Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
07.11 06:07
Books_A0UJKO.pdf.url
07.11 05:07
reg.jpg.vbs
07.11 05:07
vd.txt.vbs
07.11 05:07
ghj.ghj.ghj.ghj.doc
07.11 05:07
hy.hy.hy.hyhyhy.doc
07.11 05:07
mk.mk.mk.mkmkmk.doc
07.11 02:07
doh.exe
07.11 02:07
et.exe
07.11 02:07
Pillager.exe
07.11 01:07
mk.mk.mk.mkmkmk.doc

Latest News
07.12 05:07
Most Websites and Apps...
07.12 05:07
BlastRADIUS Vulnerabil...
07.12 05:07
USENIX Security ’23 – ...
07.12 04:07
Emulating the Long-Ter...
07.12 04:07
Comic Agilé – Mikkel N...
07.12 04:07
OIDC vs SAML: A Compre...
07.12 04:07
Liquidmatrix Security ...
07.12 04:07
Enhancing PAM Solution...
07.12 04:07
The New Role of Digita...
07.12 04:07
Join Sam's Club for $2...

Summary | ZeroBOX

rty37.exe

UPX Malicious Library OS Processor Check PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 24, 2024, 7:53 a.m.	Jan. 24, 2024, 8:04 a.m.

Size	326.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`5403c7f25701c2f3880998784e78b2f9`
SHA256	`e2c50c779a1ef7e2f8ec1470fc1dc3e85b2886da0b514a9e0f2862d8648b2aa9`
CRC32	`86809096`
ssdeep	`6144:kj83kXffMIwywVvUKBrcisb765kohreOySYA/U:j3yfU3V1BrcdEko2Cc`
PDB Path	c:\Users\Administrator\Jenkins\workspace\ccx-libraries-windows\build\Release\CCLibrary.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

rty37.exe "C:\Users\test22\AppData\Local\Temp\rty37.exe"
2556

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 182.162.106.144 A 182.162.106.33 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.50.121.153
i.alie3ksgaa.com	A 154.92.15.189	154.92.15.189

IP Address	Status	Action
154.92.15.189	Active	Moloch
164.124.101.2	Active	Moloch
182.162.106.144	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49162 154.92.15.189:443	C=US, O=Let's Encrypt, CN=R3	CN=i.alie3ksgaa.com	e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

c:\Users\Administrator\Jenkins\workspace\ccx-libraries-windows\build\Release\CCLibrary.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

MUI

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 24, 2024, 7:46 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f8da000 process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Jan. 24, 2024, 7:46 a.m.	process_identifier: 2556 region_size: 31084544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 24, 2024, 7:46 a.m.	flags: 15 family: 0		111	0