Summary | ZeroBOX

install.exe

UPX PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 11, 2023, 5:54 p.m. Sept. 11, 2023, 5:58 p.m.
Size 1.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c9a2e54e8501a2f6dd57255225999b40
SHA256 e2b8091be64890dacb851ae14b76723cff23b48048ec29c7eb5754ed2c89d5c4
CRC32 43CA724B
ssdeep 24576:eCcJMTx/DszjipRnGKKfiqTJ7WGorsWTnkKRzjIKue1kJIBfFRVzv:UJAx/Dsz2NAi4wbpL3lfueW2FR
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
pastebin.com 172.67.34.170

IP Address Status Action
164.124.101.2 Active Moloch
172.67.34.170 Active Moloch
195.58.51.109 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49178 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49169 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49171 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49181 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49179 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49176 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49173 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49180 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49174 -> 172.67.34.170:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLS 1.2 192.168.56.101:49165 -> 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.101:49178 -> 172.67.34.170:443 | None | None | None
TLS 1.2 192.168.56.101:49168 -> 172.67.34.170:443 | None | None | None
TLS 1.2 192.168.56.101:49170 -> 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.101:49177 -> 172.67.34.170:443 | None | None | None
TLS 1.2 192.168.56.101:49171 -> 172.67.34.170:443 | None | None | None
TLS 1.2 192.168.56.101:49181 -> 172.67.34.170:443 | None | None | None
TLS 1.2 192.168.56.101:49179 -> 172.67.34.170:443 | None | None | None
TLS 1.2 192.168.56.101:49176 -> 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.101:49173 -> 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.101:49169 -> 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.101:49180 -> 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.101:49174 -> 172.67.34.170:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f

Time & API Arguments Status Return Repeated

GetComputerNameW
computer_name: TEST22-PC
1 1 0

WriteConsoleW
buffer: SUCCESS: The scheduled task "mdconfig_01" has successfully been created.
console_handle: 0x00000007
1 1 0
section \x00
section .idata
section
section biyclhoc
section ydkemxvc
suspicious_features GET method with no useragent header
suspicious_request GET https://pastebin.com/raw/pdRjLLjy
request GET https://pastebin.com/raw/pdRjLLjy
cmdline schtasks /create /f /sc onlogon /rl highest /tn "mdconfig_01" /tr '"C:\Users\test22\AppData\Roaming\mdconfig_01.exe"'
section ' \x00 ' (size_of_data 0x00008800, virtual_address 0x00002000, virtual_size 0x00012000, entropy 7.9688270567333594) description A section with a high entropy has been found
section 'biyclhoc' (size_of_data 0x0013de00, virtual_address 0x00234000, virtual_size 0x0013e000, entropy 7.952969592314331) description A section with a high entropy has been found
entropy 0.997326203209 description Overall entropy of this PE file is high
host 195.58.51.109
dead_host 195.58.51.109:4449

Antivirus Detection

Vendor Result
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Darkrat.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.483087
FireEye Generic.mg.c9a2e54e8501a2f6
ALYac Gen:Variant.Zusy.483087
Malwarebytes Generic.Malware.AI.DDS
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Zusy.D75F0F
BitDefenderTheta Gen:NN.ZexaF.36662.sz0aa0kM5rd
Cyren W32/Themida.B.gen!Eldorado
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Win32/Packed.Themida.BEK
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky UDS:Trojan.Win32.DInvoke.gen
BitDefender Gen:Variant.Zusy.483087
Avast Win32:Malware-gen
Tencent Win32.Risktool.Generic.Osmw
Emsisoft Gen:Variant.Zusy.483087 (B)
F-Secure Heuristic.HEUR/AGEN.1313458
VIPRE Gen:Variant.Zusy.483087
McAfee-GW-Edition BehavesLike.Win32.Generic.tc
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Avira HEUR/AGEN.1313458
MAX malware (ai score=80)
Gridinsoft Trojan.Heur!.038100A1
Microsoft Backdoor:Win32/Bladabindi!ml
ZoneAlarm UDS:Trojan.Win32.DInvoke.gen
GData Gen:Variant.Zusy.483087
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5473877
McAfee Artemis!C9A2E54E8501
Cylance unsafe
Zoner Probably Heur.ExeHeaderL
Rising Trojan.Generic@AI.100 (RDML:wCt8w7kFjG/5ff5IKkx3YQ)
Ikarus Trojan.Win32.Themida
AVG Win32:Malware-gen
DeepInstinct MALICIOUS