Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 7, 2024, 9:49 a.m.	Aug. 7, 2024, 9:57 a.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fc99ddf185aa553bf30c431cc897c903`
SHA256	`48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939`
CRC32	`FE0717FB`
ssdeep	`49152:Uk8BMMcyO6uzNJbIdNJbnwppkcWAta0PH1i:HasZ6uJJb6UJNa0`
Yara	ftp_command - ftp command Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
1440

Name	Response	Post-Analysis Lookup
myexternalip.com	A 34.160.111.145	34.160.111.145
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
34.160.111.145	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
TCP 149.154.167.220:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49161 -> 34.160.111.145:80	2019980	ET POLICY External IP Check myexternalip.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Aug. 7, 2024, 9:49 a.m.	ip_address: 127.0.0.1 socket: 808 port: 0	1	0
listen Aug. 7, 2024, 9:49 a.m.	socket: 808 backlog: 1	1	0
accept Aug. 7, 2024, 9:49 a.m.	ip_address: socket: 808 port: 0	1	816

Performs some HTTP requests (1 event)

request

GET http://myexternalip.com/raw

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 1440 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 1440 region_size: 1495040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

myexternalip.com

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0016d000', u'virtual_address': u'0x000b2000', u'entropy': 7.700502993550364, u'name': u'.rsrc', u'virtual_size': u'0x0016ce28'}

entropy

7.70050299355

description

A section with a high entropy has been found

entropy

0.669264267706

description

Overall entropy of this PE file is high

Terminates another process (20 events)

Time & API	Arguments	Status
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2192 process_handle: 0x0000032c
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2192 process_handle: 0x0000032c	1
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2228 process_handle: 0x0000037c
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2228 process_handle: 0x0000037c	1
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2268 process_handle: 0x00000384
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2268 process_handle: 0x00000384	1
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2316 process_handle: 0x0000039c
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2316 process_handle: 0x0000039c	1
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2404 process_handle: 0x000003a0
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2404 process_handle: 0x000003a0	1
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2440 process_handle: 0x000003a8
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2440 process_handle: 0x000003a8	1
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2476 process_handle: 0x000003b0
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2476 process_handle: 0x000003b0	1
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2512 process_handle: 0x000003b8
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2512 process_handle: 0x000003b8	1
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2688 process_handle: 0x000003c0
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2688 process_handle: 0x000003c0	1
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2824 process_handle: 0x000003c8
NtTerminateProcess Aug. 7, 2024, 9:49 a.m.	status_code: 0x00000000 process_identifier: 2824 process_handle: 0x000003c8	1

Allocates execute permission to another process indicative of possible code injection (10 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2192 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000032c	3221225496
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2228 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000037c	3221225496
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2268 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000384	3221225496
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2316 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c	3221225496
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2404 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	3221225496
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2440 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8	3221225496
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2476 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b0	3221225496
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2512 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b8	3221225496
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2688 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c0	3221225496
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2824 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c8	3221225496

Manipulates memory of a non-child process indicative of process injection (20 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 1440 manipulating memory of non-child process 2192
Process injection	Process 1440 manipulating memory of non-child process 2228
Process injection	Process 1440 manipulating memory of non-child process 2268
Process injection	Process 1440 manipulating memory of non-child process 2316
Process injection	Process 1440 manipulating memory of non-child process 2404
Process injection	Process 1440 manipulating memory of non-child process 2440
Process injection	Process 1440 manipulating memory of non-child process 2476
Process injection	Process 1440 manipulating memory of non-child process 2512
Process injection	Process 1440 manipulating memory of non-child process 2688
Process injection	Process 1440 manipulating memory of non-child process 2824
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2192 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000032c	3221225496	0
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2228 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000037c	3221225496	0
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2268 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000384	3221225496	0
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2316 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c	3221225496	0
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2404 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	3221225496	0
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2440 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8	3221225496	0
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2476 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b0	3221225496	0
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2512 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b8	3221225496	0
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2688 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c0	3221225496	0
NtAllocateVirtualMemory Aug. 7, 2024, 9:49 a.m.	process_identifier: 2824 region_size: 1515520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c8	3221225496	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Aug. 7, 2024, 9:49 a.m.	ordinal: 0 function_address: 0x004824f8 function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Fragtor.599953
Cylance	Unsafe
VIPRE	Gen:Variant.Fragtor.599953
K7AntiVirus	Trojan ( 005b83401 )
BitDefender	Gen:Variant.Fragtor.599953
K7GW	Trojan ( 005b83401 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/DarkGate.N
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Strab.gen
MicroWorld-eScan	Gen:Variant.Fragtor.599953
Emsisoft	Gen:Variant.Fragtor.599953 (B)
McAfeeD	Real Protect-LS!FC99DDF185AA
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.fc99ddf185aa553b
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Suspicious PE
Google	Detected
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Win32.Sonbokli
Microsoft	Trojan:Win32/DarkGate.BAN!MTB
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Gen:Variant.Fragtor.599953
Varist	W32/Dropper.gen8!Maximus
BitDefenderTheta	Gen:NN.ZexaF.36810.iwW@a493owhi
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.2940456612
Tencent	Malware.Win32.Gencirc.1412caa7
MaxSecure	Trojan.Malware.300983.susgen
CrowdStrike	win/malicious_confidence_90% (D)

setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All