Summary | ZeroBOX

Firefox_Installer.exe

Tags: NSIS, Generic Malware, UPX, Malicious Library, PE File, DLL, OS Processor Check, PE32, JPEG Format

Category:   FILE
Machine:    s1_win7_x6402
Started:    Sept. 19, 2023, 10:29 a.m.
Completed:  Sept. 19, 2023, 10:32 a.m.

Size:    341.9KB
Type:    PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:     655878c402fe774ad4af71d78ea7d30f
SHA256:  95b3ca4e561980e5c145b4d327799b8a1a3c545fc35e9692cc721b1dbeb93c45
CRC32:   50B0606E
ssdeep:  6144:maVWdyzOxeA1DfdwX3MmIOiqIRiuDN+L6WiEK5BfBG69AWsY2XITpJ7C5Y5+68:mMROxdDfOnMmXjEp+L6WifD5reRY/Tp+
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
164.124.101.2 Active Moloch
54.230.176.24 Active Moloch

Suricata Alerts

Flow:       TCP 192.168.56.102:49164 -> 54.230.176.24:443
SID:        906200054
Signature:  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category:   (not recorded)

A JA3 rule matches the hash of the client's TLS ClientHello parameters (version, cipher suites, extensions, elliptic curves, point formats). It therefore describes the TLS stack that opened the connection, not the server or the payload, and unrelated clients can share a hash. The same flow appears in the TLS log below with a certificate for product-details.mozilla.org, the host the installer's firefox_versions.json request goes to; corroborate the hit against the destination and the originating process before treating it as a Tofsee detection.

Suricata TLS

Flow:         TLSv1 192.168.56.102:49164 -> 54.230.176.24:443
Issuer:       C=US, O=Amazon, CN=Amazon RSA 2048 M01
Subject:      CN=product-details.mozilla.org
Fingerprint:  e9:f8:03:a4:e1:6f:d5:ec:46:21:f9:10:29:45:9b:85:f5:b4:87:e0 (SHA-1 of the server certificate)

Time & API          Arguments   Status/Return/Repeated
IsDebuggerPresent   (none)      0 0

file      C:\Program Files\Mozilla Firefox\nsp4D61.tmp\
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\105.0.1 (x64 en-US)\Main\PathToExe
Time & API             Arguments   Status  Return  Repeated
GlobalMemoryStatusEx   (none)      1       1       0

packer   UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
request  GET https://product-details.mozilla.org/1.0/firefox_versions.json
Time & API: NtProtectVirtualMemory
(every call below: stack_dep_bypass 0, stack_pivoted 0, process_handle 0xffffffff, Status 1, Return 0, Repeated 0)

process_identifier  base_address  length  protection                   heap_dep_bypass  calls
3044                0x741f2000    4096    64 (PAGE_EXECUTE_READWRITE)  0                1
3044                0x74263000    4096    64 (PAGE_EXECUTE_READWRITE)  0                1
2200                0x73ec5000    4096    64 (PAGE_EXECUTE_READWRITE)  0                1
2200                0x741f2000    4096    64 (PAGE_EXECUTE_READWRITE)  0                1
2200                0x04900000    4096    64 (PAGE_EXECUTE_READWRITE)  1                6
2200                0x04901000    4096    64 (PAGE_EXECUTE_READWRITE)  1                1

process_handle 0xffffffff is the current-process pseudo-handle (the value GetCurrentProcess returns), so each of these calls changes page protections inside the calling process itself; none of them targets another process. Return 0 is STATUS_SUCCESS.
Time & API: GetDiskFreeSpaceExW (2 calls with identical arguments; Status 1, Return 1, Repeated 0)

root_path                   C:\Program Files\Mozilla Firefox\
total_number_of_bytes       34252779520
total_number_of_free_bytes  9120813056
free_bytes_available        9120813056
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\105.0.1 (x64 en-US)\Main\PathToExe
registry  HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\105.0.1 (x64 en-US)\Main
registry  HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox

file  C:\Users\test22\AppData\Local\Temp\7zS4EBD3D2D\setup-stub.exe
file  C:\Users\test22\AppData\Local\Temp\nsu4D31.tmp\CityHash.dll
file  C:\Users\test22\AppData\Local\Temp\nsu4D31.tmp\InetBgDL.dll
file  C:\Users\test22\AppData\Local\Temp\nsu4D31.tmp\nsJSON.dll
file  C:\Users\test22\AppData\Local\Temp\nsu4D31.tmp\System.dll
file  C:\Users\test22\AppData\Local\Temp\nsu4D31.tmp\UAC.dll
file  C:\Users\test22\AppData\Local\Temp\nsu4D31.tmp\UserInfo.dll
file  C:\Users\test22\AppData\Local\Temp\nsu4D31.tmp\WebBrowser.dll
file  C:\Users\test22\AppData\Local\Temp\nsu4D31.tmp\profile_cleanup.js
file  C:\Users\test22\AppData\Local\Temp\nsu4D31.tmp\stub_common.js

The %TEMP%\7zS<hex> directory is where a 7-Zip self-extracting archive unpacks its payload, and %TEMP%\ns<hex>.tmp is the per-run $PLUGINSDIR that an NSIS installer creates for its plug-in DLLs (System.dll, nsJSON.dll, InetBgDL.dll, UAC.dll and UserInfo.dll are NSIS plug-ins). Which binaries land there, and whether they are signed, is what to check when deciding whether this is the stock installer or a tampered one.
Time & API: NtProtectVirtualMemory

process_identifier  base_address  length  protection         heap_dep_bypass  stack_dep_bypass  stack_pivoted  process_handle  Status  Return  Repeated
2200                0x04900000    4096    16 (PAGE_EXECUTE)  1                0                 0              0xffffffff      1       0       0

This is the same 4 KiB page at 0x04900000 in PID 2200 that was set to 64 (PAGE_EXECUTE_READWRITE) six times earlier in the trace, and the only region whose calls carry heap_dep_bypass: 1. Writing into an RWX page and then dropping it to PAGE_EXECUTE is the write-then-execute sequence that unpacking stubs, JIT engines and self-decrypting loaders all produce, so on its own it is a triage lead rather than a verdict.
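The write-then-execute pattern in the NtProtectVirtualMemory trace above, as detection logic over API-call records. This is an added example, not part of the ZeroBOX report or the Cuckoo monitor; the records are constructed to mirror the PIDs, base addresses and protection values shown in the trace, and the ProtectCall record type and function names are this example's own.

```python
"""Added example: flag pages whose protection goes from writable to
executable-but-not-writable within one process, as 0x04900000 in PID 2200 does
in the trace above. Constructed records, not sandbox output."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Win32 memory-protection constants; the trace prints them in decimal (64, 16)
PAGE_READWRITE, PAGE_WRITECOPY = 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
CURRENT_PROCESS = 0xFFFFFFFF      # pseudo-handle returned by GetCurrentProcess
PAGE_SIZE = 0x1000


@dataclass(frozen=True)
class ProtectCall:
    """One NtProtectVirtualMemory record (hypothetical record type for this example)."""
    pid: int
    base: int
    length: int
    protection: int
    process_handle: int = CURRENT_PROCESS


def pages_of(call: ProtectCall) -> range:
    """Page-aligned start addresses covered by the call."""
    start = call.base & ~(PAGE_SIZE - 1)
    return range(start, call.base + call.length, PAGE_SIZE)


def find_w_to_x(calls: Iterable[ProtectCall]) -> List[Tuple[int, int, int, int]]:
    """Return (pid, page, previous_protection, new_protection) for each page that
    was writable and is then made executable without write access in the same
    process: the moment freshly written bytes are turned into code."""
    last: Dict[Tuple[int, int], int] = {}
    hits = []
    for c in calls:
        for page in pages_of(c):
            key = (c.pid, page)
            prev = last.get(key)
            becomes_x_only = bool(c.protection & EXECUTABLE) and not (c.protection & WRITABLE)
            if prev is not None and (prev & WRITABLE) and becomes_x_only:
                hits.append((c.pid, page, prev, c.protection))
            last[key] = c.protection
    return hits


def rwx_requests(calls: Iterable[ProtectCall]) -> Counter:
    """Count PAGE_EXECUTE_READWRITE requests per (pid, base), as in the table above."""
    return Counter((c.pid, c.base) for c in calls if c.protection == PAGE_EXECUTE_READWRITE)


def cross_process(calls: Iterable[ProtectCall]) -> List[ProtectCall]:
    """Calls whose handle is not the current-process pseudo-handle. The trace
    above has none, which rules out remote injection through this API here."""
    return [c for c in calls if c.process_handle != CURRENT_PROCESS]


# Constructed trace mirroring the report: two DLL-range RWX flips in PID 3044,
# two in PID 2200, six RWX requests on the 0x04900000 page plus one on
# 0x04901000, then the final drop of 0x04900000 to PAGE_EXECUTE.
SAMPLE_TRACE = [
    ProtectCall(3044, 0x741F2000, 4096, PAGE_EXECUTE_READWRITE),
    ProtectCall(3044, 0x74263000, 4096, PAGE_EXECUTE_READWRITE),
    ProtectCall(2200, 0x73EC5000, 4096, PAGE_EXECUTE_READWRITE),
    ProtectCall(2200, 0x741F2000, 4096, PAGE_EXECUTE_READWRITE),
    *[ProtectCall(2200, 0x04900000, 4096, PAGE_EXECUTE_READWRITE) for _ in range(6)],
    ProtectCall(2200, 0x04901000, 4096, PAGE_EXECUTE_READWRITE),
    ProtectCall(2200, 0x04900000, 4096, PAGE_EXECUTE),
]

if __name__ == "__main__":
    for pid, page, old, new in find_w_to_x(SAMPLE_TRACE):
        print(f"pid {pid}: page 0x{page:08x} went 0x{old:02x} -> 0x{new:02x} (write-then-execute)")
    print("RWX requests per region:", dict(rwx_requests(SAMPLE_TRACE)))
    print("cross-process calls:", len(cross_process(SAMPLE_TRACE)))
```

Only the final PAGE_EXECUTE call on 0x04900000 is reported; the repeated RWX requests on the same page and the RWX flips inside the DLL ranges are counted but not flagged, because a page that stays writable has not yet been committed as code. Feed real records in the same shape to `find_w_to_x` and `cross_process` to get the same two answers for any trace.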
Section  virtual_address  virtual_size  size_of_data  entropy            description
UPX1     0x00025000       0x00011000    0x00010200    7.877993042803192  A section with a high entropy has been found
.rsrc    0x00036000       0x00010000    0x0000fc00    7.527250363417489  A section with a high entropy has been found

entropy  1.0   Overall entropy of this PE file is high
section  UPX0  Section name indicates UPX
section  UPX1  Section name indicates UPX
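The two section-level checks behind the lines above (a section with Shannon entropy above the packer threshold, and a section name that marks UPX), reimplemented so they can be run against any PE. This is an added example, not ZeroBOX's or Cuckoo's code; it parses the PE section table with the standard library only and, so that it runs offline, analyses a minimal PE image constructed in memory rather than the sample from this report. The 7.0 bits-per-byte threshold and the function names are this example's choices.

```python
"""Added example: per-section Shannon entropy and UPX section-name checks over
an in-memory PE image. Standard library only; the test image is constructed
here and is not the report's sample."""
import math
import random
import struct
from typing import Dict, List, Tuple

HIGH_ENTROPY = 7.0                    # bits per byte; the maximum is 8.0
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, int, int, bytes]]:
    """Walk the section table of a PE image held in memory.

    Returns (name, virtual_address, virtual_size, raw_bytes) per section; only
    the header fields needed to locate each section's raw data are decoded."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    number_of_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional_header           # first IMAGE_SECTION_HEADER
    out = []
    for i in range(number_of_sections):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        out.append((name, va, vsize, image[raw_ptr:raw_ptr + raw_size]))
    return out


def packer_indicators(image: bytes) -> Dict[str, object]:
    """Reproduce the report's verdicts: high-entropy sections, UPX-named sections
    and the share of section data that is high entropy (1.0 when all of it is)."""
    high, upx, total, high_bytes = [], [], 0, 0
    for name, _va, _vsize, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        total += len(raw)
        if ent >= HIGH_ENTROPY:
            high.append((name, round(ent, 3)))
            high_bytes += len(raw)
        if name in UPX_SECTION_NAMES:
            upx.append(name)
    return {"high_entropy_sections": high, "upx_sections": upx,
            "high_entropy_ratio": high_bytes / total if total else 0.0}


def build_sample_pe() -> bytes:
    """Constructed test image: MZ and PE headers plus two sections, UPX0
    zero-filled (as the unpacked region is on disk) and UPX1 filled from a
    seeded PRNG so its entropy is close to 8 bits per byte. Deterministic."""
    rng = random.Random(2023)
    upx0 = bytes(0x200)
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x1000))
    headers_len, opt_len = 0x400, 0xE0                    # PE32 optional header size

    def section_header(name: bytes, va: int, vsize: int, raw_ptr: int, raw: bytes) -> bytes:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # unused reloc/linenumber fields, Characteristics = CODE|EXECUTE|READ|WRITE
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, 0xE0000020)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_len, 0x0102)  # i386, 2 sections
    table = (section_header(b"UPX0", 0x1000, 0x24000, headers_len, upx0) +
             section_header(b"UPX1", 0x25000, 0x11000, headers_len + len(upx0), upx1))
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt_len) + table
    return headers.ljust(headers_len, b"\0") + upx0 + upx1


if __name__ == "__main__":
    for key, value in packer_indicators(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it on a file, replace `build_sample_pe()` with the bytes of the PE (`open(path, "rb").read()`). High entropy on its own means compressed or encrypted data, which describes UPX-packed goodware as readily as packed malware; the report's own UPX identification (packer UPX 2.90) is the cue to unpack first and judge the unpacked image.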