Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

truever0510dn.exe

Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) UPX Malicious Packer Anti_VM ftp PE64 PNG Format dll PE File OS Processor Check PE32 CAB DLL DllRegisterServer

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 20, 2023, 7:27 a.m.	Oct. 20, 2023, 7:31 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`93556130a3846a62780b2b331cd19ea0`
SHA256	`8c12d821cae4d797fece228c0f433a007b8ad0643b778de8fa8a20b01504a522`
CRC32	`81FB53D6`
ssdeep	`24576:puEOfDlEUKWfOmTPn5Yw/noda9Kul5dF4ip8W0zZcqzCDx:0fU4LbxouKul5dC7zzZY`
PDB Path	C:\agent\_work\8\s\build\ship\x86\burn.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) CAB_file_format - CAB archive file OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware

truever0510dn.exe "C:\Users\test22\AppData\Local\Temp\truever0510dn.exe"
2556

Name	Response	Post-Analysis Lookup
i.imgur.com	CNAME ipv4.imgur.map.fastly.net A 146.75.92.193	146.75.92.193
i.ibb.co	A 172.96.160.210 A 172.96.160.222 A 104.194.8.120 A 104.194.8.143	172.96.160.210
ctrip.com	A 180.163.115.16 A 117.131.27.7 A 114.80.56.121 A 211.95.54.121 A 117.186.233.61 A 220.196.164.16	114.80.56.121

IP Address	Status	Action
104.194.8.143	Active	Moloch
114.80.56.121	Active	Moloch
146.75.92.193	Active	Moloch
164.124.101.2	Active	Moloch
51.15.65.182	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 104.194.8.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49162 -> 114.80.56.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 146.75.92.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.194.8.143:443 -> 192.168.56.101:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49162 114.80.56.121:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=CN, ST=Shanghai, L=Shanghai, O=Shanghai Ctrip Commerce Co., Ltd., CN=*.ctrip.com	53:d0:92:1f:b9:1e:9f:7d:20:52:f2:94:de:2a:c2:44:45:3c:c2:62
TLSv1 192.168.56.101:49166 146.75.92.193:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.imgur.com	d6:4d:45:03:6d:38:f8:fd:ea:af:e5:92:b3:4d:85:a5:6b:af:5c:ec

Queries for the computername (5 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 20, 2023, 7:27 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 20, 2023, 7:27 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 20, 2023, 7:27 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 20, 2023, 7:27 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 20, 2023, 7:27 a.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\agent\_work\8\s\build\ship\x86\burn.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2023, 7:27 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.wixburn

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://i.imgur.com/pRZqSZX.png

Performs some HTTP requests (1 event)

request

GET https://i.imgur.com/pRZqSZX.png

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 20, 2023, 7:27 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 20, 2023, 7:27 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c61000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 20, 2023, 7:27 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c66000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 20, 2023, 7:27 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c61000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Roaming\Lfp_Install_v2\VBoxDDU.dll
file	C:\Users\test22\AppData\Roaming\Lfp_Install_v2\VBoxSVC.exe
file	C:\Users\test22\AppData\Roaming\Lfp_Install_v2\msvcr100.dll
file	C:\Users\test22\AppData\Roaming\Lfp_Install_v2\VBoxRT.dll
file	C:\Users\test22\AppData\Roaming\Lfp_Install_v2\msvcp100.dll

Communicates with host for which no DNS query was performed (1 event)

host

51.15.65.182