Summary | ZeroBOX

sss.exe

Tags: Generic Malware, .NET framework(MSIL), Malicious Library, UPX, Malicious Packer, Anti_VM, PE File, OS Processor Check, JPEG Format, PE32, .NET EXE
Category FILE
Machine s1_win7_x6403_us
Started Aug. 17, 2024, 10:12 p.m.
Completed Aug. 17, 2024, 10:16 p.m.
Size 175.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 f93a30378f7682e1bf9f4adfbe5729be
SHA256 22490241e703aecb478572122c4dd5b1adf2fba6ea17b5922daf207fc7e0cc29
CRC32 DC00261B
ssdeep 3072:Ne8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTJwARE+WpCc:R6ewwIwQJ6vKX0c5MlYZ0b2C
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • Is_DotNET_EXE - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
104.16.184.241 Active Moloch
104.21.44.66 Active Moloch
149.154.167.220 Active Moloch
164.124.101.2 Active Moloch
194.58.114.223 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:64894 -> 164.124.101.2:53 2033966 ET HUNTING Telegram API Domain in DNS Lookup Misc activity
TCP 149.154.167.220:443 -> 192.168.56.103:49180 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 104.16.184.241:80 2017398 ET POLICY IP Check Domain (icanhazip. com in HTTP Host) Attempted Information Leak
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2054169 ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49180 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.220:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49180 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
TCP 149.154.167.220:443 -> 192.168.56.103:49181 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.220:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
TCP 192.168.56.103:49179 -> 104.21.44.66:443 2033010 ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 104.21.44.66:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.220:443 2033967 ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) Misc activity

Suricata TLS

Flow TLS 1.2 192.168.56.103:49179 -> 104.21.44.66:443
Issuer C=US, O=Google Trust Services, CN=WE1
Subject CN=mylnikov.org
Fingerprint 02:37:7c:02:dd:73:81:8e:66:ea:4a:15:58:23:d8:bd:6d:a6:d0:39

suspicious_features GET method with no useragent header suspicious_request GET http://icanhazip.com/
suspicious_features GET method with no useragent header suspicious_request GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00
request GET http://icanhazip.com/
request GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00
domain icanhazip.com
cmdline chcp 65001
cmdline netsh wlan show networks mode=bssid
cmdline netsh wlan show profile
host 194.58.114.223
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.AsyncRAT.i!c
Elastic Windows.Generic.Threat
MicroWorld-eScan Gen:Variant.Jalapeno.1652
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
Skyhigh BehavesLike.Win32.Generic.cm
ALYac Gen:Variant.Jalapeno.1652
Cylance Unsafe
VIPRE Gen:Variant.Jalapeno.1652
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0059277e1 )
BitDefender Gen:Variant.Jalapeno.1652
K7GW Trojan ( 0059277e1 )
Cybereason malicious.78f768
Arcabit Trojan.Jalapeno.D674
VirIT Trojan.Win32.GenusT.DTXQ
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.DWJ
APEX Malicious
McAfee FE_Trojan_MSIL_Generic_257
Avast Win32:KeyloggerX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Stealer.gen
Alibaba Backdoor:MSIL/AsyncRat.652903db
NANO-Antivirus Trojan.Win32.Stealer.kbmvdo
SUPERAntiSpyware Trojan.Agent/Gen-Crypt
Rising Stealer.Agent!1.D483 (CLASSIC)
Emsisoft Gen:Variant.Jalapeno.1652 (B)
F-Secure Heuristic.HEUR/AGEN.1365342
DrWeb Trojan.PWS.Stealer.39534
Zillya Trojan.Agent.Win32.2981387
McAfeeD Real Protect-LS!F93A30378F76
FireEye Generic.mg.f93a30378f7682e1
Sophos Mal/AsyncRat-C
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.MSIL.amfgq
Google Detected
Avira HEUR/AGEN.1365342
MAX malware (ai score=83)
Antiy-AVL Trojan[Backdoor]/MSIL.Crysan
Kingsoft MSIL.Trojan-PSW.Stealer.gen
Gridinsoft Trojan.Win32.Agent.sa
Microsoft Backdoor:MSIL/AsyncRat!atmn
ZoneAlarm HEUR:Trojan-PSW.MSIL.Stealer.gen
GData MSIL.Backdoor.DCRat.D
Varist W32/MSIL_Agent.BTI.gen!Eldorado
AhnLab-V3 Backdoor/Win.AsyncRAT.C4932402
BitDefenderTheta Gen:NN.ZemsilF.36812.km0@a4dXiEh
TACHYON Backdoor/W32.DN-Crysan.179200
DeepInstinct MALICIOUS
VBA32 Trojan.MSIL.InfoStealer.gen.D