Summary | ZeroBOX

w.exe

PE32 PE File
Category FILE
Machine s1_win7_x6401
Started March 29, 2023, 5:33 p.m.
Completed March 29, 2023, 5:39 p.m.
Size 16.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c200ea136a598e37eb83c8c6031b3f29
SHA256 3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8
CRC32 BAC89AA0
ssdeep 96:kEVg6r1wCCbBarsanJtRHJeZW+RElJ869X/Q+sjsTNTSEnrtDINyncI+vL/mg56D:XVZZrDRgAKErjOEnrtDINynT+vCgcNXh
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

IP Address Status Action
104.18.19.218 Active Moloch
104.21.89.144 Active Moloch
104.22.68.176 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49164 -> 104.18.19.218:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.18.19.218:443 -> 192.168.56.101:49166 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 104.22.68.176:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 104.21.89.144:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49165 -> 104.18.19.218:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint

version: TLSv1
flow: 192.168.56.101:49162 -> 104.22.68.176:443
issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
subject: CN=*.bitcoin.org
fingerprint: 1a:81:c6:0e:51:52:81:af:8a:1f:a8:fe:a3:18:04:fa:db:01:f5:3c

version: TLSv1
flow: 192.168.56.101:49168 -> 104.21.89.144:443
issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
subject: CN=*.electrum.org
fingerprint: 76:1b:7b:1a:b2:a7:3f:c5:99:a7:2b:68:f5:fd:1b:a5:5e:97:4b:65

resource name SETTINGS
request GET https://bitcoin.org/bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe
request GET https://download.electrum.org/4.3.4/electrum-4.3.4-setup.exe
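Four of the five Suricata rows above come from one rule, the SSLBL JA3 client-fingerprint blacklist (SID 906200054), and the fifth is a handshake failure reported by the server side. SSLBL's JA3 rule matches the client hello, so the name in parentheses is the blacklist entry the fingerprint matched, not a confirmed family; JA3 values collide across programs that share a TLS stack, so the hit corroborates the other evidence rather than attributing it. The destinations presented certificates for *.bitcoin.org and *.electrum.org, the download sources on the request lines, so they are not command-and-control indicators. The Python below is an added example, not part of the ZeroBOX report: it re-types the alert and TLS rows as constructed input and separates the client-side indicator from the server-side facts. The sandbox IP, the SID constants and the "named download host" rule are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed input: the Suricata alert rows from this report, re-typed as plain
# text lines (added example data, not sandbox output).
ALERT_ROWS = """\
TCP 192.168.56.101:49164 -> 104.18.19.218:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 104.18.19.218:443 -> 192.168.56.101:49166 2029340 ET INFO TLS Handshake Failure
TCP 192.168.56.101:49162 -> 104.22.68.176:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49168 -> 104.21.89.144:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49165 -> 104.18.19.218:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
"""

# Server certificate subjects from the report's TLS table, keyed by server IP.
TLS_SUBJECTS = {
    "104.22.68.176": "CN=*.bitcoin.org",
    "104.21.89.144": "CN=*.electrum.org",
}

SANDBOX_IP = "192.168.56.101"          # assumed: the analysis VM's address
SID_SSLBL_JA3 = 906200054              # SSLBL JA3 client-fingerprint rule (per the report)
SID_TLS_HANDSHAKE_FAIL = 2029340       # ET INFO TLS Handshake Failure (per the report)

ALERT_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<sid>\d+) (?P<sig>.+)$"
)


def parse_alerts(text):
    """Parse 'proto src:port -> dst:port sid signature' rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "sid"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def peer_of(row, host_ip):
    """Return the remote side of a flow relative to the analysed host."""
    return row["dst"] if row["src"] == host_ip else row["src"]


def triage_tls_alerts(rows, host_ip, tls_subjects):
    """Separate what the JA3 alert says about the client from what is known about servers."""
    ja3_rows = [r for r in rows if r["sid"] == SID_SSLBL_JA3]
    labels = Counter()
    for r in ja3_rows:
        m = re.search(r"\(([^)]+)\)\s*$", r["sig"])   # blacklist entry name, e.g. "(Tofsee)"
        if m:
            labels[m.group(1)] += 1
    # The SSLBL rule fingerprints the client hello, so every hit describes the
    # host's TLS stack; it is a host-side indicator only if raised on its outbound hello.
    client_side = all(r["src"] == host_ip for r in ja3_rows)
    dests = {}
    for r in ja3_rows:
        ip = peer_of(r, host_ip)
        dests[ip] = tls_subjects.get(ip)   # None = no server certificate recorded for this peer
    failures = sorted({peer_of(r, host_ip) for r in rows if r["sid"] == SID_TLS_HANDSHAKE_FAIL})
    return {
        "ja3_hits": len(ja3_rows),
        "ja3_label": labels.most_common(1)[0][0] if labels else None,
        "client_side": client_side,
        "destinations": dests,
        "handshake_failures": failures,
        # Peers that presented a certificate for a public software host are download
        # sources, not C2; blocking the IP would also block that legitimate site.
        "named_download_hosts": sorted(ip for ip, subj in dests.items() if subj),
        "unnamed_peers": sorted(ip for ip, subj in dests.items() if subj is None),
    }


def run():
    return triage_tls_alerts(parse_alerts(ALERT_ROWS), SANDBOX_IP, TLS_SUBJECTS)


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

Run as a script it prints the triage dict; the one peer left in `unnamed_peers` (104.18.19.218, which also produced the handshake failure) is the only destination this report gives no certificate for, so it is the one worth a second look rather than the two wallet-site CDN addresses.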
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03450000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x034a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
file C:\Users\test22\AppData\Roaming\exodus-windows-x64-23.3.27.exe
file C:\Users\test22\AppData\Local\Temp\Updater.exe
file C:\Users\test22\AppData\Roaming\electrum-4.3.4-setup.exe
file C:\Users\test22\AppData\Roaming\bitcoin-22.0-win64-setup.exe
file C:\Users\test22\AppData\Local\Temp\Updater.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x02340000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows reg_value C:\Users\test22\AppData\Local\Temp\Updater.exe
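The API records above show the sequence a triage script looks for when a small downloader stages code in memory: a page at 0x73bc2000 made PAGE_EXECUTE_READWRITE, a 589824-byte RWX region reserved at 0x03450000 and then a page committed RWX inside it at 0x034a0000 (with the sandbox's heap_dep_bypass flag set), and a third region at 0x02340000 switched to PAGE_EXECUTE_READ. The Run value that follows points at Updater.exe in %TEMP%, a user-writable drop directory. The Python below is an added example, not ZeroBOX's own code: it re-types those records as constructed input and applies the memory and persistence checks in sequence. The protection and allocation constants are the Windows values; the 0x70000000 "module range" threshold (where system DLLs are mapped on 32-bit Windows 7), the finding names and the drop-directory pattern are assumptions made for the example.

```python
import re

# Constructed input: the API call records and the persistence artefact shown in
# this report, re-typed as Python data (added example data, not sandbox output).
API_CALLS = [
    {"api": "NtProtectVirtualMemory", "base": 0x73BC2000, "size": 4096,
     "protection": 0x40, "heap_dep_bypass": 0},
    {"api": "NtAllocateVirtualMemory", "base": 0x03450000, "size": 589824,
     "protection": 0x40, "alloc_type": 0x2000, "heap_dep_bypass": 0},
    {"api": "NtAllocateVirtualMemory", "base": 0x034A0000, "size": 4096,
     "protection": 0x40, "alloc_type": 0x1000, "heap_dep_bypass": 1},
    {"api": "NtProtectVirtualMemory", "base": 0x02340000, "size": 24576,
     "protection": 0x20, "heap_dep_bypass": 1},
]
RUN_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows",
           r"C:\Users\test22\AppData\Local\Temp\Updater.exe")

PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80      # the PAGE_EXECUTE* family
# Heuristic for this example: on 32-bit Windows 7 user mode, system DLLs sit near the
# top of the 2 GB address space, so an RWX change up there targets a loaded module.
MODULE_RANGE_START = 0x70000000


def memory_findings(calls):
    """Flag RWX staging: reserve-then-commit RWX, exec protection changes, DEP bypass flags."""
    findings = []
    reserved_rwx = []                       # (base, end) of RWX reservations seen so far
    for c in calls:
        base, end = c["base"], c["base"] + c["size"]
        executable = bool(c["protection"] & EXEC_MASK)
        if c["api"] == "NtAllocateVirtualMemory" and c["protection"] == PAGE_EXECUTE_READWRITE:
            if c.get("alloc_type") == MEM_RESERVE:
                reserved_rwx.append((base, end))
                findings.append(("rwx_reserve", base, c["size"]))
            elif c.get("alloc_type") == MEM_COMMIT:
                inside = any(b <= base < e for b, e in reserved_rwx)
                findings.append(("rwx_commit_in_reserved" if inside else "rwx_commit", base, c["size"]))
        elif c["api"] == "NtProtectVirtualMemory" and executable:
            if base >= MODULE_RANGE_START and c["protection"] == PAGE_EXECUTE_READWRITE:
                findings.append(("rwx_on_module_page", base, c["size"]))   # writable code in a module
            else:
                findings.append(("made_executable", base, c["size"]))
        if c.get("heap_dep_bypass"):
            findings.append(("heap_dep_bypass", base, c["size"]))        # sandbox's own DEP flag
    return findings


# Drop directories a user can write to without elevation (assumed pattern for the example).
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
HKCU_RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"


def persistence_findings(key, value):
    """Flag autorun values whose target lives in a user-writable drop directory."""
    out = []
    if key.lower().startswith(HKCU_RUN) and USER_WRITABLE.search(value):
        out.append(("run_key_to_user_writable_path", key.rsplit("\\", 1)[-1], value))
    return out


def triage():
    return {"memory": memory_findings(API_CALLS),
            "persistence": persistence_findings(*RUN_KEY)}


if __name__ == "__main__":
    for section, items in triage().items():
        for item in items:
            print(section, *item)
```

The findings come out in call order, so the reserve at 0x03450000 is already on record when the commit at 0x034a0000 is seen, which is what lets the script label it a commit inside an RWX reservation rather than an isolated allocation.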
Lionic Trojan.Win32.Agent.Y!c
tehtris Generic.Malware
DrWeb Trojan.DownLoader30.17344
MicroWorld-eScan Gen:Variant.Midie.111126
CAT-QuickHeal Trojan.AgentMF.S19993834
McAfee Downloader-FBWZ!C200EA136A59
Malwarebytes Trojan.Downloader
VIPRE Gen:Variant.Midie.111126
Sangfor Suspicious.Win32.Save.vb
K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Midie.D1B216
BitDefenderTheta AI:Packer.6732398D1F
VirIT Trojan.Win32.Genus.PBD
Cyren W32/VBTrojan.Downloader.1D!Maxi
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/TrojanDownloader.VB.RLW
Cynet Malicious (score: 99)
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Aizczvpi-7667171-0
Kaspersky Trojan.Win32.Agent.xabduu
BitDefender Gen:Variant.Midie.111126
NANO-Antivirus Trojan.Win32.VB.fxwldb
SUPERAntiSpyware Trojan.Agent/Gen-Downloader
Avast Win32:Evo-gen [Trj]
Tencent Win32.Trojan.Agent.Ogil
TACHYON Trojan/W32.VB-Agent.16384.ID
TrendMicro TROJ_GEN.R002C0DCS23
McAfee-GW-Edition BehavesLike.Win32.Generic.lz
FireEye Generic.mg.c200ea136a598e37
Emsisoft Gen:Variant.Midie.111126 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin TrojanDownloader.Generic.bdxz
Avira TR/VB.Downloader.Gen
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.Agent.dd!n
Microsoft Trojan:Win32/VBObfuse.BIV!MTB
ViRobot Trojan.Win.Z.Midie.16384.B
GData Gen:Variant.Midie.111126
Google Detected
AhnLab-V3 Trojan/Win32.RL_Vobfus.R326912
VBA32 Malware-Cryptor.VB.gen.1
ALYac Gen:Variant.Midie.111126
MAX malware (ai score=82)
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.R002C0DCS23
Rising Downloader.Generic!8.141 (TFE:4:2XZfwNMewX)