popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

File_pass1234.7z

KeyLogger PWS Escalate priviledges AntiVM AntiDebug
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 April 13, 2023, 9:51 a.m. April 13, 2023, 9:53 a.m.
Size 4.0MB
Type 7-zip archive data, version 0.4
MD5 5ce7e6a25d84c2c2dbcb96b30a608643
SHA256 fec433daf03cf85433373f5a079ab06c982034ee7e9e8fca7aff29005671a6e6
CRC32 140E2E37
ssdeep 98304:xTsyzCwLw5IVqzhaSkDMUthjiXURjd+uao1rJc/lGAOgGNu:WcbL0Xq5HjisjRrJoGK
Yara None matched

Name Response Post-Analysis Lookup
ipinfo.io
A 34.117.59.81
34.117.59.81
api.db-ip.com
A 104.26.5.15
A 104.26.4.15
A 172.67.75.166
172.67.75.166
www.maxmind.com
A 104.17.215.67
A 104.17.214.67
104.17.215.67
db-ip.com
A 104.26.5.15
A 104.26.4.15
A 172.67.75.166
104.26.5.15
IP Address Status Action
104.17.214.67 Active Moloch
104.26.5.15 Active Moloch
164.124.101.2 Active Moloch
172.67.75.166 Active Moloch
208.67.104.60 Active Moloch
34.117.59.81 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49179 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49179 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49179 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49179 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49181 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49182 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49185 -> 104.17.214.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49179 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49181
104.26.5.15:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc
TLSv1
192.168.56.102:49182
172.67.75.166:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features Connection to IP address suspicious_request GET http://208.67.104.60/api/tracemap.php
request GET http://208.67.104.60/api/tracemap.php
request GET http://www.maxmind.com/geoip/v2.1/city/me
request GET https://db-ip.com/
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x721c3000
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\7zE8380E05D\mlang.dll
file C:\Users\test22\AppData\Local\Temp\7zE8380E05D\Install.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeSecurityPrivilege
1 1 0
description PWS Memory rule Generic_PWS_Memory_Zero
description Escalate priviledges rule Escalate_priviledges
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
host 208.67.104.60