Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 30, 2025, 2:09 p.m.	March 30, 2025, 2:13 p.m.

Size	3.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`835a2a0a948ed3464df9c5811d56a310`
SHA256	`e26ededbe9b8f3d8d61d9d8f60ef652df642b51547d9ca2dee23f2cf3f67bebe`
CRC32	`044584C8`
ssdeep	`98304:z0Fxb8yuO+WFwLId3DUVxaZumRdhfCqcqmP/CT:z0Fxb8yuO+JLA3DUut`
PDB Path	C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library Antivirus - Contains references to security software CAB_file_format - CAB archive file IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

Name	Response	Post-Analysis Lookup
pub-cba497f350194e308a09f98ef358c552.r2.dev	A 172.66.0.235 A 162.159.140.237	172.66.0.235
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.52.33.11	23.52.33.11

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 172.66.0.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49161 172.66.0.235:443	C=US, O=Let's Encrypt, CN=R11	CN=*.r2.dev	aa:79:da:cd:20:a6:72:e4:79:6f:4a:2a:74:7a:e5:95:5e:1c:21:4e

pdb_path

C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 30, 2025, 2:09 p.m.		1	1	0

section	.didat
section	.fptable

request

GET http://x1.i.lencr.org/

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 30, 2025, 2:09 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 30, 2025, 2:09 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72502000 process_handle: 0xffffffff	1	0	0

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 30, 2025, 2:09 p.m.	flags: 15 family: 0		111	0

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA March 30, 2025, 2:09 p.m.	key_handle: 0x000003a4 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

ALYac	Gen:Variant.Fragtor.807103
Cylance	Unsafe
VIPRE	Gen:Variant.Fragtor.807103
BitDefender	Gen:Variant.Fragtor.807103
Arcabit	Trojan.Fragtor.DC50BF
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.DXMLDYZ
Avast	FileRepMalware [Misc]
MicroWorld-eScan	Gen:Variant.Fragtor.807103
Emsisoft	Gen:Variant.Fragtor.807103 (B)
DrWeb	Trojan.Lyrics.2419
McAfeeD	ti!E26EDEDBE9B8
CTX	exe.trojan.fragtor
Sophos	Generic Reputation PUA (PUA)
FireEye	Gen:Variant.Fragtor.807103
Webroot	W32.Trojan.Gen
Google	Detected
Microsoft	Program:Win32/Wacapew.C!ml
GData	Gen:Variant.Fragtor.807103
Varist	W32/ABTrojan.WTQB-6621
AhnLab-V3	Malware/Win.Generic.C5743781
McAfee	Artemis!835A2A0A948E
DeepInstinct	MALICIOUS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09CO25
Fortinet	W32/PossibleThreat
AVG	FileRepMalware [Misc]

setup.exe