Summary | ZeroBOX

g.exe

UPX Malicious Library OS Processor Check PE64 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 25, 2023, 7:36 a.m. Sept. 25, 2023, 7:45 a.m.
Size 438.5KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 ddffc2d90d856636988bf603f0383d9e
SHA256 37162a151d67a271fa53fe8a32805ba3bcafeada5687e25ec55cf1d81840b2fd
CRC32 A3A99842
ssdeep 6144:b2vYg/KfSIBMDgW0L4FWa1yYMOgWQOb+071y6rpz0V:VgGSIu8OshYMUQOe6+
PDB Path H:\Dragon_113x64\src\out\Dragon\Dragon\Release\virtual_mode_helper.exe.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
104.194.8.143 Active Moloch
164.124.101.2 Active Moloch
172.96.160.222 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49164 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49167 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49165 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 104.194.8.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49172 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49175 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49196 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49173 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49178 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49180 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49174 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49199 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49194 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49184 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49182 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49200 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49188 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49186 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49189 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49198 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49187 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49204 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49207 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49201 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49190 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 172.96.160.222:443 -> 192.168.56.103:49206 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49205 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49203 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49208 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 104.194.8.143:443 -> 192.168.56.103:49162 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49170 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49176 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49192 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49197 -> 172.96.160.222:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.160.222:443 -> 192.168.56.103:49202 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
pdb_path H:\Dragon_113x64\src\out\Dragon\Dragon\Release\virtual_mode_helper.exe.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .00cfg
section .gxfg
section .retplne
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000013fd5e000
process_handle: 0xffffffffffffffff
1 0 0
Bkav W32.AIDetectMalware.64
Malwarebytes Neshta.Virus.FileInfector.DDS
AhnLab-V3 Malware/Win.Generic.R606856