Summary | ZeroBOX

svchost.exe

Malicious Library UPX OS Processor Check PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6401 June 27, 2023, 7:30 a.m. June 27, 2023, 7:35 a.m.
Size 2.9MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1fb72647665a1635f4fbef1430d43279
SHA256 c21c505650cd2b99a23f1cebb6cbd544552c02d9334460c72aadf436d68cdab1
CRC32 26FB9CBD
ssdeep 49152:VN+1VxCkbPBzS7ULCbGyDboE8wrupidLNDNVeC1T5nY5tHfswXNWoUr3EHDMYCpk:SlpDBzS7UL+G3q5V7y5JB9WBUHIYCpsT
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

IP Address Status Action
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
23.210.138.32 Active Moloch
5.75.142.250 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49161 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 149.154.167.99:443 -> 192.168.56.101:49164 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49163 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49166 -> 23.210.138.32:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49166 -> 23.210.138.32:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: 8b 50 04 29 55 fc 8b 08 03 4d 08 57 56 83 c0 08
exception.symbol: RtlDeleteTimerQueueEx+0x644 RtlCutoverTimeToSystemTime-0x46 ntdll+0x7486a
exception.instruction: mov edx, dword ptr [eax + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000006
exception.offset: 477290
exception.address: 0x76f8486a
registers.esp: 1981048
registers.edi: 0
registers.eax: 1346199552
registers.ebp: 1981072
registers.edx: 1346199552
registers.ebx: 268435456
registers.esi: 1076887552
registers.ecx: 22624
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://5.75.142.250/958f564fa564ae293605c0c6d8cb4c20
request GET http://5.75.142.250/958f564fa564ae293605c0c6d8cb4c20
request GET https://steamcommunity.com/profiles/76561199235044780
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007e0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 995328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x61e00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\ProgramData\vcruntime140.dll
file C:\ProgramData\msvcp140.dll
file C:\ProgramData\nss3.dll
file C:\ProgramData\freebl3.dll
file C:\ProgramData\mozglue.dll
file C:\ProgramData\softokn3.dll
section {u'size_of_data': u'0x00291600', u'virtual_address': u'0x0004f000', u'entropy': 7.998651357179907, u'name': u'.data', u'virtual_size': u'0x002a4d84'} entropy 7.99865135718 description A section with a high entropy has been found
entropy 0.886846543002 description Overall entropy of this PE file is high
host 5.75.142.250
process svchost.exe useragent Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
process svchost.exe useragent Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD91D; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.124 Safari/537.36
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Stealer.12!c
MicroWorld-eScan Gen:Trojan.Heur.JP.5sW@aGmZVmk
FireEye Generic.mg.1fb72647665a1635
ALYac Gen:Trojan.Heur.JP.5sW@aGmZVmk
Malwarebytes Malware.AI.3362036860
Sangfor Trojan.Win32.Save.a
Alibaba TrojanPSW:Win32/Stealer.d559462e
Cybereason malicious.7665a1
Arcabit Trojan.Heur.JP.ED184C6
BitDefenderTheta AI:Packer.BA0977B91E
Cyren W32/Agent.GHQ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic Windows.Trojan.Vidar
ESET-NOD32 a variant of Win32/PSW.Agent.ONW
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky Trojan-PSW.Win32.Stealer.bopm
BitDefender Gen:Trojan.Heur.JP.5sW@aGmZVmk
Avast Win32:PWSX-gen [Trj]
Tencent Win32.Trojan-QQPass.QQRob.Wylw
Emsisoft Gen:Trojan.Heur.JP.5sW@aGmZVmk (B)
F-Secure Trojan.TR/ATRAPS.Gen4
VIPRE Gen:Trojan.Heur.JP.5sW@aGmZVmk
TrendMicro TrojanSpy.Win32.VIDAR.YXDFWZ
McAfee-GW-Edition BehavesLike.Win32.Generic.vc
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Avira TR/ATRAPS.Gen4
Antiy-AVL Trojan[PSW]/Win32.Stealer
Microsoft Trojan:Win32/Vidar.JNB!MTB
ZoneAlarm Trojan-PSW.Win32.Stealer.bopm
GData Win32.Trojan-Stealer.Arkei.H4AWWK
Google Detected
AhnLab-V3 Trojan/Win.Vidar.R588668
McAfee Artemis!1FB72647665A
MAX malware (ai score=83)
VBA32 BScope.TrojanPSW.Stealer
Cylance unsafe
Panda Trj/Genetic.gen
TrendMicro-HouseCall TrojanSpy.Win32.VIDAR.YXDFWZ
Rising Stealer.Agent!8.C2 (TFE:5:AvQdEuhLBi)
Ikarus Trojan-PSW.Agent
Fortinet W32/Agent.ONW!tr.pws
AVG Win32:PWSX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)