Summary | ZeroBOX

Apple.exe

Tags: UPX, Downloader, OS Processor Check, PE64, PE File
Category: FILE
Machine: s1_win7_x6401
Started: Feb. 1, 2024, 7:50 a.m.
Completed: Feb. 1, 2024, 7:58 a.m.
Size 10.5KB
Type PE32+ executable (console) x86-64, for MS Windows
MD5 6467c1d4c14b19a50b3e154be9454e5f
SHA256 008e23d54a1e360051a894b171233579d90542580d382a7287d462c2bdad9daa
CRC32 5425D184
ssdeep 192:7Vf9JqzjLxlxs3eq9q6t4PAq3Q5tfMcm:7Vf9JqXLa3p9qp3N
PDB Path C:\Users\Admin\source\repos\Apple\x64\Release\Apple.pdb
Yara
  • Network_Downloader - File Downloader
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
164.124.101.2 Active Moloch
23.200.75.107 Active Moloch
87.236.16.21 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49162 -> 87.236.16.21:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.101:49162 -> 87.236.16.21:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=astervell.fun
Fingerprint: 8d:22:5a:06:6f:f0:0f:f7:ed:7b:49:fb:c4:3b:8b:91:e7:56:71:3d

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path C:\Users\Admin\source\repos\Apple\x64\Release\Apple.pdb
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
file C:\Users\test22\AppData\Local\Temp\DR12.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: DR12.exe
parameters: (empty)
filepath: DR12.exe
0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0