Summary | ZeroBOX

Main.exe

Tags Malicious Library, Antivirus, UPX, PE File, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6403_us
Started June 25, 2024, 7:46 a.m.
Completed June 25, 2024, 7:57 a.m.
Size 208.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 9ec7f08c85bfa1b267761f225b68ab0b
SHA256 9f685df11e2b24e55ae610d8fe4f9ea005b8dba84d4de97be0cce7fc7ae3c5ca
CRC32 AD9D896A
ssdeep 3072:AZWAfSR9CehJX4rRUiAPukFhm8qfuDUM41wvnFsocOHYpk5GK+lGjCQYpY:WDEBbAUUkFhfDs1w/uFrYjCQYp
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
104.76.78.101 Active Moloch
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
5.75.208.137 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49161 -> 104.76.78.101:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49166 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49164 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49165 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49164 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49164 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity

Suricata TLS

Flow TLSv1 192.168.56.103:49161 -> 104.76.78.101:443
Issuer C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA
Subject unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com
Fingerprint 10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

API calls (status, return, repeated)

GetComputerNameA computer_name: TEST22-PC (status 1, return 1, repeated 0)
GetComputerNameW computer_name: TEST22-PC (status 1, return 1, repeated 0)
GetComputerNameW computer_name: TEST22-PC (status 1, return 1, repeated 0)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
__exception__

stacktrace:
main+0x15e43 @ 0xf5e43
main+0x18333 @ 0xf8333
main+0x18949 @ 0xf8949
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 40 08 03 47 08 89 5d fc 89 46 08 40 50 c7 45
exception.symbol: main+0xffe1
exception.instruction: mov eax, dword ptr [eax + 8]
exception.module: Main.exe
exception.exception_code: 0xc0000005
exception.offset: 65505
exception.address: 0xeffe1
registers.esp: 43622812
registers.edi: 43623216
registers.eax: 1
registers.ebp: 43622840
registers.edx: 1943660253
registers.ebx: 0
registers.esi: 43623204
registers.ecx: 43623216
(status 1, return 0, repeated 0)
suspicious_features GET method with no useragent header
suspicious_request GET https://steamcommunity.com/profiles/76561199677575543
request GET https://steamcommunity.com/profiles/76561199677575543
wmi
host 5.75.208.137
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process Main.exe useragent
process Main.exe useragent Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Vidar.4!c
Elastic Windows.Generic.Threat
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win32.Dropper.dh
ALYac Gen:Variant.Fragtor.498183
Cylance Unsafe
VIPRE Gen:Variant.Fragtor.498183
Sangfor Trojan.Win32.Fragtor.Vo0i
K7AntiVirus Trojan ( 005a977a1 )
BitDefender Gen:Variant.Fragtor.498183
K7GW Trojan ( 005a977a1 )
Cybereason malicious.c85bfa
Arcabit Trojan.Fragtor.D79A07
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Vidar.A
APEX Malicious
McAfee Artemis!9EC7F08C85BF
Avast Win32:Vidar-A [CryptoStl]
ClamAV Win.Malware.Trojanx-10020177-0
Kaspersky Trojan-PSW.Win32.Stealerc.ksp
Alibaba TrojanPSW:Win32/Stealerc.1aec6c23
NANO-Antivirus Trojan.Win32.Redcap.kmdmfk
MicroWorld-eScan Gen:Variant.Fragtor.498183
Rising Trojan.Vidar!8.114A8 (TFE:4:Cl4R3ucypxL)
Emsisoft Gen:Variant.Fragtor.498183 (B)
F-Secure Trojan.TR/Redcap.xvqpd
DrWeb Trojan.PWS.Stealer.38809
Zillya Trojan.Stealerc.Win32.32963
TrendMicro TrojanSpy.Win32.VIDAR.YXEDXZ
McAfeeD Real Protect-LS!9EC7F08C85BF
Trapmine malicious.high.ml.score
FireEye Generic.mg.9ec7f08c85bfa1b2
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Vidar
Webroot W32.Trojan.Gen
Google Detected
Avira TR/Redcap.xvqpd
MAX malware (ai score=80)
Antiy-AVL Trojan[PSW]/Win32.Vidar
Kingsoft Win32.Troj.Unknown.a
Gridinsoft Spy.Win32.Vidar.tr
Xcitium Malware@#hvhruuheed8l
Microsoft Trojan:Win32/StealC.SZ!MTB
ZoneAlarm Trojan-PSW.Win32.Stealerc.ksp
GData Gen:Variant.Fragtor.498183
Varist W32/ABRisk.IDZY-1452
AhnLab-V3 Trojan/Win.Stealc.C5616315
BitDefenderTheta AI:Packer.FE912C601F
DeepInstinct MALICIOUS
dead_host 192.168.56.103:49163
dead_host 5.75.208.137:443