
Webroot W32.Trojan.Gen
Microsoft Trojan:Win32/Stealer.RPR!MTB
GData Gen:Variant.Fragtor.31624
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.BackDoor.R447594
ALYac Gen:Variant.Fragtor.31624
Cylance Unsafe
APEX Malicious
MAX malware (ai score=82)
Fortinet W32/Fragtor.3162!tr
AVG Win32:PWSX-gen [Trj]