Summary | ZeroBOX

rty45.exe

Tags: Generic Malware, Malicious Packer, UPX, PE64, PE File
Category: FILE
Machine: s1_win7_x6401
Started: March 21, 2024, 7:13 a.m.
Completed: March 21, 2024, 7:22 a.m.
Size 288.5KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 a3cc4a0054f5c47f3513117efaf2f335
SHA256 cefe1e1d4b0be963ecf7da33972135afa8920826b7e71fb7281d4e688e4af5bf
CRC32 FC6A125E
ssdeep 6144:x7u5RwxzF2LrCrQk1tUeJpj/4iM8wangu2+UvQ/KpmOq:x72yxzF2LWrQkL/4lRKMvQ/Kp
PDB Path rstrui.pdb
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware

IP Address Status Action
104.26.5.15 Active Moloch
164.124.101.2 Active Moloch
23.41.113.9 Active Moloch
39.109.117.123 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49165 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49180 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49182 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49186 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49174 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49184 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49161 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49173 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49164 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49171 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49179 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49176 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49185 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49178 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49181 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49193 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49183 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49187 -> 39.109.117.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49166 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49165 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49168 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49170 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49175 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49177 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49180 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49182 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49186 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49174 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49184 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49161 -> 39.109.117.123:443 | C=US, O=Let's Encrypt, CN=R3 | CN=i.alie3ksgaa.com | ca:3f:77:18:57:ea:1e:58:26:f4:e0:05:79:5c:16:05:aa:53:de:47
TLSv1 192.168.56.101:49167 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49173 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49164 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49172 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49171 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49179 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49176 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49185 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49178 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49181 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49193 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49183 -> 39.109.117.123:443 | None | None | None
TLSv1 192.168.56.101:49187 -> 39.109.117.123:443 | None | None | None

pdb_path rstrui.pdb
resource name MUI
request GET http://x1.i.lencr.org/
API call: NtProtectVirtualMemory
  process_identifier: 2552
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 8192
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00000000ff7fa000
  process_handle: 0xffffffffffffffff (the current-process pseudo-handle)
  Status: 1 (success), Return: 0, Repeated: 0

API call: GetAdaptersAddresses
  flags: 15 (GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER)
  family: 0 (AF_UNSPEC)
  Return: 111 (ERROR_BUFFER_OVERFLOW, the buffer-size probe of a first call), Repeated: 0
section .rsrc (virtual_address 0x00030000, virtual_size 0x0001a000, size_of_data 0x00019c00, entropy 7.4024): A section with a high entropy has been found
entropy 0.3583: Overall entropy of this PE file is high (the value is not a whole-file entropy on the 0-8 bits/byte scale but the share of section data held in high-entropy sections, here the 0x19c00 bytes of .rsrc)
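The two entropy signatures above can be reproduced offline. The following is an added example written for this report, not ZeroBOX code: a pure-Python PE section-table parser, per-section Shannon entropy in bits/byte, and the share of section bytes that sit in high-entropy sections. The 6.8 bits/byte and 0.2 thresholds, the UPX section-name check and the constructed sample PE32+ image (a four-byte-pattern `.text` beside a pseudo-random `.rsrc`) are all assumptions of the example.

```python
"""Per-section Shannon entropy and high-entropy share for a PE file, in pure Python.
Added example for this report (not ZeroBOX code); the 6.8 bits/byte and 0.2 thresholds are
assumptions modelled on the usual sandbox packer-entropy signature."""
from __future__ import annotations

import math
import random
import struct
from collections import Counter
from dataclasses import dataclass

HIGH_ENTROPY_BITS = 6.8  # assumption: a section above this is treated as compressed/encrypted
PACKED_RATIO = 0.2       # assumption: whole-file threshold on the high-entropy share
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # section names a default UPX build leaves in place


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_offset: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list[Section]:
    """Walk MZ header -> PE signature -> COFF header -> section table (PE32 and PE32+ alike)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_header_size  # the COFF header is 20 bytes; each section header is 40
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", pe, table + i * 40)
        data = pe[roff:roff + rsize]     # raw on-disk bytes, which is what a packer compresses
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, rsize, roff,
                                shannon_entropy(data)))
    return sections


def packed_ratio(sections: list[Section]) -> float:
    """Fraction of all section data that sits in sections above HIGH_ENTROPY_BITS."""
    total = sum(s.raw_size for s in sections)
    high = sum(s.raw_size for s in sections if s.entropy > HIGH_ENTROPY_BITS)
    return high / total if total else 0.0


def assess(pe: bytes) -> dict:
    """The report's two entropy checks plus a UPX section-name check, over one PE image."""
    sections = parse_sections(pe)
    ratio = packed_ratio(sections)
    return {
        "sections": sections,
        "high_entropy": [s.name for s in sections if s.entropy > HIGH_ENTROPY_BITS],
        "packed_ratio": ratio,
        "upx_sections": [s.name for s in sections if s.name in UPX_SECTION_NAMES],
        "likely_packed": ratio > PACKED_RATIO or any(s.name in UPX_SECTION_NAMES for s in sections),
    }


def build_sample_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE32+ image from (name, raw data) pairs; test input, not a real binary."""
    opt_header_size = 240                      # size of a PE32+ optional header
    header_len = 0x40 + 4 + 20 + opt_header_size + 40 * len(sections)
    header_len = (header_len + 0x1FF) & ~0x1FF  # round up to FileAlignment 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_header_size, 0x22)
    opt = bytearray(opt_header_size)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    table, body, raw_off, vaddr = b"", b"", header_len, 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr, len(data),
                             raw_off, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_off += len(data)
        vaddr += (len(data) + 0xFFF) & ~0xFFF  # next section on a 4 KiB page boundary
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(header_len, b"\0")
    return header + body


def sample_report() -> dict:
    """Constructed sample: a low-entropy code section beside a pseudo-random .rsrc, as in the report."""
    rng = random.Random(7)
    text = b"\x48\x89\xe5\xc3" * 2048                       # four symbols, uniform: exactly 2.0 bits/byte
    rsrc = bytes(rng.getrandbits(8) for _ in range(4096))  # close to 8 bits/byte
    return assess(build_sample_pe([(b".text", text), (b".rsrc", rsrc)]))
```

On the real sample, `assess(open(path, "rb").read())` should list `.rsrc` (0x19c00 bytes at 7.40 bits/byte) as the only high-entropy section and give a share near the reported 0.3583. The arithmetic supports reading the figure that way: 0x19c00 is 105,472 bytes, and 105,472 / 0.358260869565 is 294,400 bytes of section data, which is the 295,424-byte file less a 1,024-byte header. A whole-file entropy of 0.36 bits/byte would mean a nearly constant file, which a 7.4-entropy section rules out.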
host 104.26.5.15
Antivirus Result
Bkav W32.HanuwLimziAC.Trojan
Lionic Trojan.Win32.Fabookie.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win64.BadFile.dh
Cylance unsafe
VirIT Trojan.Win64.Agent.BBA
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/TrojanDownloader.Agent.APQ
APEX Malicious
McAfee GenericRXAA-FA!A3CC4A0054F5
Avast Win64:Evo-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
Rising Trojan.Agent!1.F474 (CLASSIC)
F-Secure Heuristic.HEUR/AGEN.1366905
DrWeb Trojan.DownLoader45.62122
TrendMicro Trojan.Win64.PRIVATELOADER.YXECTZ
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
Google Detected
Avira HEUR/AGEN.1366905
Kingsoft Win32.Troj.Unknown.a
Gridinsoft Trojan.Win64.Gen.tr
Microsoft Trojan:Win64/PrivateLoader
ViRobot Trojan.Win.Z.Agent.295424.EU
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win64.Trojan.Agent.P9O46O
AhnLab-V3 Trojan/Win.DropperX-gen.R593159
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
Panda Trj/Chgt.AD
Tencent Win64.Trojan-Downloader.Oader.Ncnw
Fortinet W64/Agent.APQ!tr.dldr
AVG Win64:Evo-gen [Trj]
CrowdStrike win/malicious_confidence_100% (W)
alibabacloud Trojan[downloader]:Win/Agent.APQ