Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 23, 2023, 9:29 a.m.	Sept. 23, 2023, 9:36 a.m.

Size	4.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e8a7ed6986b1178188c27b9761f39762`
SHA256	`e7df475c90b173430ea4bc85e2006a7e03b7ada50323c1e9fc6dc85d6265a18f`
CRC32	`7AF9393A`
ssdeep	`98304:B3CNpyBPtb7dRfe/HEkxUzTFDxbIVZNjn98ftpkHf:B2Itb7dRfe/HEeUzTXYbu7`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware

App1234.exe "C:\Users\test22\AppData\Local\Temp\App1234.exe"
872

Name	Response	Post-Analysis Lookup
o4505838714748928.ingest.sentry.io	A 34.120.195.249	34.120.195.249
cacerts.digicert.com	CNAME fp2e7a.wpc.2be4.phicdn.net CNAME fp2e7a.wpc.phicdn.net A 152.195.38.76	152.195.38.76
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.26.4.15	Active	Moloch
152.195.38.76	Active	Moloch
164.124.101.2	Active	Moloch
174.138.6.99	Active	Moloch
34.120.195.249	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 104.26.4.15:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49162 -> 34.120.195.249:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 174.138.6.99:8880	2039097	ET HUNTING PNG in HTTP POST (Outbound)	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49164 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	14:d1:82:6d:f5:6d:75:19:f1:c8:06:f3:b0:28:0a:2e:a8:63:c5:8b
TLS 1.2 192.168.56.103:49162 34.120.195.249:443	C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=Sentry, CN=ingest.sentry.io	e6:02:79:bf:9c:ef:53:c1:5d:ba:58:f5:2b:59:51:19:ee:9d:70:91

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 23, 2023, 9:29 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 23, 2023, 9:29 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://api.db-ip.com/v2/free/self

Performs some HTTP requests (2 events)

request	GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
request	GET https://api.db-ip.com/v2/free/self

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 23, 2023, 9:29 a.m.	total_number_of_free_bytes: 9930461184 free_bytes_available: 0 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Sept. 23, 2023, 9:29 a.m.	total_number_of_free_bytes: 9930461184 free_bytes_available: 0 root_path: C:\ total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (50 out of 150 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbdaocneiiinmjbjlgalhcelgbejmnid
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpglfhgfnhbgpjdenjgmdgoeiappafln
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbmnnijcnlegkjjpcfjclmcfggfefdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnfanknocfeofbddgcijnmhnfnkdnaad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjelfplplebdjjenllpjcblmjkfcffne
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkddgncdjgjfcddamfgcmfnlhccnimig
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\phkbamefinggmakgklpkljjmgibohnba
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\egjidjbpglichdcondbcbdnbeeppgdph
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdadjkfkgcafgbceimcpbkalnfnepbnk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\afbcbjpbpfadlkmhmclhkeeodmamcflc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM MSAcpi_ThermalZoneTemperature

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 23, 2023, 9:29 a.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (1 event)

host

174.138.6.99

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 23, 2023, 9:29 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Local\Thunderbird\Profiles\hzkyl8yo.default

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Trojan.GenericKD.69420957
FireEye	Trojan.GenericKD.69420957
Cylance	unsafe
Sangfor	Infostealer.Win32.Agent.Vyiv
Alibaba	TrojanPSW:Win32/Stealerc.3b5cb798
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/PSW.Agent.ORM
Kaspersky	Trojan-PSW.Win32.Stealerc.byn
BitDefender	Trojan.GenericKD.69420957
Avast	Win32:PWSX-gen [Trj]
Tencent	Win32.Trojan-QQPass.QQRob.Tsmw
DrWeb	Trojan.DownLoader46.18451
McAfee-GW-Edition	BehavesLike.Win32.Generic.rh
Sophos	Mal/Generic-S
MAX	malware (ai score=81)
Antiy-AVL	Trojan[PSW]/Win32.Agent
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	Trojan-PSW.Win32.Stealerc.byn
Google	Detected
McAfee	Artemis!E8A7ED6986B1
Panda	Trj/Chgt.AD
Rising	Trojan.Generic@AI.100 (RDML:/kbVL+J8TC8ghpSn2hNewg)
Ikarus	Trojan-PSW.Agent
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

App1234.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All