popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Setup_x32_x64.exe

UPX Malicious Library VMProtect PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 May 25, 2023, 5:35 p.m. May 25, 2023, 5:39 p.m.
Size 4.7MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c51e82e2c7a0f3b68d02fc988f764f8f
SHA256 5cbcbf21e72a2a382039f92862cf3fd8364e0fcccda137c0eb1a57c6c3fc46e2
CRC32 448992B4
ssdeep 98304:s2Ck1pncPKXnRwJgPRVPh1g09XjV4AIvLEazhyf6Dqo:vvncP6nRwJoVngwXjVLQ0Q
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • VMProtect_Zero - VMProtect packed file

Name Response Post-Analysis Lookup
t.me
A 149.154.167.99
149.154.167.99
steamcommunity.com
A 104.88.222.199
96.7.99.39
IP Address Status Action
104.88.222.199 Active Moloch
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
5.75.210.95 Active Moloch
192.30.89.67 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 149.154.167.99:443 -> 192.168.56.101:49164 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 104.88.222.199:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49161 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49163 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49168 -> 5.75.210.95:80 2027262 ET INFO Dotted Quad Host ZIP Request Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49166
104.88.222.199:443 		C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .vmp0
section .vmp1
section .vmp2
suspicious_features Connection to IP address suspicious_request GET http://5.75.210.95/93847ac75331fcbc8340ae251ef2cc25
suspicious_features Connection to IP address suspicious_request GET http://5.75.210.95/addon.zip
request GET http://5.75.210.95/93847ac75331fcbc8340ae251ef2cc25
request GET http://5.75.210.95/addon.zip
request GET https://steamcommunity.com/profiles/76561199508624021
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00350000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00390000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 995328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x61e00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\vcruntime140.dll
file C:\ProgramData\msvcp140.dll
file C:\ProgramData\nss3.dll
file C:\ProgramData\freebl3.dll
file C:\ProgramData\mozglue.dll
file C:\ProgramData\softokn3.dll
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2572
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00350000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x00489000', u'virtual_address': u'0x002ea000', u'entropy': 7.931716175896431, u'name': u'.vmp2', u'virtual_size': u'0x00488e70'} entropy 7.9317161759 description A section with a high entropy has been found
entropy 0.971446501412 description Overall entropy of this PE file is high
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
section .vmp2 description Section name indicates VMProtect
host 5.75.210.95
host 192.30.89.67
process Setup_x32_x64.exe useragent Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
process Setup_x32_x64.exe useragent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Stealerc.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.67212429
Malwarebytes Malware.AI.4076761001
Sangfor Trojan.Win32.Save.a
Alibaba TrojanPSW:Win32/Stealerc.57693b99
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.VMProtect.AU suspicious
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky Trojan-PSW.Win32.Stealerc.tk
Avast FileRepMalware [Pws]
Tencent Win32.Trojan-QQPass.QQRob.Hajl
McAfee-GW-Edition Artemis!Trojan
Trapmine malicious.high.ml.score
FireEye Generic.mg.c51e82e2c7a0f3b6
SentinelOne Static AI - Suspicious PE
GData Win32.Trojan.Agent.M1LGBB
ZoneAlarm Trojan-PSW.Win32.Stealerc.tk
Microsoft Trojan:Win32/Cryware.B
Google Detected
McAfee Artemis!C51E82E2C7A0
MAX malware (ai score=82)
VBA32 BScope.TrojanPSW.Coins
Cylance unsafe
Panda Trj/Chgt.AD
Rising Stealer.Stealerc!8.17BE0 (CLOUD)
Ikarus Trojan.Win32.Generic
MaxSecure Trojan.Malware.300983.susgen
BitDefenderTheta Gen:NN.ZexaF.36196.@J2@aOdwaYpi
AVG FileRepMalware [Pws]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_60% (W)