Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 10, 2023, 7:45 a.m.	July 10, 2023, 7:53 a.m.

Size	210.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`484ba824bee1da806d39dd7c902b5110`
SHA256	`959b84bd323f73783b6d1ad4bb8d05b04d10a15809d251cbdea7ef18fe202b0b`
CRC32	`46EE225D`
ssdeep	`3072:/PDOEk3kKqUa9antF5hvvJkeXp2QhHkKqUa9antF5hvvJkeXp:HeUKq99UF5hvvfjhEKq99UF5hvvf`
PDB Path	cleanmgr.pdb
Yara	UPX_Zero - UPX packed file IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer

okka25.exe "C:\Users\test22\AppData\Local\Temp\okka25.exe"
1872

Name	Response	Post-Analysis Lookup
aa.imgjeoogbb.com	A 154.221.26.108	154.221.26.108
us.imgjeoigaa.com	A 103.100.211.218	103.100.211.218

IP Address	Status	Action
103.100.211.218	Active	Moloch
154.221.26.108	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 154.221.26.108:80	2045057	ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

cleanmgr.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

MUI

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://aa.imgjeoogbb.com/check/?sid=332560&key=252f82d98dac61a4deedfdc4cb61b177

Performs some HTTP requests (3 events)

request	GET http://us.imgjeoigaa.com/sts/imagc.jpg
request	GET http://aa.imgjeoogbb.com/check/safe
request	POST http://aa.imgjeoogbb.com/check/?sid=332560&key=252f82d98dac61a4deedfdc4cb61b177

Sends data using the HTTP POST Method (1 event)

request

POST http://aa.imgjeoogbb.com/check/?sid=332560&key=252f82d98dac61a4deedfdc4cb61b177

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 10, 2023, 7:45 a.m.	process_identifier: 1872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000ff455000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 10, 2023, 7:45 a.m.	process_identifier: 1872 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 10, 2023, 7:45 a.m.	process_identifier: 1872 region_size: 1249280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (50 out of 105 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 58\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 38\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 72\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 81\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 47\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 41\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 56\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 32\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 19\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 30\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 95\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 70\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 94\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 68\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 90\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 29\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 91\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 10\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 96\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 46\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 89\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 100\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 66\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 98\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 75\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 86\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 87\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 14\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 82\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 43\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 77\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 61\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 104\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 67\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 33\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 102\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 99\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 16\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 71\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 42\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 54\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 60\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 48\Network\Cookies

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 10, 2023, 7:45 a.m.	flags: 15 family: 0		111	0

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Cylance	unsafe
VirIT	Trojan.Win64.Agent.UC
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.DGHZGFB
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Fabookie.bst
Avast	FileRepMalware [Misc]
Rising	Downloader.Agent!8.B23 (TFE:2:EmnL0dJ0FNC)
DrWeb	Trojan.PWS.Facebook.196
TrendMicro	Trojan.Win64.PRIVATELOADER.YXDGIZ
Sophos	Mal/Generic-S
ZoneAlarm	UDS:Trojan.Win32.Fabookie.bst
Microsoft	Trojan:Win32/Wacatac.B!ml
AVG	FileRepMalware [Misc]

okka25.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All