Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 12, 2024, 8:48 a.m.	Aug. 12, 2024, 9:16 a.m.

Size	3.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d4e494aac738b34231cb341acb16b961`
SHA256	`eda401786b61b9b555596c6f88f1ea858c8946491b6a37688d6c7c859cb3a04a`
CRC32	`0A8B4B9D`
ssdeep	`98304:XT0oyl9J0T4FdTM4tSpnctPL+EyYLgTjzKlgknJ1g9+JXlxso:XTpg9J0S0nctaQAu9L7so`
PDB Path	C:\agent\_work\66\s\build\ship\x86\burn.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

InstallerPack_20.1.23770_win64.exe "C:\Users\test22\AppData\Local\Temp\InstallerPack_20.1.23770_win64.exe"
884

Name	Response	Post-Analysis Lookup
iili.io	A 104.21.235.69 A 104.21.235.70	104.21.235.69
gcdnb.pbrd.co	A 104.21.68.220 A 172.67.198.249	104.21.68.220

Flow	SID	Signature	Category
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2400012	ET DROP Spamhaus DROP Listed Traffic Inbound group 13	Misc Attack
TCP 192.168.56.103:49162 -> 172.67.198.249:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 104.21.235.70:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49162 172.67.198.249:443	C=US, O=Google Trust Services, CN=WE1	CN=pbrd.co	79:68:77:d6:5f:0e:f5:de:95:32:8b:ac:71:a4:7b:6d:21:61:a8:3f
TLSv1 192.168.56.103:49164 104.21.235.70:443	C=US, O=Google Trust Services, CN=WE1	CN=iili.io	8f:d4:58:59:55:6a:03:e7:74:8c:f7:04:b1:7d:6a:76:4a:67:63:27

pdb_path

C:\agent\_work\66\s\build\ship\x86\burn.pdb

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 8:48 a.m.		1	1	0

section

.wixburn

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 12, 2024, 8:48 a.m.	stacktrace: installerpack_20+0x4b14 @ 0x404b14 installerpack_20+0x4c0d @ 0x404c0d installerpack_20+0x3a58b @ 0x43a58b exception.instruction_r: 03 51 3c 89 55 f8 8b 45 f8 8b e5 5d c3 cc 55 8b exception.symbol: installerpack_20+0x3f83 exception.instruction: add edx, dword ptr [ecx + 0x3c] exception.module: InstallerPack_20.1.23770_win64.exe exception.exception_code: 0xc0000005 exception.offset: 16259 exception.address: 0x403f83 registers.esp: 35845980 registers.edi: 1971274591 registers.eax: 0 registers.ebp: 35845988 registers.edx: 0 registers.ebx: 3409856685 registers.esi: 4202993 registers.ecx: 0	1	0	0

suspicious_features	GET method with no useragent header				suspicious_request	GET https://gcdnb.pbrd.co/images/6oHgYLgr6bK3.png?o=1
suspicious_features	GET method with no useragent header				suspicious_request	GET https://iili.io/JNYCwle.png

request	GET https://gcdnb.pbrd.co/images/6oHgYLgr6bK3.png?o=1
request	GET https://iili.io/JNYCwle.png

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00402000 process_handle: 0xffffffff	1	0	0

host

91.92.240.41

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Rugmi.4!c
Elastic	malicious (moderate confidence)
CAT-QuickHeal	Trojan.Rugmi
Cylance	Unsafe
Symantec	Trojan.Gen.MBT
ESET-NOD32	Win32/TrojanDownloader.Rugmi.AAN
Avast	Win32:Malware-gen
Kaspersky	UDS:Trojan.Win32.Penguish
F-Secure	Trojan.TR/AVI.Agent.ipyqi
Zillya	Trojan.Penguish.Win32.350
TrendMicro	TrojanSpy.Win32.STEALC.E
McAfeeD	ti!EDA401786B61
Sophos	Mal/Generic-R
Google	Detected
Avira	TR/AVI.Agent.ipyqi
Antiy-AVL	Trojan/Win32.Rugmi
Kingsoft	Win32.Troj.Generic.v
Gridinsoft	Trojan.Win32.Gen.cl
Microsoft	Trojan:Win32/Rugmi!MSR
ZoneAlarm	UDS:Trojan.Win32.Penguish
GData	Win32.Trojan.Agent.VCQGXY
Varist	W32/ABTrojan.DVWK-2455
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.PyengyLoader
Ikarus	Trojan.Win32.Rugmi
TrendMicro-HouseCall	TrojanSpy.Win32.STEALC.E
Tencent	Malware.Win32.Gencirc.14136fff
MaxSecure	Trojan.Malware.116989021.susgen
Fortinet	Malicious_Behavior.SB
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan[downloader]:Win/Rugmi.AMS

InstallerPack_20.1.23770_win64.exe