popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

release.rar

KeyLogger PWS Escalate priviledges AntiDebug AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Jan. 11, 2024, 10:09 a.m. Jan. 11, 2024, 10:11 a.m.
Size 7.9MB
Type RAR archive data, v5
MD5 055bfe6e7bbf803236c3b1552f2ca0b1
SHA256 baa06057a238e7417c4a544875c85b8d4d408a2c4585631206530cd2360a713e
CRC32 D1D3FED3
ssdeep 196608:juqMF1FTRFBVltwEi790gw4RsYPdgoR2twuANg9QAFb:iqmLLBm8gw98BQwujP
Yara None matched

Name Response Post-Analysis Lookup
api.myip.com
A 172.67.75.163
A 104.26.9.59
A 104.26.8.59
172.67.75.163
vk.com
A 87.240.129.133
A 87.240.132.72
A 87.240.132.67
A 87.240.137.164
A 93.186.225.194
A 87.240.132.78
93.186.225.194
sun6-23.userapi.com
A 95.142.206.3
95.142.206.3
ipinfo.io
A 34.117.186.192
34.117.186.192
IP Address Status Action
104.26.8.59 Active Moloch
164.124.101.2 Active Moloch
195.20.16.45 Active Moloch
34.117.186.192 Active Moloch
87.240.129.133 Active Moloch
95.142.206.3 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49180 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49180 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49180 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49183 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49183 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49186 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49188 -> 87.240.129.133:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49179 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49179 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49182 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49182 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49189 -> 95.142.206.3:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49188
87.240.129.133:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49179
104.26.8.59:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49189
95.142.206.3:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features Connection to IP address suspicious_request GET http://195.20.16.45/api/bing_release.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://195.20.16.45/api/flash.php
request GET http://195.20.16.45/api/bing_release.php
request POST http://195.20.16.45/api/flash.php
request GET https://api.myip.com/
request GET https://vk.com/doc418490229_670513616?hash=Rnz6mh1plmmQeRvLs9F8CK7xp1IzayhFDkq5VtfO7zL&dl=vqdYEy1z0yzb7VGu1G6kvdqbamVKV6KZryFk0aAy5M0&api=1&no_preview=1
request GET https://sun6-23.userapi.com/c909618/u418490229/docs/d51/1e80248cc5f3/8jccr.bmp?extra=I1B0d7qHmDrWBBQTgm6DCsfs_HxefbRVRDBMMl1mndN_42h_EOO-DEO4b1R5C8HYMiNVOCOnamxYlk9-My5bAFSfIzgZKrI9NoLJwJbBGG34aojGE1MEDXU_gW3h2-UJPHThE-0hKCfIk70-NA
request POST http://195.20.16.45/api/flash.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74062000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x721c3000
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\lgc_api — копия (3).dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\setup.exe
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\ResIL.dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\ResIL — копия (2).dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\dbghelp.dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\chrome_elf.dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\lgc_api — копия (2).dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\ResIL — копия (3).dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\chrome_elf — копия.dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\lgc_api.dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\lgc_api — копия.dll
file C:\Users\test22\AppData\Local\Temp\7zEC887D668\PROPAMAT\ResIL — копия.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeSecurityPrivilege
1 1 0
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
host 195.20.16.45