Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 26, 2023, 9:14 a.m.	May 26, 2023, 9:31 a.m.

Size	662.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`4c213248be08249f75b68d85dcdf3365`
SHA256	`f0c730ae57d07440a0de0889db93705c1724f8c3c628ee16a250240cc4f91858`
CRC32	`02C880ED`
ssdeep	`12288:qNKLjILWnymhwEu5GmudCkDrvnZdbwAx8oYZL38:XISnjhDmuQk/vbwA25ZLM`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer

Medusa-2.exe "C:\Users\test22\AppData\Local\Temp\Medusa-2.exe"
2544

Name	Response	Post-Analysis Lookup
api.ipify.org	A 64.185.227.155 CNAME api4.ipify.org A 104.237.62.211 A 173.231.16.76	104.237.62.211

IP Address	Status	Action
104.237.62.211	Active	Moloch
164.124.101.2	Active	Moloch
79.137.203.39	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 104.237.62.211:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 104.237.62.211:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 79.137.203.39:15666 -> 192.168.56.101:49161	2260003	SURICATA Applayer Protocol detection skipped	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 26, 2023, 9:06 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 26, 2023, 9:06 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 26, 2023, 9:06 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Steals private information from local Internet browsers (50 out of 265 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dfmbcapkkeejcpmfhpnglndfkgmalhik
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gehmmocbbkpblljhkekmfhjpfbkclbph
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ldinpeekobnhjjdofggfgjlcehhmanlj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhhldecdfagpbfggphklkaeiocfnaafm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nhhldecdfagpbfggphklkaeiocfnaafm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\UC Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ldinpeekobnhjjdofggfgjlcehhmanlj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\UC Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dppgmdbiimibapkepcbdbmkaabgiofem
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ocglkepbibnalbgmbachknglpdipeoio
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acdamagkdfmpkclpoglgnbddngblgibo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache

Looks up the external IP address (1 event)

domain

api.ipify.org

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA May 26, 2023, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1 base_handle: 0xffffffff80000001 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1		2	0
RegOpenKeyExA May 26, 2023, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1 base_handle: 0xffffffff80000001 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1		2	0

Communicates with host for which no DNS query was performed (1 event)

host

79.137.203.39

Attempts to identify installed AV products by installation directory (4 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser
file	C:\Users\test22\AppData\Roaming\AVAST Software\Browser
file	C:\Users\test22\AppData\Local\AVG\Browser
file	C:\Users\test22\AppData\Roaming\AVG\Browser

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\config
file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

FireEye	Generic.mg.4c213248be08249f
Malwarebytes	Malware.AI.4243800543
Sangfor	Spyware.Win64.Agent.Vzl3
Cybereason	malicious.aed5ad
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Spy.Agent.FW
APEX	Malicious
Cynet	Malicious (score: 100)
Avast	SpywareX-gen [Trj]
TrendMicro	Trojan.Win64.SMOKELOADER.YXDEYZ
McAfee-GW-Edition	BehavesLike.Win64.Dropper.jh
Sophos	Mal/Generic-S
Microsoft	Trojan:Win32/Casdet!rfn
AhnLab-V3	Trojan/Win.SpywareX-gen.C5422235
McAfee	Artemis!4C213248BE08
Cylance	unsafe
TrendMicro-HouseCall	Trojan.Win64.SMOKELOADER.YXDEYZ
Rising	Spyware.Agent!8.C6 (TFE:5:z1lGr5sNoqR)
AVG	SpywareX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

Medusa-2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All