Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2023, 12:54 p.m.	Sept. 30, 2023, 1:34 p.m.

Size	1023.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`67e741557eaa3124261105bff38bc62a`
SHA256	`b2e6a04435ab8d41a5a259072b6c29dec30caa05ed1ec2a8bae2b2670573981e`
CRC32	`C8326E8F`
ssdeep	`12288:oVDH4arSas0SRUXA5S9ZgvlZW9AxBK8ctBGOKLDcEHDqYocAXrexgPlBo8Ker5+m:24arTs0S2Q5SgitBj+RacAXUUBLeJ4/`
PDB Path	chrome_proxy.exe.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check

Updater.exe "C:\Users\test22\AppData\Local\Temp\Updater.exe"
2540

Name	Response	Post-Analysis Lookup
mayo.edu	A 129.176.1.88	129.176.1.88

IP Address	Status	Action
129.176.1.88	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 129.176.1.88:443 -> 192.168.56.101:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49162	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49177	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49184	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49189	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49189 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49192	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49190	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49199	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49191	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49199 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49196	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49193	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49197	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49202	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49193 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49195	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49198	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49195 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49194	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49200	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49161	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49161 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 129.176.1.88:443 -> 192.168.56.101:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 129.176.1.88:443 -> 192.168.56.101:49201	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 129.176.1.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

chrome_proxy.exe.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2023, 12:47 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section	.00cfg
section	.gxfg
section	.retplne
section	.voltbl
section	_RDATA

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00006400', u'virtual_address': u'0x00105000', u'entropy': 7.672101767924157, u'name': u'.rsrc', u'virtual_size': u'0x000062ca'}

entropy

7.67210176792

description

A section with a high entropy has been found

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Bkav	W32.Common.EE734F0A
Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Trojan.Generic.34175543
McAfee	Artemis!67E741557EAA
VIPRE	Trojan.Generic.34175543
K7AntiVirus	Riskware ( 00584baa1 )
Alibaba	TrojanDownloader:Win64/Rugmi.239e665f
K7GW	Riskware ( 00584baa1 )
Arcabit	Trojan.Generic.D2097A37
Cyren	W64/ABTrojan.VXOY-1730
ESET-NOD32	a variant of Win64/TrojanDownloader.Rugmi.D
Cynet	Malicious (score: 99)
BitDefender	Trojan.Generic.34175543
Avast	FileRepMalware [Misc]
Emsisoft	Trojan.Generic.34175543 (B)
F-Secure	Trojan.TR/Agent.arcs
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.Generic.34175543
Sophos	Mal/Generic-S
Avira	TR/Agent.arcs
MAX	malware (ai score=80)
Gridinsoft	Trojan.Win64.Agent.sa
Microsoft	Trojan:Win64/Vidar!MTB
GData	Trojan.Generic.34175543
Google	Detected
ALYac	Trojan.Generic.34175543
Cylance	unsafe
Rising	Trojan.Vidar!8.114A8 (CLOUD)
Ikarus	Trojan.Agent
MaxSecure	Trojan.Malware.3411146.susgen
Fortinet	W32/PossibleThreat
AVG	FileRepMalware [Misc]
DeepInstinct	MALICIOUS

Updater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All