Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 4, 2023, 10:49 a.m.	Nov. 4, 2023, 10:51 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`993c85b5b1c94bfa3b7f45117f567d09`
SHA256	`cb6c640fbc6289b261bca0ee881bfcc8c4df2e89baaab7a4fed4e0e3b0dc9d37`
CRC32	`DFD326B1`
ssdeep	`12288:1SCFweWT8xCrC9ihr40AZWUBmEYvWe0kRUj8apA331/ZLGpn2OZ4H3ro:1lFweWT8x/9Ir40O8FvWeEJy3JZY63r`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

TEST32.exe "C:\Users\test22\AppData\Local\Temp\TEST32.exe"
1872

Name	Response	Post-Analysis Lookup
api.ipify.org	A 173.231.16.77 A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.212	64.185.227.156

IP Address	Status	Action
149.40.62.171	Active	Moloch
164.124.101.2	Active	Moloch
64.185.227.156	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.103:49163 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.103:49164 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.103:49163 -> 64.185.227.156:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 64.185.227.156:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.103:49164 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 64.185.227.156:443 -> 192.168.56.103:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.40.62.171:15666 -> 192.168.56.103:49161	2260003	SURICATA Applayer Protocol detection skipped	Generic Protocol Command Decode
TCP 192.168.56.103:49163 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.103:49164 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 4, 2023, 10:49 a.m.	computer_name: TEST22-PC	1	1	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files\Mozilla Firefox\nss3.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 4, 2023, 10:49 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Steals private information from local Internet browsers (50 out of 282 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dfmbcapkkeejcpmfhpnglndfkgmalhik
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gehmmocbbkpblljhkekmfhjpfbkclbph
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ldinpeekobnhjjdofggfgjlcehhmanlj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhhldecdfagpbfggphklkaeiocfnaafm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Ya Passman Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\apnehcjmnengpnmccpaibjmhhoadaico
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\UC Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\dppgmdbiimibapkepcbdbmkaabgiofem
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\nhhldecdfagpbfggphklkaeiocfnaafm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\naepdomgkenhinolocfifgehidddafch
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje

Looks up the external IP address (1 event)

domain

api.ipify.org

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000f200', u'virtual_address': u'0x00107000', u'entropy': 6.832130813055755, u'name': u'.reloc', u'virtual_size': u'0x0000f15c'}

entropy

6.83213081306

description

A section with a high entropy has been found

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Nov. 4, 2023, 10:49 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1		2	0
RegOpenKeyExA Nov. 4, 2023, 10:49 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1		2	0

Communicates with host for which no DNS query was performed (1 event)

host

149.40.62.171

Attempts to identify installed AV products by installation directory (7 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser
file	C:\Users\test22\AppData\Roaming\AVAST Software\Browser
file	C:\Users\test22\AppData\Local\AVG\Browser
file	C:\Users\test22\AppData\Roaming\AVG\Browser
file	C:\ProgramData\Microsoft\Microsoft Antimalware
file	C:\Windows\Sandboxie.ini
file	C:\ProgramData\Microsoft\Microsoft Security Client

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\config
file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to detect Cuckoo Sandbox through the presence of a file (3 events)

file	C:\Python27\agent.pyw
file	C:\tmpvmqcut\analyzer.py
file	C:\tmp6o6lvv\analyzer.py

Creates known Dapato Trojan files, registry keys and/or mutexes (1 event)

file	C:\Windows\debug\PASSWD.LOG

Creates known Dyreza Banking Trojan files, registry keys and/or mutexes (1 event)

file	C:\Windows\SysWOW64\mfcsubs.dll

Creates known Hupigon files, registry keys and/or mutexes (1 event)

file	C:\Windows\bootstat.dat

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Local\Thunderbird\Profiles\hzkyl8yo.default
file	C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\hzkyl8yo.default
registry	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\HTTPMail Password
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP User Name

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Creates known Upatre files, registry keys and/or mutexes (1 event)

file	C:\Windows\System32\qcap.dll

Detects VirtualBox through the presence of a file (2 events)

file	C:\Windows\SysWOW64\VBoxOGL.dll
file	C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.103:49161

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealer.12!c
MicroWorld-eScan	Gen:Variant.Lazy.410140
FireEye	Generic.mg.993c85b5b1c94bfa
CAT-QuickHeal	TrojanPWS.Stealer
Skyhigh	BehavesLike.Win32.Generic.th
ALYac	Gen:Variant.Lazy.410140
Malwarebytes	Trojan.Injector.RND
Zillya	Trojan.Injector.Win32.1713955
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Trojan ( 005361961 )
BitDefender	Gen:Variant.Lazy.410140
K7GW	Trojan ( 005361961 )
Cybereason	malicious.d65621
BitDefenderTheta	Gen:NN.ZexaF.36792.evW@auZunKki
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.DYZI
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.Win32.Stealer.gen
Alibaba	TrojanPSW:Win32/Stealer.e5a0ac4c
NANO-Antivirus	Trojan.Win32.Bobik.kcmzgg
ViRobot	Trojan.Win.Z.Injector.1116160
Tencent	Malware.Win32.Gencirc.11b7b02d
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Injector.llsbr
VIPRE	Gen:Variant.Lazy.410140
TrendMicro	Trojan.Win32.SMOKELOADER.YXDJ3Z
Trapmine	suspicious.low.ml.score
Emsisoft	Gen:Variant.Lazy.410140 (B)
Ikarus	Trojan.Win32.Injector
GData	Gen:Variant.Lazy.410140
Google	Detected
Avira	TR/Injector.llsbr
Varist	W32/ABRisk.NVSZ-4091
Antiy-AVL	Trojan/Win32.Injector
Kingsoft	Win32.Trojan-PSW.Stealer.gen
Gridinsoft	Ransom.Win32.Sabsik.ca
Arcabit	Trojan.Lazy.D6421C
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealer.gen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C5518247
McAfee	Artemis!993C85B5B1C9
MAX	malware (ai score=87)
DeepInstinct	MALICIOUS
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.SMOKELOADER.YXDJ3Z
Rising	Stealer.Meduza!8.186B4 (TFE:5:q6bwEsZ7J7M)

TEST32.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All