Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 19, 2021, 2:03 a.m.	Nov. 19, 2021, 2:05 a.m.

Size	2.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`3c98acf1760cf6c13d4b82e4dc133252`
SHA256	`699b94fcc53da790da2dad2e68b38b66902f1381af98dc6962e2c6f982d951ba`
CRC32	`43AC57C3`
ssdeep	`49152:j7+nSHJ05LnIx//NUdVUhuhpUP278Sg4CyK7Ze1JMeyLy7hkZm:JYI7UdVUhUYIK+yI2Zm`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

opera.exe "C:\Users\test22\AppData\Local\Temp\opera.exe"
2772
- opera.exe C:\Users\test22\AppData\Local\Temp\opera.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\test22\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=81.0.4196.37 --initial-client-data=0x198,0x19c,0x1a0,0x16c,0x1a4,0x734074e8,0x734074f8,0x73407504
  2828
- opera.exe "C:\Users\test22\AppData\Local\Temp\.opera\Opera Installer Temp\opera.exe" --version
  2988
explorer.exe C:\Windows\Explorer.EXE
1156

Name	Response	Post-Analysis Lookup
autoupdate.geo.opera.com	A 37.228.108.132 CNAME us-autoupdate.opera.com A 37.228.108.133	37.228.108.133
desktop-netinstaller-sub.osp.opera.software	CNAME submit.geo.opera.com CNAME submit-target.osp.opera.software CNAME submit-ash.osp.opera.software A 107.167.119.133	107.167.119.133
download.opera.com	CNAME us-download.opera.com A 107.167.110.218 A 107.167.110.217 CNAME download.geo.opera.com	107.167.110.218
get.geo.opera.com	CNAME us.get.opera.com A 37.228.108.150 A 37.228.108.149	37.228.108.149

IP Address	Status	Action
107.167.110.217	Active	Moloch
107.167.119.133	Active	Moloch
164.124.101.2	Active	Moloch
37.228.108.133	Active	Moloch
37.228.108.149	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 37.228.108.133:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 107.167.119.133:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 37.228.108.133:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 107.167.110.217:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 107.167.110.217:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49190 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49187 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49189 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 37.228.108.149:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 37.228.108.133:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=autoupdate.opera.com	df:13:f4:d0:65:47:f5:9b:d2:0d:b0:35:2b:5b:b6:83:41:0e:cc:b3
TLSv1 192.168.56.101:49170 107.167.119.133:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=*.osp.opera.software	6d:d9:01:44:cc:bd:09:69:75:57:f3:29:45:43:81:7f:c1:91:d8:fe
TLSv1 192.168.56.101:49167 37.228.108.133:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=autoupdate.opera.com	df:13:f4:d0:65:47:f5:9b:d2:0d:b0:35:2b:5b:b6:83:41:0e:cc:b3
TLSv1 192.168.56.101:49178 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49175 107.167.110.217:443	None	None	None
TLSv1 192.168.56.101:49171 107.167.110.217:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=*.opera.com	45:ff:b6:6a:62:1a:93:a5:18:01:05:1f:42:39:b0:97:68:c3:6a:13
TLSv1 192.168.56.101:49177 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49179 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49181 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49182 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49185 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49190 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49186 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49187 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49189 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49188 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49180 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49172 37.228.108.149:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=get.opera.com	5d:eb:0c:02:8d:0a:eb:24:ba:f3:0c:b2:af:79:7f:7f:ff:46:44:1f
TLSv1 192.168.56.101:49176 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49183 37.228.108.149:443	None	None	None
TLSv1 192.168.56.101:49184 37.228.108.149:443	None	None	None

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 19, 2021, 2:03 a.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 2:03 a.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 2:03 a.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 2:03 a.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 2:03 a.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 2:03 a.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 2:03 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 19, 2021, 2:03 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	PNG
resource name	TXT

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST https://autoupdate.geo.opera.com/v2/netinstaller/Stable/windows/x64
suspicious_features	POST method with no referer header				suspicious_request	POST https://desktop-netinstaller-sub.osp.opera.software/v1/binary

Performs some HTTP requests (5 events)

request	GET https://autoupdate.geo.opera.com/geolocation/
request	POST https://autoupdate.geo.opera.com/v2/netinstaller/Stable/windows/x64
request	POST https://desktop-netinstaller-sub.osp.opera.software/v1/binary
request	GET https://download.opera.com/download/get/?id=55532&autoupdate=1&ni=1&stream=stable&utm_campaign=search_relatedapp_via_opera_com_https&utm_lastpage=opera.com/partner&utm_medium=pb&utm_site=opera_com&utm_source=softonic_via_opera_com&utm_tryagain=yes&niuid=0aab6fe4-e22e-44e0-82f5-3816589ecd7c
request	GET https://get.geo.opera.com/pub/opera/desktop/81.0.4196.54/win/Opera_81.0.4196.54_Autoupdate_x64.exe

Sends data using the HTTP POST Method (2 events)

request	POST https://autoupdate.geo.opera.com/v2/netinstaller/Stable/windows/x64
request	POST https://desktop-netinstaller-sub.osp.opera.software/v1/binary

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 19, 2021, 2:03 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2021, 2:03 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b12000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 2:05 a.m.	process_identifier: 1156 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 19, 2021, 2:03 a.m.	total_number_of_free_bytes: 13709930496 free_bytes_available: 13709930496 root_path: C: total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (1 event)

registry

HKEY_CURRENT_USER\Software\Opera Software

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\Opera_installer_2111190203439842828.dll
file	C:\Users\test22\AppData\Local\Temp\Opera_installer_2111190203437342772.dll
file	C:\Users\test22\AppData\Local\Temp\Opera_installer_2111190203443282988.dll

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202111191103441\opera_package
file	C:\Users\test22\AppData\Local\Temp\Opera_installer_2111190203443282988.dll
file	C:\Users\test22\AppData\Local\Temp\.opera\Opera Installer Temp\opera.exe

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Cylance	Unsafe
APEX	Malicious

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00272600', u'virtual_address': u'0x001d8000', u'entropy': 7.7721686394343035, u'name': u'UPX1', u'virtual_size': u'0x00273000'}

entropy

7.77216863943

description

A section with a high entropy has been found

entropy

0.987000196967

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Network activity contains more than one unique useragent (2 events)

process	opera.exe				useragent	Opera installer
process	opera.exe				useragent	Opera NetInstaller/81.0.4196.37

opera.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All