Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 9, 2023, 9:36 a.m.	Jan. 9, 2023, 9:52 a.m.

Size	469.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6f165f33d7d16f38d3b952efe4f53f8c`
SHA256	`32248f0553821820bdb2a1d5a8346f16ddc53c041a1e57758479bd3a73e8e65e`
CRC32	`8D2A937F`
ssdeep	`6144:YwvBDo4VSC4nH0SDIv9rt/BcrZ5sKEM8OTVqvYIw0BZ1zfU+zsz7HJshlyuIV21r:SiGkzirZuK95qwN0BXzfa72hlyus6`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 23.37.146.163	104.76.78.101

IP Address	Status	Action
116.202.7.135	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
23.37.146.163	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.154.167.99:443 -> 192.168.56.103:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 23.37.146.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49170 -> 116.202.7.135:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 23.37.146.163:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://116.202.7.135/804
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://116.202.7.135/samefiles.zip

Performs some HTTP requests (3 events)

request	GET http://116.202.7.135/804
request	GET http://116.202.7.135/samefiles.zip
request	GET https://steamcommunity.com/profiles/76561199467421923

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00070c00', u'virtual_address': u'0x00002000', u'entropy': 7.6462856416103095, u'name': u'.text', u'virtual_size': u'0x00070a72'}

entropy

7.64628564161

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00004400', u'virtual_address': u'0x00074000', u'entropy': 7.721087347356225, u'name': u'.rsrc', u'virtual_size': u'0x000042a6'}

entropy

7.72108734736

description

A section with a high entropy has been found

entropy

0.998932764141

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (7 events)

url	http://65.108.93.119:80
url	https://t.me/year2023start
url	http://www.smartassembly.com/webservices/Reporting/UploadReport2
url	http://www.smartassembly.com/webservices/UploadReportLogin/
url	https://steamcommunity.com/profiles/76561199467421923
url	http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL
url	http://www.smartassembly.com/webservices/Reporting/L

Yara rule detected in process memory (10 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

116.202.7.135

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://65.108.93.119:80

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Bandra.4!c
MicroWorld-eScan	Gen:Variant.MSILHeracles.55372
FireEye	Generic.mg.6f165f33d7d16f38
CAT-QuickHeal	Trojan.MSIL
McAfee	Artemis!6F165F33D7D1
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0059cd1a1 )
Alibaba	Trojan:Win32/Kryptik.ali2000016
K7GW	Trojan ( 0059cd1a1 )
Cybereason	malicious.a7adc7
Arcabit	Trojan.Lazy.D450C9
BitDefenderTheta	Gen:NN.ZemsilF.36158.Dm0@aOnI5lmG
Cyren	W32/ABRisk.BVSQ-8903
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/PSW.Agent.ONW
APEX	Malicious
Kaspersky	HEUR:Trojan-Banker.MSIL.Bandra.gen
BitDefender	Gen:Variant.Lazy.282825
Avast	Win32:RATX-gen [Trj]
Tencent	Msil.Trojan-Banker.Bandra.Adhl
Ad-Aware	Gen:Variant.MSILHeracles.55372
Emsisoft	Gen:Variant.Lazy.282825 (B)
Comodo	Malware@#1uw07hdg05zx
VIPRE	Gen:Variant.MSILHeracles.55372
TrendMicro	TrojanSpy.Win32.VIDAR.YXDAFZ
McAfee-GW-Edition	BehavesLike.Win32.Fareit.gc
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S + Mal/MSIL-VD
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.MSIL.Bandra
Google	Detected
Avira	TR/AD.GenSteal.jcatq
MAX	malware (ai score=82)
Antiy-AVL	Trojan/MSIL.Kryptik
Kingsoft	Win32.Troj.Banker.(kcloud)
Gridinsoft	Malware.Win32.Sabsik.cc
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Gen:Variant.Lazy.282825
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Lazy.282825
Malwarebytes	Trojan.Crypt.MSIL
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXDAFZ
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:hKwpbcthsRDW8kvfsdrWOQ)
Ikarus	Trojan.MSIL.MultiPacked
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Malicious_Behavior.VEX
AVG	Win32:RATX-gen [Trj]

28.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All