Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 25, 2023, 7:36 a.m.	Sept. 25, 2023, 7:45 a.m.

Size	438.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`ddffc2d90d856636988bf603f0383d9e`
SHA256	`37162a151d67a271fa53fe8a32805ba3bcafeada5687e25ec55cf1d81840b2fd`
CRC32	`A3A99842`
ssdeep	`6144:b2vYg/KfSIBMDgW0L4FWa1yYMOgWQOb+071y6rpz0V:VgGSIu8OshYMUQOe6+`
PDB Path	H:\Dragon_113x64\src\out\Dragon\Dragon\Release\virtual_mode_helper.exe.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check

g.exe "C:\Users\test22\AppData\Local\Temp\g.exe"
1488

Name	Response	Post-Analysis Lookup
i.ibb.co	A 172.96.160.210 A 172.96.160.222 A 104.194.8.120 A 104.194.8.143	172.96.160.222

IP Address	Status	Action
104.194.8.143	Active	Moloch
164.124.101.2	Active	Moloch
172.96.160.222	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 104.194.8.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49196	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49199 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49194	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49184	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49200	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49189 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49198	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49204	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49207 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49190	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49206	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49205 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49208	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.194.8.143:443 -> 192.168.56.103:49162	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49192	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49197 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49202	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 25, 2023, 7:29 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 25, 2023, 7:29 a.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

H:\Dragon_113x64\src\out\Dragon\Dragon\Release\virtual_mode_helper.exe.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 25, 2023, 7:29 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.00cfg
section	.gxfg
section	.retplne

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 25, 2023, 7:29 a.m.	process_identifier: 1488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013fd5e000 process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Bkav	W32.AIDetectMalware.64
Malwarebytes	Neshta.Virus.FileInfector.DDS
AhnLab-V3	Malware/Win.Generic.R606856

g.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All