Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
10.05 02:10
mime-attachment 2
10.05 11:10
66fffb908255c_nnxin.exe
10.05 11:10
66fe13d56fd43_EdgeOUpd...
10.05 11:10
9dd06d870941.exe#d15
10.05 11:10
7f3c2473d1e6.exe#sp_vid
10.05 11:10
f2e7fcb20146.exe#sp_sl
10.05 11:10
956d73b7f041.exe#defau...
10.05 09:10
payload.msi
10.05 09:10
fedf8679e8d2.exe#d12
10.05 09:10
segura.vbs

Latest News
10.05 04:10
Clone of TEST BLOG WIL...
10.05 03:10
Anzeige: So gelingt di...
10.05 03:10
KI verstehen mit Excel...
10.05 03:10
Apple Releases Critica...
10.05 02:10
Mechanical Switch Sci-...
10.05 11:10
This Bluetooth GATT Co...
10.05 09:10
Mac Malware with L0Pse...
10.05 09:10
타이거다즐러, 올리브영 온라인몰 입점… ...
10.05 09:10
Ben Horowitz Will Dona...
10.05 09:10
5G-Ausbau: Zwei Bundes...

Summary | ZeroBOX

4.exe

Vidar Malicious Library UPX PE File OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 15, 2024, 7:53 a.m.	Jan. 15, 2024, 7:57 a.m.

Size	291.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e4153c1acc9bab930996d7ee3b148f57`
SHA256	`35178ea71fd6bc4c15e2c302613f3c0ff5579b0669e800a24dc30d68e0328942`
CRC32	`E7440A2E`
ssdeep	`6144:NiKNqzy8JFjVSZSJOyB6CmL5QZXNKNSQIQfKViOdTbDyJPfp3Kn:Ni+q9I9GQxKVDCJwn`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

4.exe "C:\Users\test22\AppData\Local\Temp\4.exe"
2552

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 104.76.78.101	104.76.78.101

IP Address	Status	Action
104.76.78.101	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
65.109.241.139	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49162 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49161 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49162 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49162 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.101:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 65.109.241.139:443 -> 192.168.56.101:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49162 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49166 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 15, 2024, 7:53 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 15, 2024, 7:53 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 15, 2024, 7:53 a.m.	stacktrace: 4+0x1b973 @ 0x125b973 4+0x1dea4 @ 0x125dea4 4+0x1e309 @ 0x125e309 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 08 03 47 08 89 5d fc 89 46 08 40 50 c7 45 exception.symbol: 4+0x15931 exception.instruction: mov eax, dword ptr [eax + 8] exception.module: 4.exe exception.exception_code: 0xc0000005 exception.offset: 88369 exception.address: 0x1255931 registers.esp: 3252588 registers.edi: 3252992 registers.eax: 1 registers.ebp: 3252616 registers.edx: 1925375709 registers.ebx: 0 registers.esi: 3252980 registers.ecx: 3252992	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199601319247

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199601319247

Communicates with host for which no DNS query was performed (1 event)

host

65.109.241.139

Executes one or more WMI queries (2 events)

wmi
wmi	Select * From AntiVirusProductroot\SecurityCente

Network activity contains more than one unique useragent (2 events)

process	4.exe				useragent
process	4.exe				useragent	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0 uacq