Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 16, 2023, 7:27 a.m.	June 16, 2023, 7:37 a.m.

Size	4.6MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`dd0891b669fbe6d2f1442f2f28f57fe3`
SHA256	`29f8caa4248a60f8e6d058fec89fd8679c7a7b695e30c3bb2582450864fc9585`
CRC32	`AD8AE7B2`
ssdeep	`98304:6tx706LdxV9QflRFhPDkNWLA9VPFi6f7zyol7:Ex70cdn9QXPDIfVLtl7`
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) PE_Header_Zero - PE File Signature

gate_011.exe "C:\Users\test22\AppData\Local\Temp\gate_011.exe"
1676

Name	Response	Post-Analysis Lookup
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	172.67.75.163
ipinfo.io	A 34.117.59.81	34.117.59.81
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.129.133

IP Address	Status	Action
104.26.8.59	Active	Moloch
164.124.101.2	Active	Moloch
208.67.104.60	Active	Moloch
34.117.59.81	Active	Moloch
93.186.225.194	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49164 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49164 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49166 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49167 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49170 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 208.67.104.60:80 -> 192.168.56.103:49162	2400039	ET DROP Spamhaus DROP Listed Traffic Inbound group 40	Misc Attack
TCP 192.168.56.103:49163 -> 104.26.8.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49163 -> 104.26.8.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49162 -> 208.67.104.60:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49170 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.103:49163 104.26.8.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	_RDATA
section	.vmp;""@

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

BOOTOP

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://208.67.104.60/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address				suspicious_request	POST http://208.67.104.60/api/firegate.php

Performs some HTTP requests (4 events)

request	GET http://208.67.104.60/api/tracemap.php
request	POST http://208.67.104.60/api/firegate.php
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

Sends data using the HTTP POST Method (1 event)

request

POST http://208.67.104.60/api/firegate.php

Steals private information from local Internet browsers (14 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\Pictures\Minor Policy\NJnlNuuBh5TdN5MPRfMOU2Ak.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW June 16, 2023, 7:20 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (33 events)

Time & API	Arguments	Status	Return
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: smss.exe process_identifier: 232	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: csrss.exe process_identifier: 308	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: wininit.exe process_identifier: 344	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: csrss.exe process_identifier: 356	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: services.exe process_identifier: 436	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: lsass.exe process_identifier: 452	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: lsm.exe process_identifier: 460	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 560	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 636	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 716	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 780	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 824	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 984	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 340	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: pw.exe process_identifier: 1888	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: mobsync.exe process_identifier: 524	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: pw.exe process_identifier: 912	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: taskhost.exe process_identifier: 1740	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: cmd.exe process_identifier: 2040	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: conhost.exe process_identifier: 1552	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: SearchProtocolHost.exe process_identifier: 444	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: gate_011.exe process_identifier: 1676	1	1
Process32NextW June 16, 2023, 7:20 a.m.	snapshot_handle: 0x000000000000039c process_name: pw.exe process_identifier: 2076	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00473c00', u'virtual_address': u'0x004bd000', u'entropy': 7.852833315098957, u'name': u'.vmp;""@', u'virtual_size': u'0x00473ba8'}

entropy

7.8528333151

description

A section with a high entropy has been found

entropy

0.968351741716

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

gate_011.exe

The executable is likely packed with VMProtect (3 events)

section	.vmp;""@	description	Section name indicates VMProtect
section	.vmp;""@	description	Section name indicates VMProtect
section	.vmp;""@	description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (1 event)

host

208.67.104.60

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Packed.VMProtect.R suspicious
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Badur
Avast	Win64:Evo-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win64.Generic.rc
FireEye	Generic.mg.dd0891b669fbe6d2
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:Trojan.Win32.Badur
AVG	Win64:Evo-gen [Trj]
DeepInstinct	MALICIOUS

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Disables Windows Security features (10 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CCABF61C-839F-488E-AE04-EACFD6BCB499}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

gate_011.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All