Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 22, 2023, 2:57 p.m.	Dec. 22, 2023, 2:59 p.m.

Size	11.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`46431992aa566007949fc4acbc058856`
SHA256	`846f5e52aa6b4f11a29cab1f505463938938c3c5ad8d753fe70a148200c8c446`
CRC32	`F8D6AAD3`
ssdeep	`3072:3+fKfLxPq+l/AGDF+FUN9TgPC543HaHJSp8Bb8EGF9N7:OfKfI+l4GDCACS4Kz8EGF9N`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware

OperaGXSetup.exe "C:\Users\test22\AppData\Local\Temp\OperaGXSetup.exe"
2556

Name	Response	Post-Analysis Lookup
www.msk-post.com	A 91.228.225.55	91.228.225.55

IP Address	Status	Action
164.124.101.2	Active	Moloch
91.228.225.55	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 91.228.225.55:443 -> 192.168.56.101:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 91.228.225.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49162 -> 91.228.225.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 91.228.225.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 91.228.225.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 91.228.225.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.228.225.55:443 -> 192.168.56.101:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 91.228.225.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 91.228.225.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.228.225.55:443 -> 192.168.56.101:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 91.228.225.55:443 -> 192.168.56.101:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 91.228.225.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 22, 2023, 2:57 p.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://www.msk-post.com/server/init.php

Performs some HTTP requests (1 event)

request

GET http://www.msk-post.com/server/init.php

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 22, 2023, 2:57 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 22, 2023, 2:57 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75831000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 22, 2023, 2:57 p.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 22, 2023, 2:57 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 22, 2023, 2:57 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 22, 2023, 2:57 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 22, 2023, 2:57 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 22, 2023, 2:57 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 22, 2023, 2:57 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d51000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001c800', u'virtual_address': u'0x00001000', u'entropy': 7.558097814259351, u'name': u'.text', u'virtual_size': u'0x0001d000'}

entropy

7.55809781426

description

A section with a high entropy has been found

entropy

0.676557863501

description

Overall entropy of this PE file is high

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Coins.ts97
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Trojan.wz
ALYac	Gen:Variant.Lazy.450349
Cylance	unsafe
VIPRE	Gen:Variant.Lazy.450349
Sangfor	Suspicious.Win32.Save.a
BitDefender	Gen:Variant.Lazy.450349
Cybereason	malicious.f48e51
Arcabit	Trojan.Lazy.D6DF2D
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/PSW.Agent.OMJ
APEX	Malicious
McAfee	Artemis!46431992AA56
Avast	Win32:TrojanX-gen [Trj]
ClamAV	Win.Malware.Lazy-9958170-0
Kaspersky	UDS:Trojan-PSW.Win32.Stealerc
Alibaba	TrojanPSW:Win32/MarsStealer.b59a6909
NANO-Antivirus	Virus.Win32.Gen.ccmw
MicroWorld-eScan	Gen:Variant.Lazy.450349
Rising	Stealer.Agent!8.C2 (TFE:5:AHgOndhlWFN)
Emsisoft	Gen:Variant.Lazy.450349 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
DrWeb	Trojan.PWS.Stealer.32841
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.46431992aa566007
Sophos	Mal/EncPk-AQH
Ikarus	Trojan-PSW.Agent
Jiangmin	Trojan.PSW.Vidar.pm
Google	Detected
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Win32.Vindor
Microsoft	Trojan:Win32/MarsStealer!pz
GData	Gen:Variant.Lazy.450349
Varist	W32/Infostealer.BMST-4262
AhnLab-V3	Trojan/Win.KL.C5061527
BitDefenderTheta	Gen:NN.ZexaF.36608.@BZ@aSTMiMm
DeepInstinct	MALICIOUS
VBA32	BScope.Backdoor.CoreBot
Malwarebytes	Generic.Spyware.Stealer.DDS
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Agent.OMJ!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

OperaGXSetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All