Summary | ZeroBOX

setup222.exe

Downloader PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started June 17, 2024, 1:25 p.m.
Completed June 17, 2024, 1:28 p.m.
Size 96.5KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 8677376c509f0c66d1f02c6b66d7ef90
SHA256 f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96
CRC32 97B8BA0F
ssdeep 1536:xcUkaFWP1/og2gnKHNk9DsMvWhuZMTz2PdA24LhtpgcIPfuaNZ:xchd1/NKU1u+A0fuQ
Yara
  • Network_Downloader - File Downloader
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

IP Address Status Action
121.254.136.18 Active Moloch
164.124.101.2 Active Moloch
172.67.198.131 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49166 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49173 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49163 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49168 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49169 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49174 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49171 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49170 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49172 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49175 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49167 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Version | Flow | Issuer | Subject | Fingerprint (SHA1)
TLSv1 | 192.168.56.103:49166 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49173 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49168 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49169 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49174 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49171 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49170 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49172 -> 172.67.198.131:443 | None | None | None
TLSv1 | 192.168.56.103:49175 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49163 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49167 -> 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94

All eleven sessions go to the same server, and every one of them is the flow that raised the SSLBL JA3 alert above. Note that the alert is a client-side fingerprint match: it says the sample's TLS client hello looks like one on the SSL Blacklist (tagged Tofsee there), not that the server or its Let's Encrypt certificate is known bad. The session on port 49172 was logged without any certificate fields, which is what Suricata records when no certificate is exchanged (a resumed session, for example); it still belongs to the same client and server pair.
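The two Suricata tables above are easier to pivot on once they are turned into structured records. The script below is an added example written for this page, not code from ZeroBOX or from the report; it parses the alert rows and the four-line TLS records in the exact layout the report uses (the sample rows embedded in it are copied from the tables above), and then builds the cross-check a practitioner wants: which servers were contacted, which signatures fired and how often, which certificates were seen, which sessions carried no certificate, and whether any TLS session lacks a matching alert. The function and class names are this example's own.

```python
"""Parse ZeroBOX/Cuckoo-style Suricata alert and TLS rows into IOC records.

Added example for this page, not part of the ZeroBOX report. The rows below
are constructed input copied from the report's own tables (all 11 alerts and
4 of the 11 TLS sessions, including the one logged without a certificate).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ALERT_ROWS = """\
TCP 192.168.56.103:49166 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49173 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49163 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49168 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49169 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49174 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49171 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49170 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49172 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49175 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49167 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
"""

# The report prints each TLS session as four lines: version, client, server,
# then issuer + subject + SHA1 fingerprint on one line ("None None None" when
# Suricata logged no certificate for the session).
TLS_ROWS = """\
TLSv1
192.168.56.103:49166
172.67.198.131:443
C=US, O=Let's Encrypt, CN=E5 CN=boredombusters.online ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1
192.168.56.103:49173
172.67.198.131:443
C=US, O=Let's Encrypt, CN=E5 CN=boredombusters.online ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1
192.168.56.103:49172
172.67.198.131:443
None None None
TLSv1
192.168.56.103:49175
172.67.198.131:443
C=US, O=Let's Encrypt, CN=E5 CN=boredombusters.online ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
"""

# Greedy "sig" backtracks so that the final whitespace-free token is the category.
ALERT_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src>\S+) -> (?P<dst>\S+) (?P<sid>\d+) (?P<sig>.+) (?P<cat>\S+)$"
)
# Issuer runs up to and including its CN=..., the subject is the next CN=...,
# and the fingerprint is 20 colon-separated hex bytes (SHA1).
CERT_RE = re.compile(
    r"^(?P<issuer>.*?CN=\S+) (?P<subject>CN=\S+) (?P<fp>(?:[0-9a-f]{2}:){19}[0-9a-f]{2})$"
)


@dataclass(frozen=True)
class Alert:
    proto: str
    src: str
    dst: str
    sid: int
    signature: str
    category: str


@dataclass(frozen=True)
class TlsSession:
    version: str
    src: str
    dst: str
    issuer: Optional[str]
    subject: Optional[str]
    fingerprint: Optional[str]


def parse_alerts(text: str) -> list:
    """One Alert per non-empty row; refuse rows that do not fit the layout."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised alert row: {line!r}")
        alerts.append(Alert(m["proto"], m["src"], m["dst"], int(m["sid"]), m["sig"], m["cat"]))
    return alerts


def parse_tls(text: str) -> list:
    """Consume the four-line records; a 'None None None' row yields a cert-less session."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("TLS table is not a multiple of four lines")
    sessions = []
    for i in range(0, len(lines), 4):
        version, src, dst, cert = lines[i:i + 4]
        if cert == "None None None":
            sessions.append(TlsSession(version, src, dst, None, None, None))
            continue
        m = CERT_RE.match(cert)
        if not m:
            raise ValueError(f"unrecognised certificate row: {cert!r}")
        sessions.append(TlsSession(version, src, dst, m["issuer"], m["subject"], m["fp"]))
    return sessions


def summarize(alerts: list, sessions: list) -> dict:
    """Pivot both tables into the facts an analyst would carry forward."""
    alerted_flows = {(a.src, a.dst) for a in alerts}
    return {
        "servers": sorted({a.dst for a in alerts} | {s.dst for s in sessions}),
        "signatures": dict(Counter((a.sid, a.signature) for a in alerts)),
        "certificates": sorted({(s.subject, s.fingerprint) for s in sessions if s.fingerprint}),
        "sessions_without_cert": [s.src for s in sessions if s.fingerprint is None],
        "sessions_without_alert": [s.src for s in sessions if (s.src, s.dst) not in alerted_flows],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(ALERT_ROWS), parse_tls(TLS_ROWS)).items():
        print(f"{key}: {value}")
```

Both parsers fail loudly on a row they do not understand rather than skipping it, because a silently dropped row is exactly the IOC you miss. The `sessions_without_alert` list is the useful negative check: an empty list here means every TLS session in the report is covered by the JA3 signature, so the fingerprint is a property of the sample's TLS client rather than of one particular connection.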

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
file C:\Users\test22\AppData\Local\Temp\SetupWizard.exe

Time & API | Arguments | Return | Repeated
GetAdaptersAddresses | flags: 15, family: 0 | 111 | 0

On that API row: flags 15 is GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER and family 0 is AF_UNSPEC, so the call enumerates adapters without their address lists. Return value 111 is ERROR_BUFFER_OVERFLOW, the normal result of the first, buffer-sizing call, not a failure.

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

The GET to apps.identrust.com and the write under SystemCertificates\ROOT\Certificates are consistent with Windows CryptoAPI building and caching the chain for the Let's Encrypt certificate seen in the TLS table (the cross-signed chain points at dstrootcax3.p7c for its root), so treat them as side effects of the TLS connection rather than as behaviour implemented by the sample itself.
Antivirus

Vendor Result
Lionic Trojan.Win32.Casdet.4!c
Elastic malicious (high confidence)
ALYac Trojan.Generic.36329745
VIPRE Trojan.Generic.36329745
Sangfor Trojan.Win32.Casdet.Vzf2
BitDefender Trojan.Generic.36329745
Arcabit Trojan.Generic.D22A5911
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win64:MalwareX-gen [Trj]
MicroWorld-eScan Trojan.Generic.36329745
Emsisoft Trojan.Generic.36329745 (B)
F-Secure Trojan.TR/Casdet.zzkxf
McAfeeD ti!F7AFAC39D275
FireEye Trojan.Generic.36329745
Sophos Mal/Generic-S
Ikarus Trojan-Downloader.Win32.Generic
Webroot W32.Malware.Gen
Google Detected
Avira TR/Casdet.zzkxf
MAX malware (ai score=80)
Gridinsoft Trojan.Win64.Downloader.cl
Microsoft Trojan:Win32/Casdet!rfn
GData Trojan.Generic.36329745
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
Panda Trj/Agent.AY
TrendMicro-HouseCall TROJ_GEN.R002H01FD24
Fortinet W32/PossibleThreat
AVG Win64:MalwareX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_90% (D)