Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 6, 2023, 9:34 a.m.	March 6, 2023, 9:37 a.m.

Size	6.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`646f9a44ad9c8719b45951a29f8d3c6d`
SHA256	`5e02b528b2cb0f1884c45c6dc3b095a8a6a8a9ae775aafa265d28a46af969c28`
CRC32	`9513075F`
ssdeep	`196608:58t40NmBV779xciWmIiIrHRmgi4EPP1EZ2RRT7/8:+y8SVDBOrHRmgTE37RT70`
Yara	OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

nik0300.exe "C:\Users\test22\AppData\Local\Temp\nik0300.exe"
2080

Name	Response	Post-Analysis Lookup
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15
ipinfo.io	A 34.117.59.81	34.117.59.81
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.26.4.15	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.166	Active	Moloch
34.117.59.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49163 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49165 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc
TLSv1 192.168.56.103:49166 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 6, 2023, 9:34 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 6, 2023, 9:34 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.vmp#@@4

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET https://db-ip.com/
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Sends data using the HTTP POST Method (1 event)

request

POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 6, 2023, 9:34 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 6, 2023, 9:34 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 6, 2023, 9:34 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 6, 2023, 9:34 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 6, 2023, 9:34 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 6, 2023, 9:34 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\LocalSimbaaoRJdxUjyBE\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\LocalSimbaaoRJdxUjyBE\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\LocalSimbaaoRJdxUjyBE\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\LocalSimbaaoRJdxUjyBE\freebl3.dll

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\LocalSimbaaoRJdxUjyBE\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\LocalSimbaaoRJdxUjyBE\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\LocalSimbaaoRJdxUjyBE\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\LocalSimbaaoRJdxUjyBE\nss3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0063f600', u'virtual_address': u'0x0063b000', u'entropy': 7.96226112751985, u'name': u'.vmp#@@4', u'virtual_size': u'0x0063f490'}

entropy

7.96226112752

description

A section with a high entropy has been found

entropy

0.99937514645

description

Overall entropy of this PE file is high

The executable is likely packed with VMProtect (2 events)

section	.vmp#@@4				description	Section name indicates VMProtect
section	.vmp#@@4				description	Section name indicates VMProtect

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.MarsvapRosJ.Trojan
Lionic	Trojan.Win32.Mufila.4!c
MicroWorld-eScan	Trojan.GenericKD.65688780
FireEye	Generic.mg.646f9a44ad9c8719
CAT-QuickHeal	Trojanspy.Mufila
ALYac	Trojan.GenericKD.65688780
Zillya	Trojan.Mufila.Win32.91
Sangfor	Spyware.Win32.Mufila.Vvd1
K7AntiVirus	Trojan ( 7000001c1 )
Alibaba	TrojanSpy:Win32/Mufila.6909de22
K7GW	Trojan ( 7000001c1 )
Cybereason	malicious.b59176
Arcabit	Trojan.Generic.D3EA54CC
Cyren	W32/ABRisk.UMFG-8476
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.VMProtect.AIN
Cynet	Malicious (score: 99)
Paloalto	generic.ml
Kaspersky	Trojan-Spy.Win32.Mufila.nx
BitDefender	Trojan.GenericKD.65688780
Avast	Win32:SpywareX-gen [Trj]
Tencent	Win32.Trojan.FalseSign.Jajl
Sophos	Mal/VMProtBad-A
VIPRE	Trojan.GenericKD.65688780
TrendMicro	TROJ_GEN.R011C0RBS23
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
Emsisoft	Trojan.GenericKD.65688780 (B)
Ikarus	Trojan.Win32.Generic
Webroot	W32.Trojan.Gen
Avira	TR/Spy.Mufila.zrgkz
Gridinsoft	Malware.Win32.Gen.bot
Xcitium	Malware@#18ikzniv0m78a
Microsoft	Trojan:Win32/Casdet!rfn
ViRobot	Trojan.Win.Z.Agent.6562480
ZoneAlarm	Trojan-Spy.Win32.Mufila.nx
GData	Trojan.GenericKD.65688780
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5388733
McAfee	Artemis!646F9A44AD9C
MAX	malware (ai score=89)
VBA32	TrojanDownloader.Private
Malwarebytes	Spyware.RisePro
TrendMicro-HouseCall	TROJ_GEN.R011C0RBS23
Rising	Spyware.Mufila!8.10959 (TFE:5:gnJOwaQzABC)
Yandex	Trojan.VMProtect!+Ql8xVVUN5I
MaxSecure	Trojan.Malware.202072869.susgen
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.36308.@F1@aWRH1jfi

nik0300.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All