Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 17, 2023, 6:06 p.m.	June 17, 2023, 6:12 p.m.

Size	1.0MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`77d6c227485a414fd6676dc5a006a9cf`
SHA256	`61c9a03a1d0603b58bfc58651c06825acdb62afc621d1ed9ef2c6b73d0da5cdf`
CRC32	`8677FBA9`
ssdeep	`24576:EPjEdvLuFy/c4Ka75kH+EXGwDLzC4lt4woWYRemb3/C:Ujo2yDKa75kH+gvzz/4w9Y3`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) PE_Header_Zero - PE File Signature

steamrepairnet.exe "C:\Users\test22\AppData\Local\Temp\steamrepairnet.exe"
932

Name	Response	Post-Analysis Lookup
cdn.wmpvp.com	A 61.110.197.11 CNAME cdn.wmpvp.com.wsglb0.com A 14.0.113.205	14.0.113.205
new-service.biliapi.net	A 122.189.171.106 A 122.190.64.60 A 61.54.7.107 CNAME new-service.biliapi.net.cdn.dnsv1.com A 113.207.69.188 A 116.177.242.226 A 61.54.7.129 A 113.194.51.217 CNAME 488928.sched.sma.tdnsstic1.cn A 113.194.51.135 A 113.207.69.126 A 221.204.43.71 A 123.6.2.133 A 218.29.50.93 A 61.54.7.127	122.189.171.106

IP Address	Status	Action
113.207.69.188	Active	Moloch
14.0.113.205	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 113.207.69.188:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 14.0.113.205:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49165 113.207.69.188:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 DV TLS CA 2020	CN=*.biliapi.net	ce:3f:f7:0a:8d:37:1c:cb:b4:10:53:29:c8:51:cd:3b:7e:4e:5a:ed
TLS 1.2 192.168.56.103:49169 14.0.113.205:443	C=US, O=DigiCert, Inc., CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1	CN=*.wmpvp.com	7a:33:5f:6b:95:b3:9f:fa:cc:e0:8f:ee:6e:f9:c8:b9:1a:7e:1b:ac

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 17, 2023, 6:06 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (9 events)

Time & API	Arguments	Status	Return
bind June 17, 2023, 6:06 p.m.	ip_address: 127.0.0.1 socket: 220 port: 0	1	0
listen June 17, 2023, 6:06 p.m.	socket: 220 backlog: 1	1	0
accept June 17, 2023, 6:06 p.m.	ip_address: socket: 220 port: 0	1	228
bind June 17, 2023, 6:06 p.m.	ip_address: 127.0.0.1 socket: 220 port: 0	1	0
listen June 17, 2023, 6:06 p.m.	socket: 220 backlog: 1	1	0
accept June 17, 2023, 6:06 p.m.	ip_address: socket: 220 port: 0	1	236
bind June 17, 2023, 6:06 p.m.	ip_address: 127.0.0.1 socket: 492 port: 0	1	0
listen June 17, 2023, 6:06 p.m.	socket: 492 backlog: 1	1	0
accept June 17, 2023, 6:06 p.m.	ip_address: socket: 492 port: 0	1	496

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://new-service.biliapi.net/picture/chatres/update/version.txt
suspicious_features	GET method with no useragent header				suspicious_request	GET https://cdn.wmpvp.com/steamWeb/F24DCA1346594DF3B954684015A7C50F-1686833838173.pdf

Performs some HTTP requests (2 events)

request	GET https://new-service.biliapi.net/picture/chatres/update/version.txt
request	GET https://cdn.wmpvp.com/steamWeb/F24DCA1346594DF3B954684015A7C50F-1686833838173.pdf

Foreign language identified in PE resource (6 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000fffc8

size

0x000010a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000fffc8

size

0x000010a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000fffc8

size

0x000010a8

name

RT_RCDATA

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00101070

size

0x0000db6b

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010ebdc

size

0x00000030

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010ec0c

size

0x0000027c

Creates executable files on the filesystem (1 event)

file	C:\hid.dll

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

CrowdStrike	win/grayware_confidence_60% (D)
APEX	Malicious
McAfee-GW-Edition	BehavesLike.Win64.Generic.th
DeepInstinct	MALICIOUS

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00010200', u'virtual_address': u'0x000ff000', u'entropy': 7.867571231363807, u'name': u'.rsrc', u'virtual_size': u'0x00010165'}

entropy

7.86757123136

description

A section with a high entropy has been found

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress June 17, 2023, 6:06 p.m.	ordinal: 0 function_address: 0x0000000000379a08 function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0
LdrGetProcedureAddress June 17, 2023, 6:06 p.m.	ordinal: 0 function_address: 0x00000000003abe38 function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0

steamrepairnet.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All