Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.27 06:04
8937.e9c8f83d94118188....
04.27 06:04
7914.753c477fc6135f24....
04.27 06:04
gtm.js.pobrane
04.27 06:04
7d0bf13e-79a638a0b87a8...
04.27 06:04
webpack-6751726d88b2d8...
04.27 06:04
6814.91bf0d11abffee40....
04.27 06:04
main-292e27553c8f5cb8....
04.27 06:04
framework-ca706bf673a1...
04.27 06:04
ee8b1517-cc4d7300db272...
04.27 06:04
75fc9c18-02b28d24f737c...

Latest News
04.27 06:04
PIF’s Sanabil Backs Mi...
04.27 05:04
Deep Dive on Panel Making
04.27 02:04
Storm-1977 Hits Educat...
04.27 02:04
Creating An Electronic...
04.27 11:04
Another Coil Winder Pr...
04.27 10:04
IT Sicherheitsnews tae...
04.27 10:04
IT Sicherheitsnews tae...
04.27 10:04
북한 라자루스, 한국 금융·IT·통신 분...
04.27 09:04
SAP 넷위버 제로데이 취약점 사이버공격...
04.27 09:04
Updte: zipdump.py Vers...

Summary | ZeroBOX

setup.exe

Generic Malware Malicious Library Antivirus UPX Malicious Packer OS Processor Check PE32 PE File CAB

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 24, 2025, 10:13 a.m.	March 24, 2025, 10:24 a.m.

Size	3.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c2c13e8b677ff2f552b1ded66b87549d`
SHA256	`22a07506913757e97f80ad6b8f1a2a9ec44d18b0e31fdc7adb89e3506c1ffcda`
CRC32	`DB2CF96C`
ssdeep	`98304:z0Fxb8yuO+WFwLId3DUVxaZumRdhfCqcqmP/C1:z0Fxb8yuO+JLA3DUuX`
PDB Path	C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Antivirus - Contains references to security software CAB_file_format - CAB archive file IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
2552

Name	Response	Post-Analysis Lookup
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
164.124.101.2	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 20.200.245.247:443 -> 192.168.56.101:49163	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49161 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 24, 2025, 10:13 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.didat
section	.fptable

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 24, 2025, 10:13 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 24, 2025, 10:13 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72502000 process_handle: 0xffffffff	1	0	0

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA March 24, 2025, 10:13 a.m.	key_handle: 0x000003a0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Win32.Generic.4!c
ALYac	Gen:Variant.Fragtor.807103
Cylance	Unsafe
VIPRE	Gen:Variant.Fragtor.807103
BitDefender	Gen:Variant.Fragtor.807103
Arcabit	Trojan.Fragtor.DC50BF
Symantec	Trojan.Gen.MBT
Avast	FileRepMalware [Misc]
MicroWorld-eScan	Gen:Variant.Fragtor.807103
Emsisoft	Gen:Variant.Fragtor.807103 (B)
McAfeeD	ti!22A075069137
CTX	exe.trojan.fragtor
Sophos	Generic Reputation PUA (PUA)
FireEye	Gen:Variant.Fragtor.807103
Google	Detected
Xcitium	ApplicUnwnt@#34zjct6ev8lsk
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Fragtor.807103
Varist	W32/ABTrojan.NBGS-2579
AhnLab-V3	Malware/Win.Generic.C5743781
McAfee	Artemis!C2C13E8B677F
DeepInstinct	MALICIOUS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R014H09CL25
Fortinet	W32/PossibleThreat
AVG	FileRepMalware [Misc]