Summary | ZeroBOX

stub.exe

Tags: Generic Malware, Malicious Library, UPX, Malicious Packer, PE64, PE File, OS Processor Check
Category FILE
Machine s1_win7_x6403_us
Started Oct. 13, 2023, 8:34 a.m.
Completed Oct. 13, 2023, 8:38 a.m.
Size 5.2MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 7267c31ceaa3b35c96494360402a4788
SHA256 a7cf48b6108e96096026425b964905f2035427c2af97fca0618d5947515f25b2
CRC32 24F3C35E
ssdeep 98304:Yh0Af9saCDQeXNGUY1WpI1Hgj0hA7cQcPnkWDq0vH6ddW6TktuFfp39sqfMXGqh0:iV0DQKcLQcPnkWDq0vH6ddW6TktuFfpD
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Generic_Malware_Zero - Generic Malware

IP Address Status Action
103.112.69.92 Active Moloch
103.6.198.176 Active Moloch
104.21.46.148 Active Moloch
104.21.6.168 Active Moloch
104.21.76.140 Active Moloch
110.173.135.226 Active Moloch
113.20.24.100 Active Moloch
124.150.141.167 Active Moloch
13.248.169.48 Active Moloch
13.56.33.8 Active Moloch
133.125.38.187 Active Moloch
145.239.5.159 Active Moloch
15.197.142.173 Active Moloch
153.126.211.112 Active Moloch
154.201.225.123 Active Moloch
156.251.140.23 Active Moloch
157.7.107.38 Active Moloch
157.7.107.49 Active Moloch
160.80.6.36 Active Moloch
164.132.175.106 Active Moloch
164.92.82.47 Active Moloch
173.205.126.33 Active Moloch
177.73.143.59 Active Moloch
178.249.70.75 Active Moloch
185.230.63.107 Active Moloch
185.230.63.186 Active Moloch
185.33.216.22 Active Moloch
192.124.249.12 Active Moloch
192.124.249.13 Active Moloch
192.124.249.15 Active Moloch
192.124.249.9 Active Moloch
149.154.167.220 Active Moloch
164.124.101.2 Active Moloch
194.143.194.23 Active Moloch
195.128.140.29 Active Moloch
195.201.246.38 Active Moloch
198.185.159.144 Active Moloch
198.49.23.145 Active Moloch
199.34.228.78 Active Moloch
202.59.4.2 Active Moloch
202.94.166.30 Active Moloch
205.149.134.32 Active Moloch
207.211.30.242 Active Moloch
208.100.26.245 Active Moloch
211.1.226.67 Active Moloch
216.239.34.21 Active Moloch
216.46.129.162 Active Moloch
27.0.174.59 Active Moloch
3.33.130.190 Active Moloch
3.33.243.145 Active Moloch
3.64.163.50 Active Moloch
31.15.12.103 Active Moloch
34.224.10.110 Active Moloch
35.214.171.193 Active Moloch
35.231.13.148 Active Moloch
46.242.238.60 Active Moloch
49.12.155.123 Active Moloch
5.134.4.115 Active Moloch
52.194.155.172 Active Moloch
52.20.84.62 Active Moloch
54.69.120.26 Active Moloch
61.200.81.21 Active Moloch
62.122.170.171 Active Moloch
65.52.128.33 Active Moloch
75.2.70.75 Active Moloch
76.223.27.102 Active Moloch
76.223.35.103 Active Moloch
76.223.54.146 Active Moloch
76.74.184.61 Active Moloch
77.72.4.226 Active Moloch
79.96.161.192 Active Moloch
79.96.32.254 Active Moloch
83.223.113.46 Active Moloch
85.128.55.51 Active Moloch
86.105.245.69 Active Moloch
89.161.136.188 Active Moloch
89.161.163.246 Active Moloch
91.201.52.102 Active Moloch
91.220.211.163 Active Moloch
92.42.191.40 Active Moloch
93.188.2.51 Active Moloch
93.189.66.202 Active Moloch
95.174.22.233 Active Moloch

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
section _RDATA
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
stub+0x5c2d2 @ 0x14005c2d2
stub+0x6501d @ 0x14006501d
0x2 (this frame is repeated 62 times in the captured stack trace)

exception.instruction_r: 0f 0b 0f 0b b9 08 00 00 00 eb 05 b9 18 00 00 00
exception.symbol: stub+0x5c2d2
exception.instruction: ud2
exception.module: stub.exe
exception.exception_code: 0xc000001d
exception.offset: 377554
exception.address: 0x14005c2d2
registers.r14: 0
registers.r15: 0
registers.rcx: 3649312
registers.rsi: 2977712
registers.r10: 133
registers.rbx: 5
registers.rsp: 1244856
registers.r11: 27
registers.r8: 8594128910
registers.r9: 12887064591
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 2989504
registers.rax: 2940672
registers.r13: 0
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\43
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeUrlClientIncident.store
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\2022.9.20.1141
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-633280A1-748.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.91
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\font_unique_name_table.pb
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Favicons
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlMalware.store
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
cmdline netsh wlan show networks mode=bssid
cmdline "cmd" /C "netsh wlan show networks mode=bssid"
host 103.112.69.92
host 103.6.198.176
host 104.21.46.148
host 104.21.6.168
host 104.21.76.140
host 110.173.135.226
host 113.20.24.100
host 124.150.141.167
host 13.248.169.48
host 13.56.33.8
host 133.125.38.187
host 145.239.5.159
host 15.197.142.173
host 153.126.211.112
host 154.201.225.123
host 156.251.140.23
host 157.7.107.38
host 157.7.107.49
host 160.80.6.36
host 164.132.175.106
host 164.92.82.47
host 173.205.126.33
host 177.73.143.59
host 178.249.70.75
host 185.230.63.107
host 185.230.63.186
host 185.33.216.22
host 192.124.249.12
host 192.124.249.13
host 192.124.249.15
host 192.124.249.9
host 194.143.194.23
host 195.128.140.29
host 195.201.246.38
host 198.185.159.144
host 198.49.23.145
host 199.34.228.78
host 202.59.4.2
host 202.94.166.30
host 205.149.134.32
host 207.211.30.242
host 208.100.26.245
host 211.1.226.67
host 216.239.34.21
host 216.46.129.162
host 27.0.174.59
host 3.33.130.190
host 3.33.243.145
host 3.64.163.50
host 31.15.12.103
file C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data\Network\Local State
file C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data\LocalPrefs.json
file C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data\Local State
file C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data\User Data\Local State
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
Elastic malicious (moderate confidence)
Skyhigh Artemis!Trojan
Kaspersky UDS:Trojan-PSW.Win32.Greedy.cej
Webroot W32.Malware.Gen
Microsoft Trojan:Win32/Znyonm
ZoneAlarm UDS:Trojan-PSW.Win32.Greedy.cej
Google Detected
McAfee Artemis!7267C31CEAA3
Rising Stealer.Greedy!8.133BA (CLOUD)
Ikarus Win32.Outbreak
file C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\hzkyl8yo.default
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
dead_host 192.168.56.103:49811
dead_host 192.168.56.103:49192
dead_host 192.168.56.103:49665
dead_host 192.168.56.103:49760
dead_host 192.168.56.103:49911
dead_host 192.168.56.103:49805
dead_host 192.168.56.103:49615
dead_host 192.168.56.103:49285