Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 9, 2024, 7:47 a.m.	Aug. 9, 2024, 7:55 a.m.

Size	2.6MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`6a60f6fbd451bfb11d0c943706ceda0a`
SHA256	`82c2f0af2f595ff2656f3c418246ffd7f8daa22d0cc38605977def4e42fd32bd`
CRC32	`B28E7321`
ssdeep	`49152:BYdvcy8kcu0RxBU+89fH341MhWCDlRA6BXuhb4cFxcuUo:BYdcl/3RxeH3dhV4LhUcFxcuUo`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description)

bsso_launcher_v1.exe "C:\Users\test22\AppData\Local\Temp\bsso_launcher_v1.exe"
2544
- bsso_tor.exe "C:\Users\test22\AppData\Local\Temp\\bsso_tor.exe"
  2712

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
137.226.34.45	Active	Moloch
145.239.136.129	Active	Moloch
178.33.36.64	Active	Moloch
199.195.253.180	Active	Moloch
84.240.60.234	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 199.195.253.180:9000 -> 192.168.56.101:49170	2520069	ET TOR Known Tor Exit Node Traffic group 70	Misc Attack
TCP 199.195.253.180:9000 -> 192.168.56.101:49170	2522069	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 70	Misc Attack
TCP 178.33.36.64:8080 -> 192.168.56.101:49175	2522257	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 258	Misc Attack
TCP 145.239.136.129:8080 -> 192.168.56.101:49171	2522193	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 194	Misc Attack
TCP 84.240.60.234:9001 -> 192.168.56.101:49172	2522787	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 788	Misc Attack
TCP 137.226.34.45:9008 -> 192.168.56.101:49174	2522169	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170	Misc Attack
TCP 137.226.34.45:9008 -> 192.168.56.101:49182	2522169	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170	Misc Attack

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49170 199.195.253.180:9000	None	None	None
TLS 1.3 192.168.56.101:49175 178.33.36.64:8080	None	None	None
TLS 1.3 192.168.56.101:49171 145.239.136.129:8080	None	None	None
TLS 1.3 192.168.56.101:49172 84.240.60.234:9001	None	None	None
TLS 1.3 192.168.56.101:49177 178.33.36.64:8080	None	None	None
TLS 1.3 192.168.56.101:49174 137.226.34.45:9008	None	None	None
TLS 1.3 192.168.56.101:49180 178.33.36.64:8080	None	None	None
TLS 1.3 192.168.56.101:49178 137.226.34.45:9008	None	None	None
TLS 1.3 192.168.56.101:49182 137.226.34.45:9008	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 9, 2024, 7:40 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2024, 7:40 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 9, 2024, 7:40 a.m.	stacktrace: 0x170004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x170004 registers.r14: 5357484480 registers.r15: 0 registers.rcx: 468 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 86766744 registers.r11: 86767536 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 472 registers.r12: 0 registers.rbp: 86766880 registers.rdi: 0 registers.rax: 1507328 registers.r13: 0	1	0	0

Starts servers listening (8 events)

Time & API	Arguments	Status	Return
bind Aug. 9, 2024, 7:47 a.m.	ip_address: 127.0.0.1 socket: 344 port: 0	1	0
listen Aug. 9, 2024, 7:47 a.m.	socket: 344 backlog: 1	1	0
accept Aug. 9, 2024, 7:47 a.m.	ip_address: 127.0.0.1 socket: 344 port: 49166	1	376
bind Aug. 9, 2024, 7:47 a.m.	ip_address: 127.0.0.1 socket: 344 port: 9050	1	0
listen Aug. 9, 2024, 7:47 a.m.	socket: 344 backlog: 2147483647	1	0
bind Aug. 9, 2024, 7:47 a.m.	ip_address: 127.0.0.1 socket: 388 port: 0	1	0
listen Aug. 9, 2024, 7:47 a.m.	socket: 388 backlog: 1	1	0
accept Aug. 9, 2024, 7:47 a.m.	ip_address: 127.0.0.1 socket: 388 port: 49168	1	396

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	137.226.34.45
ip	145.239.136.129
ip	178.33.36.64
ip	199.195.253.180
ip	84.240.60.234

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 9, 2024, 7:40 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\bsso_tor.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 9, 2024, 7:40 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff90000 process_handle: 0xffffffffffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 9, 2024, 7:47 a.m.	flags: 14 family: 2	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00279600', u'virtual_address': u'0x00012000', u'entropy': 7.999801760102147, u'name': u'.data', u'virtual_size': u'0x0027c120'}

entropy

7.9998017601

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00003600', u'virtual_address': u'0x0028f000', u'entropy': 7.898432288310628, u'name': u'.rsrc', u'virtual_size': u'0x00003548'}

entropy

7.89843228831

description

A section with a high entropy has been found

entropy

0.974928229665

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (5 events)

host	137.226.34.45
host	145.239.136.129
host	178.33.36.64
host	199.195.253.180
host	84.240.60.234

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\bsso_tor.exe

Installs Tor on the machine (6 events)

file	C:\Users\test22\AppData\Roaming\tor\cached-certs
file	C:\Users\test22\AppData\Roaming\tor\cached-consensus
file	C:\Users\test22\AppData\Roaming\tor\cached-descriptors
file	C:\Users\test22\AppData\Roaming\tor\geoip
file	C:\Users\test22\AppData\Roaming\tor\state
file	C:\Users\test22\AppData\Roaming\tor\torrc

bsso_launcher_v1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All