Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 18, 2021, 12:53 p.m.	Nov. 18, 2021, 12:53 p.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`568e1204996456984c05f12de9201168`
SHA256	`02f992c886f423ef0a2fb16bfbb31ae66309a6206baab5beb1d379891664e4cd`
CRC32	`7DD3DAB8`
ssdeep	`24576:44P0tnXo1pxRBlH56KNo37ig2OxyFrtRt1VnUtRJaPWHX0H/:3stnXo1pxRB/6KNo3OtOxyFZ1VUtXaPp`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

octafx4setup.exe "C:\Users\test22\AppData\Local\Temp\octafx4setup.exe"
2796

Name	Response	Post-Analysis Lookup
download.mql5.com	A 27.111.161.152	27.111.161.152
content.mql5.com	A 27.111.161.150	27.111.161.150
api9.mql5.net	A 147.75.92.40	147.75.92.40
api14.mql5.net	A 0.0.0.0	0.0.0.0
crt.usertrust.com	A 91.199.212.52 CNAME crt.comodoca.com	91.199.212.52

IP Address	Status	Action
102.68.85.100	Active	Moloch
103.26.205.122	Active	Moloch
117.20.41.198	Active	Moloch
142.215.208.235	Active	Moloch
147.139.41.121	Active	Moloch
147.75.48.214	Active	Moloch
147.75.92.40	Active	Moloch
156.38.206.18	Active	Moloch
156.38.206.21	Active	Moloch
164.124.101.2	Active	Moloch
177.154.156.125	Active	Moloch
195.201.80.82	Active	Moloch
27.111.161.150	Active	Moloch
27.111.161.152	Active	Moloch
47.74.84.54	Active	Moloch
47.91.24.164	Active	Moloch
78.140.180.43	Active	Moloch
88.212.232.132	Active	Moloch
91.199.212.52	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49223 -> 78.140.180.43:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 27.111.161.152:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 117.20.41.198:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49233 -> 102.68.85.100:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49231 -> 195.201.80.82:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49248 -> 147.75.92.40:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49245 -> 147.75.48.214:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49234 -> 27.111.161.152:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49240 -> 147.75.92.40:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49228 -> 142.215.208.235:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 88.212.232.132:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49244 -> 103.26.205.122:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49251 -> 147.75.92.40:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49247 -> 156.38.206.18:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49232 -> 177.154.156.125:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49223 78.140.180.43:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49170 27.111.161.152:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.com	11:c6:6f:e9:03:73:a1:89:6a:e8:05:1b:7a:8a:e2:f6:bc:94:09:61
TLS 1.2 192.168.56.101:49224 117.20.41.198:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49233 102.68.85.100:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49231 195.201.80.82:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49248 147.75.92.40:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49245 147.75.48.214:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49234 27.111.161.152:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49240 147.75.92.40:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49228 142.215.208.235:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49226 88.212.232.132:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49244 103.26.205.122:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49162 27.111.161.150:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.com	11:c6:6f:e9:03:73:a1:89:6a:e8:05:1b:7a:8a:e2:f6:bc:94:09:61
TLS 1.2 192.168.56.101:49251 147.75.92.40:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49247 156.38.206.18:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49232 177.154.156.125:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d
TLS 1.2 192.168.56.101:49250 156.38.206.18:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=*.mql5.net	2b:27:bf:69:5f:ae:13:cd:07:b9:0a:d1:5a:b0:51:f3:7b:ab:69:0d

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 18, 2021, 12:53 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 18, 2021, 12:53 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	AFX_DIALOG_LAYOUT
resource name	FILE
resource name	LNG

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://crt.usertrust.com/USERTrustECCAddTrustCA.crt

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 18, 2021, 12:53 p.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73552000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Nov. 18, 2021, 12:53 p.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

octafx4setup.exe tried to sleep 309 seconds, actually delayed analysis time by 9 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 18, 2021, 12:53 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: C:\Program Files (x86)\Octa Markets MetaTrader 4 total_number_of_bytes: 0		0	0

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\octafx4setup.exe

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_VideoController

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Jiangmin

Trojan.PSW.Stelega.gu

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 18, 2021, 12:53 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000f7c00', u'virtual_address': u'0x00233000', u'entropy': 7.849635161794706, u'name': u'UPX1', u'virtual_size': u'0x000f8000'}

entropy

7.84963516179

description

A section with a high entropy has been found

entropy

0.863616557734

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (14 events)

host	102.68.85.100
host	103.26.205.122
host	117.20.41.198
host	142.215.208.235
host	147.139.41.121
host	147.75.48.214
host	156.38.206.18
host	156.38.206.21
host	177.154.156.125
host	195.201.80.82
host	47.74.84.54
host	47.91.24.164
host	78.140.180.43
host	88.212.232.132

Creates an Alternate Data Stream (ADS) (1 event)

file	C:\Users\test22\AppData\Local\Temp\octafx4setup.exe:Zone.Identifier:$DATA

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Queries information on disks, possibly for anti-virtualization (3 events)

Time & API	Arguments	Status	Return
NtCreateFile Nov. 18, 2021, 12:53 p.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x0000015c filepath: \??\PHYSICALDRIVE0 desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 0 () filepath_r: \??\PHYSICALDRIVE0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
NtCreateFile Nov. 18, 2021, 12:53 p.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x0000015c filepath: \??\PHYSICALDRIVE0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PHYSICALDRIVE0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
DeviceIoControl Nov. 18, 2021, 12:53 p.m.	input_buffer: control_code: 2954240 () device_handle: 0x0000015c output_buffer: (§Lu~$ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036	1	1

Attempts to create or modify system certificates (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\CA7788C32DA1E4B7863A4FB57D00B55DDACBC7F9\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob

Detects the presence of Wine emulator (4 events)

Time & API	Arguments	Return
LdrGetProcedureAddress Nov. 18, 2021, 12:53 p.m.	ordinal: 0 function_address: 0x0045e9c4 function_name: wine_get_version module: ntdll module_address: 0x77640000	3221225785
LdrGetProcedureAddress Nov. 18, 2021, 12:53 p.m.	ordinal: 0 function_address: 0x0045e9c4 function_name: wine_get_version module: ntdll module_address: 0x77640000	3221225785
LdrGetProcedureAddress Nov. 18, 2021, 12:53 p.m.	ordinal: 0 function_address: 0x0045e9c4 function_name: wine_get_version module: ntdll module_address: 0x77640000	3221225785
LdrGetProcedureAddress Nov. 18, 2021, 12:53 p.m.	ordinal: 0 function_address: 0x0045e9c4 function_name: wine_get_version module: ntdll module_address: 0x77640000	3221225785

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.101:49229
dead_host	156.38.206.21:443

octafx4setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All