Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 22, 2023, 8:08 a.m.	Dec. 22, 2023, 8:13 a.m.

Size	301.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e23c839edb489081120befe1e44b04db`
SHA256	`f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7`
CRC32	`107B69C4`
ssdeep	`6144:ZjLaN58Awvxfc4Y5YC/j8o74UhOfu8HV/7:tGN5xqtc4Yp/j8o1hUuOF`
PDB Path	C:\boyoxijuxid\suxaxaz1-dazavajafa\32\mofijadapecuni\xesofusoj.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

build2.exe "C:\Users\test22\AppData\Local\Temp\build2.exe"
884
- build2.exe "C:\Users\test22\AppData\Local\Temp\build2.exe"
  2152

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 104.76.78.101	104.76.78.101

IP Address	Status	Action
104.76.78.101	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
95.216.178.71	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49169 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 95.216.178.71:443 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Dec. 22, 2023, 8:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 22, 2023, 8:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 22, 2023, 8:08 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 22, 2023, 8:08 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\boyoxijuxid\suxaxaz1-dazavajafa\32\mofijadapecuni\xesofusoj.pdb

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	VUJ
resource name	XULABOSIBUBORORILUPEVETIZAVUTU

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 22, 2023, 8:08 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 43 08 56 8b 74 24 0c 57 8b f9 03 47 08 c7 06 exception.symbol: build2+0x12c65 exception.instruction: mov eax, dword ptr [ebx + 8] exception.module: build2.exe exception.exception_code: 0xc0000005 exception.offset: 76901 exception.address: 0x412c65 registers.esp: 1616708 registers.edi: 4294967295 registers.eax: 1 registers.ebp: 1638292 registers.edx: 1943660253 registers.ebx: 1 registers.esi: 1616824 registers.ecx: 1616724	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199583900422

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199583900422

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 22, 2023, 8:08 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0094e000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Dec. 22, 2023, 8:08 a.m.	process_identifier: 884 region_size: 180224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00026c00', u'virtual_address': u'0x00001000', u'entropy': 7.406415207847356, u'name': u'.text', u'virtual_size': u'0x00026af6'}

entropy

7.40641520785

description

A section with a high entropy has been found

entropy

0.515806988353

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://steamcommunity.com/profiles/76561199583900422
url	https://t.me/n0sca

Yara rule detected in process memory (16 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero

Communicates with host for which no DNS query was performed (1 event)

host

95.216.178.71

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 22, 2023, 8:08 a.m.	process_identifier: 2152 region_size: 2355200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Executes one or more WMI queries (2 events)

wmi	Select * From AntiVirusProductroot\SecurityCente
wmi	Select * From Win32_OperatingSystemRO

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Dec. 22, 2023, 8:08 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2152 process_handle: 0x00000080	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	build2.exe				useragent
process	build2.exe				useragent	Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 Safari/537.36 EdgA/97.0.1072.78

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 884 called NtSetContextThread to modify thread in remote process 2152
NtSetContextThread Dec. 22, 2023, 8:08 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4302864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2152	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 884 resumed a thread in remote process 2152
NtResumeThread Dec. 22, 2023, 8:08 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2152	1	0	0

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 22, 2023, 8:08 a.m.	thread_identifier: 2156 thread_handle: 0x0000007c process_identifier: 2152 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\build2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Dec. 22, 2023, 8:08 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Dec. 22, 2023, 8:08 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2152 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Dec. 22, 2023, 8:08 a.m.	process_identifier: 2152 region_size: 2355200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Dec. 22, 2023, 8:08 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2152 process_handle: 0x00000080	1	1
NtSetContextThread Dec. 22, 2023, 8:08 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4302864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2152	1	0
NtResumeThread Dec. 22, 2023, 8:08 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2152	1	0

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealerc.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Ransom.Stop.P5
Skyhigh	BehavesLike.Win32.Lockbit.fh
Cylance	unsafe
VIPRE	Trojan.GenericKD.70869457
Sangfor	Ransom.Win32.Save.a
K7AntiVirus	Riskware ( 00584baa1 )
BitDefender	Trojan.GenericKD.70869457
K7GW	Riskware ( 00584baa1 )
Cybereason	malicious.4ac540
Arcabit	Trojan.Generic.D43961D1
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Kryptik.HVRN
APEX	Malicious
McAfee	Artemis!E23C839EDB48
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Packer.pkr_ce1a-9980177-0
Kaspersky	HEUR:Trojan-PSW.Win32.Stealerc.gen
NANO-Antivirus	Trojan.Win32.Stealerc.kfrems
MicroWorld-eScan	Trojan.GenericKD.70869457
Rising	Trojan.SmokeLoader!1.EB63 (CLASSIC)
Emsisoft	Trojan.GenericKD.70869457 (B)
F-Secure	Trojan.TR/Crypt.Agent.jfpko
DrWeb	Trojan.Siggen22.42493
TrendMicro	TrojanSpy.Win32.VIDAR.YXDLUZ
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.e23c839edb489081
Sophos	Troj/Krypt-VK
Ikarus	Trojan.Win32.Azorult
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Crypt.Agent.jfpko
MAX	malware (ai score=88)
Antiy-AVL	Trojan/Win32.Kryptik
Kingsoft	malware.kb.a.1000
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/SmokeLoader.RPX!MTB
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealerc.gen
GData	Win32.Trojan.Agent.JGPNNI
Varist	W32/Kryptik.LHG.gen!Eldorado
AhnLab-V3	Trojan/Win.Injector.R628292
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.36608.sq0@amdLxQlG
DeepInstinct	MALICIOUS
VBA32	BScope.Backdoor.Convagent
Malwarebytes	Trojan.MalPack.GS

build2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All