Summary | ZeroBOX

build.exe

Tags: Vidar, UPX, Malicious Library, PE File, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6401
Started July 22, 2023, 9:40 p.m.
Completed July 22, 2023, 9:44 p.m.
Size 4.2MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 ed3809d571d4d52fa5bf9339b9750b27
SHA256 ac3e72d085e062564ec329377615d7188683c24e4e6744c75eb5be82eb91e132
CRC32 8DEBCC1B
ssdeep 98304:yqL5M17FDIAh1sbMIwFGvcJFfh3csYKH2SVlEZgxYvG+7brIFZIIffmyEiD0n48T:yqL5M1dI06bMIgGUP+KHx0exyG+7br4G
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
104.88.222.199 Active Moloch
116.203.7.113 Active Moloch
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49161 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49163 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 149.154.167.99:443 -> 192.168.56.101:49164 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 104.88.222.199:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 116.203.7.113:80 2027262 ET INFO Dotted Quad Host ZIP Request Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
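The alert table above is only useful once the rows are grouped per remote host: on their own, a Telegram SNI hit is noise and a TLS handshake failure is nothing, but the same destination carrying a t.me SNI, a blocklisted JA3 client fingerprint and a failed handshake, next to a ZIP download from a bare IP, is the shape of a stealer fetching its configuration and modules. The following Python triage pass is an added example, not code from the ZeroBOX report or from the sample's authors. It reads the alert lines in the same flattened layout the summary uses (reconstructed inline from the table above); the lab subnet prefix and the SID constants are taken from that table and are assumptions for any other sandbox.

```python
import re
from collections import defaultdict

# Alert lines constructed from the Suricata table above, in the summary's
# flattened layout: proto src -> dst sid signature-text category.
SAMPLE_ALERTS = """\
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49161 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49163 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 149.154.167.99:443 -> 192.168.56.101:49164 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 104.88.222.199:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 116.203.7.113:80 2027262 ET INFO Dotted Quad Host ZIP Request Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49161 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
"""

# Category strings the summary glues onto the end of the signature text.
CATEGORIES = ("Misc activity", "Potentially Bad Traffic", "undefined")

# SIDs as they appear in the table above.
SID_TELEGRAM_SNI = 2041933
SID_SSLBL_JA3 = 906200054
SID_DOTTED_QUAD_ZIP = 2027262
SID_TLS_HANDSHAKE_FAIL = 2029340

LAB_PREFIX = "192.168.56."  # assumption: the sandbox guest subnet seen in the flows

LINE_RE = re.compile(
    r"^(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<sid>\d+) (?P<rest>.+)$"
)


def parse_alert(line):
    """Split one flattened alert line into fields; returns None for header/non-alert lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest, category = m["rest"], "unknown"
    for cat in CATEGORIES:
        if rest.endswith(" " + cat):
            rest, category = rest[: -len(cat) - 1], cat
            break
    return {
        "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "sid": int(m["sid"]), "signature": rest, "category": category,
    }


def correlate(text):
    """Group alerts by remote endpoint (either direction) and turn SID combinations into findings."""
    per_remote = defaultdict(lambda: {"sids": set(), "lab_ports": set(), "hits": 0})
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        # Normalise direction so a server->client alert (the handshake failure)
        # lands on the same remote endpoint as the client->server alerts.
        if a["src"].startswith(LAB_PREFIX):
            remote, lab_port = (a["dst"], a["dport"]), a["sport"]
        else:
            remote, lab_port = (a["src"], a["sport"]), a["dport"]
        e = per_remote[remote]
        e["sids"].add(a["sid"])
        e["lab_ports"].add(lab_port)
        e["hits"] += 1

    findings = []
    for (ip, port), e in sorted(per_remote.items()):
        reasons = []
        if SID_TELEGRAM_SNI in e["sids"] and SID_SSLBL_JA3 in e["sids"]:
            reasons.append("t.me SNI and blocklisted JA3 on the same destination")
        elif SID_SSLBL_JA3 in e["sids"]:
            reasons.append("blocklisted JA3 client fingerprint")
        if SID_DOTTED_QUAD_ZIP in e["sids"]:
            reasons.append("ZIP fetched from a bare IP over HTTP")
        if SID_TLS_HANDSHAKE_FAIL in e["sids"]:
            reasons.append("at least one TLS handshake to this host failed")
        if reasons:
            findings.append({
                "remote": f"{ip}:{port}", "flows": len(e["lab_ports"]),
                "hits": e["hits"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_ALERTS):
        print(f["remote"], f["flows"], "flows,", f["hits"], "alerts:", "; ".join(f["reasons"]))
```

Two caveats when reading the output. The SSLBL rule names the family the JA3 fingerprint was first catalogued with (Tofsee here); the same TLS client stack is shared by several unrelated loaders and stealers, so treat the hit as "known-bad TLS client", not as a family attribution. And the t.me and steamcommunity.com requests in this report are what a Vidar-family stealer does to read its current C2 address from a public profile page, which is why an SNI that is harmless in isolation is worth correlating with the JA3 hit on the same destination.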

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49166 -> 104.88.222.199:443
Issuer C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA
Subject unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com
Fingerprint b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5

Time & API Arguments Status Return Repeated
GetComputerNameA computer_name: TEST22-PC 1 1 0
GetComputerNameA computer_name: TEST22-PC 1 1 0
GetComputerNameA computer_name: TEST22-PC 1 1 0

Time & API Arguments Status Return Repeated
WriteConsoleA buffer: alice sosal, console_handle: 0x00000007 1 1 0
WriteConsoleA buffer: alice sosal, console_handle: 0x00000007 1 1 0
WriteConsoleA buffer: alice sosal, console_handle: 0x00000007 1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
suspicious_features Connection to IP address suspicious_request GET http://116.203.7.113/ba898ce7ff6c6db9d00aca6445e5d347
suspicious_features Connection to IP address suspicious_request GET http://116.203.7.113/upgrade.zip
request GET http://116.203.7.113/ba898ce7ff6c6db9d00aca6445e5d347
request GET http://116.203.7.113/upgrade.zip
request GET https://steamcommunity.com/profiles/76561198982268531
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4296704
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00402000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2568
region_size: 995328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x61e00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\vcruntime140.dll
file C:\ProgramData\msvcp140.dll
file C:\ProgramData\nss3.dll
file C:\ProgramData\freebl3.dll
file C:\ProgramData\mozglue.dll
file C:\ProgramData\softokn3.dll
host 116.203.7.113
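Two things in the behaviour section carry most of the verdict. The NtProtectVirtualMemory call makes a 4,296,704-byte span starting at 0x00402000 (the region just above the default image base, roughly the size of the 4.2 MB file) writable and executable in the sample's own process, which is what an in-place unpacker such as UPX does before writing the real code over the packed image; the NtAllocateVirtualMemory call then adds a further RWX region. The six files written to C:\ProgramData are the Mozilla NSS/NSPR runtime (nss3.dll, freebl3.dll, mozglue.dll, softokn3.dll) plus the MSVC runtime it depends on, which browser-credential stealers stage so they can call NSS to decrypt Firefox's saved logins. The triage below is an added example, not code from the ZeroBOX report; it parses the API records in the key-per-line layout the sandbox emits (reconstructed inline from the records above) and the dropped-file list, and the 1 MiB "whole image" threshold and the in-place-unpack reading are the editor's assumptions.

```python
# Behaviour records constructed from the report above, in the key-per-line
# layout the sandbox emits for each API call (blank line between records).
SAMPLE_API_TRACE = """\
NtProtectVirtualMemory
process_identifier: 2568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4296704
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00402000
process_handle: 0xffffffff

NtAllocateVirtualMemory
process_identifier: 2568
region_size: 995328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x61e00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
"""

# Dropped-file paths copied from the report above.
SAMPLE_DROPPED_FILES = [
    r"C:\ProgramData\vcruntime140.dll",
    r"C:\ProgramData\msvcp140.dll",
    r"C:\ProgramData\nss3.dll",
    r"C:\ProgramData\freebl3.dll",
    r"C:\ProgramData\mozglue.dll",
    r"C:\ProgramData\softokn3.dll",
]

PAGE_EXECUTE_READWRITE = 0x40
CURRENT_PROCESS_PSEUDO_HANDLE = "0xffffffff"  # NtCurrentProcess() as logged on 32-bit
MEMORY_APIS = {"NtProtectVirtualMemory", "NtAllocateVirtualMemory", "VirtualProtect", "VirtualAlloc"}
# Mozilla NSS/NSPR runtime that stealers stage to decrypt Firefox's key4.db / logins.json.
FIREFOX_NSS_SET = {"nss3.dll", "freebl3.dll", "mozglue.dll", "softokn3.dll"}
MSVC_RUNTIME_SET = {"vcruntime140.dll", "msvcp140.dll"}
BIG_REGION = 1 << 20  # assumption: >= 1 MiB of RWX is a whole image, not a small stub


def parse_api_trace(text):
    """Turn blank-line-separated key: value blocks into dicts; the first line is the API name."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l.strip()]
        rec = {"api": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def _num(value):
    """Parse '64 (PAGE_EXECUTE_READWRITE)', '0x00402000' or '4296704' to an int."""
    return int(value.split()[0], 0)


def rwx_regions(records):
    """Memory calls that leave a region writable and executable, with who owns it and how big."""
    out = []
    for r in records:
        if r["api"] not in MEMORY_APIS or _num(r.get("protection", "0")) != PAGE_EXECUTE_READWRITE:
            continue
        out.append({
            "api": r["api"],
            "base": _num(r.get("base_address", "0")),
            "size": _num(r.get("length") or r.get("region_size") or "0"),
            "self": r.get("process_handle") == CURRENT_PROCESS_PSEUDO_HANDLE,
            "pid": int(r.get("process_identifier", "0")),
        })
    return out


def classify_dropped(paths):
    """Check the dropped-file set for the NSS decryption runtime and its staging location."""
    names = {p.rsplit("\\", 1)[-1].lower() for p in paths}
    return {
        "firefox_nss_runtime": FIREFOX_NSS_SET <= names,
        "msvc_runtime": MSVC_RUNTIME_SET <= names,
        "all_in_programdata": all(p.lower().startswith("c:\\programdata\\") for p in paths),
    }


def triage(api_text, dropped_paths):
    rwx = rwx_regions(parse_api_trace(api_text))
    files = classify_dropped(dropped_paths)
    verdict = []
    if any(e["self"] and e["size"] >= BIG_REGION for e in rwx):
        verdict.append("multi-MiB RWX region in own process: in-place unpacking (consistent with the UPX tag)")
    if files["firefox_nss_runtime"] and files["all_in_programdata"]:
        verdict.append("Firefox NSS decryption runtime staged in C:\\ProgramData: browser-credential theft capability")
    return {"rwx": rwx, "files": files, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_API_TRACE, SAMPLE_DROPPED_FILES)
    for e in result["rwx"]:
        print(f"{e['api']}: base=0x{e['base']:08x} size={e['size']} self={e['self']}")
    for v in result["verdict"]:
        print("-", v)
```

The DLL names alone are not a signal: Firefox, Thunderbird and Tor Browser ship exactly these libraries. What makes them a finding here is that a console executable with no Mozilla lineage wrote them into the root of C:\ProgramData, and that the MachineGuid read and the GetComputerNameA calls above sit beside them, which is the victim-fingerprinting a stealer performs before uploading the decrypted credentials.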
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
FireEye Generic.mg.ed3809d571d4d52f
Malwarebytes Spyware.RedLineStealer
CrowdStrike win/malicious_confidence_100% (W)
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.GMBA
APEX Malicious
Cynet Malicious (score: 100)
Avast Win32:PWSX-gen [Trj]
Trapmine malicious.moderate.ml.score
SentinelOne Static AI - Suspicious PE
Google Detected
Cylance unsafe
Rising Backdoor.Agent!8.C5D (TFE:5:TmDVI2xbRDB)
Ikarus Trojan.Win32.Krypt
Fortinet W32/Kryptik.HUBJ!tr
AVG Win32:PWSX-gen [Trj]
DeepInstinct MALICIOUS
process build.exe useragent Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
process build.exe useragent Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9