Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 30, 2023, 10:42 a.m.	May 30, 2023, 10:45 a.m.

Size	4.5MB
Type	7-zip archive data, version 0.4
MD5	`0d6f6b6bd8f63cb7ea5854d7fb265cb4`
SHA256	`e29b394be0b3c73641c25b17b2d40e4e468515a31970e8780ba62af98c014f3a`
CRC32	`606E2A2E`
ssdeep	`98304:YiOAzIGlo9MrG8VKpzXCkzUMHfAKKMREg8WO87C5TM/9h:YiOA0GlsMICLMHfl52g8BM1h`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "iIohIuKT" C:\Users\test22\AppData\Local\Temp\File_pass1234.7z
3036
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\File_pass1234.7z"
  2192

Name	Response	Post-Analysis Lookup
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.78 A 87.240.137.164 A 93.186.225.194 A 87.240.132.67	87.240.137.164
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
ji.jahhaega2qq.com	A 104.21.18.146 A 172.67.182.87	104.21.18.146
ipinfo.io	A 34.117.59.81	34.117.59.81
hugersi.com	A 91.215.85.147	91.215.85.147
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
www.maxmind.com	A 104.17.215.67 A 104.17.214.67	104.17.214.67
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
104.17.214.67	Active	Moloch
104.21.18.146	Active	Moloch
104.26.4.15	Active	Moloch
104.26.5.15	Active	Moloch
163.123.143.4	Active	Moloch
164.124.101.2	Active	Moloch
176.113.115.239	Active	Moloch
34.117.59.81	Active	Moloch
45.12.253.74	Active	Moloch
45.63.40.48	Active	Moloch
83.97.73.126	Active	Moloch
85.208.136.10	Active	Moloch
87.240.137.164	Active	Moloch
91.215.85.147	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49195 -> 104.17.214.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49189 -> 85.208.136.10:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49193 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49200	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49190 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49190 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49198 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49198 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49190 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49199 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49202 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49192 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49205 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49205 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49217 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 91.215.85.147:80 -> 192.168.56.102:49215	2014819	ET INFO Packed Executable Download	Misc activity
TCP 104.21.18.146:80 -> 192.168.56.102:49212	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49225 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 91.215.85.147:80 -> 192.168.56.102:49215	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49232 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49213 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49213 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49214 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49214 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49216 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49216 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49230 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49220 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49231 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49228 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49222	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49218 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49221 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49221 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49223 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49223	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49209 -> 83.97.73.126:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49209 -> 83.97.73.126:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49204 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49204 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 83.97.73.126:80 -> 192.168.56.102:49209	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 83.97.73.126:80 -> 192.168.56.102:49209	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.63.40.48:3002 -> 192.168.56.102:49235	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.63.40.48:3002 -> 192.168.56.102:49235	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.63.40.48:3002 -> 192.168.56.102:49235	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49227 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49190 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49193 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49202 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49192 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49232 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49230 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49231 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49228 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49233 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49227 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 30, 2023, 10:42 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 30, 2023, 10:42 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://85.208.136.10/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://85.208.136.10/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://83.97.73.126/gallery/photo660.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://83.97.73.126/gallery/photo660.exe

Performs some HTTP requests (18 events)

request	GET http://85.208.136.10/api/tracemap.php
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	POST http://85.208.136.10/api/firegate.php
request	HEAD http://83.97.73.126/gallery/photo660.exe
request	HEAD http://ji.jahhaega2qq.com/m/p0aw25.exe
request	GET http://ji.jahhaega2qq.com/m/p0aw25.exe
request	GET http://83.97.73.126/gallery/photo660.exe
request	HEAD http://hugersi.com/dl/6523.exe
request	GET http://hugersi.com/dl/6523.exe
request	GET https://db-ip.com/
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://vk.com/doc791620691_664633016?hash=Kx9Lk64SiBei7Frzj0lSzmTRwDQUGuLRnag9eWB0Yvz&dl=7l27SR2LgFb34pTgCkFSsXiqFFhU6Hm1fHoJzcRRnP4&api=1&no_preview=1
request	GET https://sun6-20.userapi.com/c237331/u791620691/docs/d11/350130cbb9c6/PMp123a.bmp?extra=tONVqElPo-mONv9H1N77dl5gnf0qx0RIDWhnQv0pfnggFyTSr0lcbBRhJPwYJlQIn69bcwZK5a77VAfW3irjaK0ObffcoXk5OiNOBL_6TNiZ1gJsMrCYqiluWsgsUZ703Jp5VOCRRBfq9vyf7w
request	GET https://vk.com/doc791620691_664562355?hash=60bw0oeYE8Op2FAtVeNLN5ZQODckNwEGocYRxvow6eT&dl=JqisKfdCTOlrG5C2zMgxyjDbqMol1WVGsHKuMJ7KUEL&api=1&no_preview=1
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request	GET https://sun6-21.userapi.com/c237031/u791620691/docs/d10/1bb194217104/cosmic.bmp?extra=OzP24DVVNdJlAer6TrgAxQeVsgO593sZw5mfKKl8xTWXj7lwr_z097-pN9i5YcJ_4RF8zAGPCKGry1YMyyMfhUwODYfgzyVCvqJBZ4tscygTmOcjl43jai4gNPweG2FKerWXaLJ2Ntl6HPbakQ

Sends data using the HTTP POST Method (2 events)

request	POST http://85.208.136.10/api/firegate.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 30, 2023, 10:42 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 30, 2023, 10:42 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e3000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zE098F1D76\File.exe

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

FireEye	Trojan.GenericKD.67266264
Arcabit	Trojan.Generic.D40266D8
BitDefender	Trojan.GenericKD.67266264
MicroWorld-eScan	Trojan.GenericKD.67266264
Emsisoft	Trojan.GenericKD.67266264 (B)
VIPRE	Trojan.GenericKD.67266264
McAfee-GW-Edition	Artemis
MAX	malware (ai score=82)
GData	Trojan.GenericKD.67266264

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 30, 2023, 10:42 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW May 30, 2023, 10:43 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (6 events)

host	163.123.143.4
host	176.113.115.239
host	45.12.253.74
host	45.63.40.48
host	83.97.73.126
host	85.208.136.10

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)

dead_host	176.113.115.239:8080
dead_host	163.123.143.4:80
dead_host	45.63.40.48:80
dead_host	45.12.253.74:80
dead_host	176.113.115.239:80

File_pass1234.7z

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All