Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 3, 2024, 9:27 a.m.	Sept. 3, 2024, 9:40 a.m.

Size	12.5KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`06f13f50c4580846567a644eb03a11f2`
SHA256	`0636e8f9816b17d7cff26ef5d280ce1c1aae992cda8165c6f4574029258a08a9`
CRC32	`90CFFF6F`
ssdeep	`192:cDnQvi7auc35nuKdhAWVIanaLvmr/XKTxnTc1BREVXLGDlNjA:cDn97auc35tAKIanayzKto1jEVQzj`
PDB Path	C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdb
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

SolaraBootstrapper.exe "C:\Users\test22\AppData\Local\Temp\SolaraBootstrapper.exe"
1700

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.108.133
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.199.109.133	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 185.199.109.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 3, 2024, 9:27 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:27 a.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: ,gg, i8""8i ,dPYb, `8,,8' IP'`Yb `88' I8 8I console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: dP"8, I8 8' dP' `8a ,ggggg, I8 dP ,gggg,gg ,gggggg, ,gggg,gg dP' `Yb dP" "Y8gggI8dP dP" "Y8I dP""""8I dP" "Y8I _ ,dP' I8 i8' ,8I I8P console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: i8' ,8I ,8' 8I i8' ,8I "888,,____,dP,d8, ,d8' ,d8b,_ ,d8, ,d8b,,dP Y8,,d8, ,d8b, a8P"Y88888P" P"Y8888P" 8P'"Y88P"Y8888P"`Y88P `Y8P"Y8888P"`Y8 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: [-] Downloading latest version... console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: [-] Downloading dependencies... console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: Error downloading or extracting latest version: The request was aborted: Could not create SSL/TLS secure channel. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: [ -- ] Error getting current version. Contact @quivings with the error message: Could not find a part of the path 'C:\Users\test22\AppData\Local\Temp\Solara.Dir\bin\version.txt'. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: [ -- ] Error getting latest version. Contact @quivings with the error message: The request was aborted: Could not create SSL/TLS secure channel. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: [-] Downloading latest version... console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: [-] Downloading dependencies... console_handle: 0x00000007	1	1
WriteConsoleA Sept. 3, 2024, 9:28 a.m.	buffer: Error downloading or extracting latest version: The request was aborted: Could not create SSL/TLS secure channel. console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 3, 2024, 9:27 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 3, 2024, 9:27 a.m.	process_identifier: 1700 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:27 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:27 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:27 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:27 a.m.	process_identifier: 1700 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:27 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:27 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:28 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 3, 2024, 9:28 a.m.	flags: 15 family: 0		111	0

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Lionic	Trojan.Win32.GameHack.4!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.73909637
VIPRE	Trojan.GenericKD.73909637
Sangfor	PUP.Win32.Gamehack.Vu4d
K7AntiVirus	Adware ( 005693e61 )
BitDefender	Trojan.GenericKD.73909637
K7GW	Adware ( 005693e61 )
Cybereason	malicious.0c4580
Arcabit	Trojan.Generic.D467C585
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GameHack.BZR potentially unsafe
McAfee	Artemis!06F13F50C458
MicroWorld-eScan	Trojan.GenericKD.73909637
Emsisoft	Trojan.GenericKD.73909637 (B)
McAfeeD	ti!0636E8F9816B
FireEye	Trojan.GenericKD.73909637
Sophos	Generic Reputation PUA (PUA)
Webroot	W32.Adware.Gen
MAX	malware (ai score=88)
Gridinsoft	Trojan.Win32.GameHack.sa
Microsoft	PUA:Win32/Packunwan
GData	Trojan.GenericKD.73909637
Varist	W32/ABApplication.CWEO-7179
DeepInstinct	MALICIOUS
Malwarebytes	RiskWare.GameHack
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Adware/GameHack
Paloalto	generic.ml

SolaraBootstrapper.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All