Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 17, 2023, 4:35 p.m.	Oct. 17, 2023, 4:38 p.m.

Size	26.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a60c2e8459387329e1dbe2d3625ee2c8`
SHA256	`02668d2f92b7ad5863a377be0dafdf605b137b0cb4e07fd95bf494b76e58e40c`
CRC32	`0A8FAAB3`
ssdeep	`384:nLd6cufEYAA/XgWeyoHzCYe/iBY2OzRLTm3yilqr63+bNtVvGD:Ll8AA/6T5e/gsEEVvGD`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

bQGy.exe "C:\Users\test22\AppData\Local\Temp\bQGy.exe"
2548

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 182.162.106.33 CNAME a1952.dscq.akamai.net A 182.162.106.32 CNAME identrust.edgesuite.net	23.67.53.27
pt.textbin.net	CNAME textbin.net A 148.72.177.212	148.72.177.212

IP Address	Status	Action
148.72.177.212	Active	Moloch
164.124.101.2	Active	Moloch
182.162.106.33	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49187 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49193 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49162 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49194 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49195 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49223 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49190 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49192 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49222 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49216 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49189 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49168 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49166 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49169 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49173 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49174 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49187 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49184 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49193 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49201 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49198 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49206 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49164 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49220 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49200 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49225 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49203 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49226 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49165 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49182 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49183 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49205 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49185 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49208 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49209 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49188 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49211 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49162 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49170 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49191 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49171 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49194 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49172 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49176 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49195 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49213 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49175 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49217 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49199 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49221 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49223 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49177 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49202 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49181 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49207 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49186 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49178 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49190 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49192 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49212 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49196 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49222 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49204 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49179 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49210 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49214 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49224 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49216 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49180 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49218 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49189 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49197 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49215 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc
TLS 1.2 192.168.56.101:49219 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=pt.textbin.net	1d:23:54:67:33:68:c9:3a:86:52:9e:a1:51:50:39:64:8e:b5:c2:cc

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 17, 2023, 4:35 p.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 4:35 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 17, 2023, 4:35 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 17, 2023, 4:35 p.m.	stacktrace: 0x5b05c0 mscorlib+0x30c9ff @ 0x71aec9ff mscorlib+0x302367 @ 0x71ae2367 mscorlib+0x3022a6 @ 0x71ae22a6 mscorlib+0x302261 @ 0x71ae2261 mscorlib+0x30ca7c @ 0x71aeca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728407d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72840694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 09 ff 49 71 8b c8 e8 61 61 65 72 8b f0 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b0b9c registers.esp: 85652556 registers.edi: 36643984 registers.eax: 36639272 registers.ebp: 85652592 registers.edx: 36643984 registers.ebx: 36799016 registers.esi: 0 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 17, 2023, 4:35 p.m.

stacktrace:

0x5b05c0
mscorlib+0x30c9ff @ 0x71aec9ff
mscorlib+0x302367 @ 0x71ae2367
mscorlib+0x3022a6 @ 0x71ae22a6
mscorlib+0x302261 @ 0x71ae2261
mscorlib+0x30ca7c @ 0x71aeca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x728407d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x72840694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 e8 09 ff 49 71 8b c8 e8 61 61 65 72 8b f0
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5b0b9c
registers.esp: 85652556
registers.edi: 36643984
registers.eax: 36639272
registers.ebp: 85652592
registers.edx: 36643984
registers.ebx: 36799016
registers.esi: 0
registers.ecx: 0

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:35 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

bQGy.exe tried to sleep 241 seconds, actually delayed analysis time by 241 seconds

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 17, 2023, 4:35 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 17, 2023, 4:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Lionic	Trojan.Win32.SpyGate.4!c
MicroWorld-eScan	Generic.MSIL.Bladabindi.134BC814
ClamAV	Win.Trojan.B-468
Skyhigh	BehavesLike.Win32.Generic.mm
McAfee	Trojan-FJXA
Malwarebytes	Bladabindi.Backdoor.Bot.DDS
Zillya	Trojan.Bladabindi.Win32.150595
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
Alibaba	Backdoor:MSIL/Bladabindi.234b924f
K7GW	Trojan ( 700000121 )
Cybereason	malicious.0b28fc
Arcabit	Generic.MSIL.Bladabindi.134BC814
Baidu	MSIL.Backdoor.Bladabindi.a
VirIT	Trojan.Win32.Genus.PRT
Symantec	Backdoor.Ratenjay
Elastic	Windows.Trojan.Njrat
ESET-NOD32	a variant of MSIL/Bladabindi.BC
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.MSIL.SpyGate.gen
BitDefender	Generic.MSIL.Bladabindi.134BC814
Avast	Win32:RATX-gen [Trj]
Tencent	Trojan.Win32.Bladabindi.16000442
Emsisoft	Generic.MSIL.Bladabindi.134BC814 (B)
F-Secure	Trojan.TR/Dropper.Gen7
DrWeb	BackDoor.BladabindiNET.27
VIPRE	Generic.MSIL.Bladabindi.134BC814
TrendMicro	BKDR_BLADABI.SMC
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.a60c2e8459387329
Sophos	Troj/Bbindi-W
Ikarus	Trojan.MSIL.Bladabindi
Google	Detected
Avira	TR/Dropper.Gen7
Kingsoft	malware.kb.c.1000
Microsoft	Backdoor:MSIL/Bladabindi.B
ViRobot	Backdoor.Win32.Bladabindi.Gen.A
ZoneAlarm	HEUR:Backdoor.MSIL.SpyGate.gen
GData	MSIL.Backdoor.Bladabindi.AV
Varist	W32/MSIL_Agent.AQ.gen!Eldorado
AhnLab-V3	Malware/Win32.RL_SpyGate.C3495328
BitDefenderTheta	Gen:NN.ZemsilF.36738.bm0@a4jVUQh
ALYac	Generic.MSIL.Bladabindi.134BC814
MAX	malware (ai score=88)
VBA32	Trojan.MSIL.Bladabindi.Heur
Cylance	unsafe
Panda	Trj/GdSda.A
Rising	Backdoor.njRAT!1.9E49 (CLASSIC)
SentinelOne	Static AI - Malicious PE

bQGy.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All