Summary | ZeroBOX

5.exe

Emotet, Generic Malware, UPX, Malicious Library, PE File, OS Processor Check, PE32

Category FILE
Machine s1_win7_x6401
Started Aug. 8, 2023, 9:09 a.m.
Completed Aug. 8, 2023, 9:16 a.m.
Size 2.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 82cf051811579ee4f1d9978af52f12db
SHA256 2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb
CRC32 0B5CB128
ssdeep 49152:M32RUvjn/TCGDQiMDpU/Sb8HDWSrbmnidPtrmEKhPlGRr4g0aQ7svt/:nyn/+GDhOcSb8HDhrK8rtGlGRr4+
PDB Path none
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware

IP Address Status Action
104.26.9.237 Active Moloch
121.254.136.57 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
All 23 alerts are identical apart from the client source port. Each is a TCP flow from 192.168.56.101 to 104.26.9.237:443 matching SID 906200054, signature "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)", category undefined. Client source ports: 49161, 49164, 49166, 49167, 49168, 49169, 49170, 49171, 49172, 49173, 49174, 49175, 49176, 49177, 49178, 49179, 49180, 49181, 49182, 49183, 49184, 49185, 49186.

A JA3 hash fingerprints the parameters of the client's TLS ClientHello, not the destination, so this match indicates a TLS client stack that SSLBL associates with Tofsee samples; the server certificate presented on these flows (see Suricata TLS below) was issued for doi.org.

Suricata TLS

Flow Issuer Subject Fingerprint
All 23 flows (192.168.56.101 -> 104.26.9.237:443, the same client source ports listed under Suricata Alerts) negotiated TLSv1 and were presented the same server certificate:
Issuer C=US, O=Let's Encrypt, CN=R3
Subject CN=doi.org
Fingerprint 0a:f8:a3:93:58:7d:14:24:a2:12:c6:8c:60:a2:28:a0:d5:c9:08:55

Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx (no arguments) 1 1 0
GetAdaptersAddresses flags: 15, family: 0 111 0

Network request GET http://apps.identrust.com/roots/dstrootcax3.p7c
This URL is the CA Issuers (AIA) location carried by Let's Encrypt's DST Root CA X3 cross-signed intermediate, so the fetch is consistent with Windows CryptoAPI building the chain for the doi.org certificate seen in the TLS section rather than with a download initiated by the sample itself.

Antivirus

Bkav W32.AIDetectMalware
Sangfor Trojan.Win32.Agent.V8pc
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
NANO-Antivirus Virus.Win32.Gen.ccmw
Avast FileRepMalware [Misc]
McAfee-GW-Edition Artemis!Trojan
Ikarus Trojan-Dropper.Win32.Autoit
ZoneAlarm UDS:DangerousObject.Multi.Generic
Microsoft Trojan:Script/Phonzy.B!ml
Google Detected
McAfee Artemis!82CF05181157
VBA32 BScope.Backdoor.Remcos
AVG FileRepMalware [Misc]
DeepInstinct MALICIOUS