Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 1, 2025, 8:34 a.m.	May 1, 2025, 8:37 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a1c4ce46b5789a6df061d489b7844b7e`
SHA256	`aa6832f460dda6faebf7db1d21d9214ab2ad28ad8348f59700fb062074a5595e`
CRC32	`23CF117E`
ssdeep	`49152:OnsHyjtk2MYC5GDOr3/5PkO553eEQwtqxl:Onsmtk2aJr/5PkOD3ejwtqxl`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer ASPack_Zero - ASPack packed file mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

b.exe "C:\Users\test22\AppData\Local\Temp\b.exe"
2560
- ._cache_b.exe "C:\Users\test22\AppData\Local\Temp\._cache_b.exe"
  2692
  - csrss2.exe C:\Users\test22\AppData\Local\Temp\csrss2.exe
    2740
- Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2800

Name	Response	Post-Analysis Lookup
www.dropbox.com	CNAME www-env.dropbox-dns.com A 162.125.84.18	162.125.84.18
xred.mooo.com
drive.usercontent.google.com	A 142.250.206.193	142.250.206.193
docs.google.com	A 142.250.206.206	172.217.161.206
freedns.afraid.org	A 69.42.215.252	69.42.215.252

IP Address	Status	Action
142.250.197.65	Active	Moloch
142.250.71.238	Active	Moloch
142.250.206.193	Active	Moloch
142.250.206.206	Active	Moloch
162.125.84.18	Active	Moloch
164.124.101.2	Active	Moloch
69.42.215.252	Active	Moloch
38.147.172.248	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2015633	ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 142.250.206.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 142.250.206.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49172 142.250.206.193:443	C=US, O=Google Trust Services, CN=WE2	CN=*.usercontent.google.com	e2:75:33:38:ea:c5:6b:07:01:99:0c:e5:64:b0:63:79:cc:b5:d4:83
TLSv1 192.168.56.101:49171 142.250.206.206:443	C=US, O=Google Trust Services, CN=WE2	CN=*.google.com	67:52:2f:ab:93:de:39:da:94:50:11:ae:8b:37:cb:88:8f:dc:56:7d

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 1, 2025, 8:34 a.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ May 1, 2025, 8:34 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x959fc @ 0x4959fc BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 60161500 registers.edi: 60161688 registers.eax: 60161500 registers.ebp: 60161580 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1
__exception__ May 1, 2025, 8:34 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95a83 @ 0x495a83 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 60159312 registers.edi: 60159500 registers.eax: 60159312 registers.ebp: 60159392 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11004 registers.ecx: 7	1
__exception__ May 1, 2025, 8:34 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95b0a @ 0x495b0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 60157124 registers.edi: 60157312 registers.eax: 60157124 registers.ebp: 60157204 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1

Connects to a Dynamic DNS Domain (1 event)

domain

xred.mooo.com

Performs some HTTP requests (5 events)

request	GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 1, 2025, 8:34 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2025, 8:34 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2025, 8:34 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2025, 8:34 a.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2025, 8:34 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2025, 8:34 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (12 events)

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39f8

size

0x000010a8

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39f8

size

0x000010a8

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x002471b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x002471b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x002471b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x002471b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x002471b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x002471b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x002471b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x002471b8

size

0x000047d3

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0024ba18

size

0x00000014

name

RT_VERSION

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0024ba2c

size

0x00000304

Downloads a file or document from Google Drive (1 event)

domain

docs.google.com

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\csrss2.exe
file	C:\Users\test22\AppData\Local\Temp\._cache_b.exe
file	C:\ProgramData\Synaptics\Synaptics.dll

Looks up the Dropbox cloud service (1 event)

domain

www.dropbox.com

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\._cache_b.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\._cache_b.exe
file	C:\Users\test22\AppData\Local\Temp\25264562\TemporaryFile\TemporaryFile

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW May 1, 2025, 8:34 a.m.	snapshot_handle: 0x000000fc process_name: pw.exe process_identifier: 2284	1	1
Process32NextW May 1, 2025, 8:34 a.m.	snapshot_handle: 0x000000fc process_name: mobsync.exe process_identifier: 2292	1	1
Process32NextW May 1, 2025, 8:34 a.m.	snapshot_handle: 0x000000fc process_name: b.exe process_identifier: 2560	1	1
Process32NextW May 1, 2025, 8:34 a.m.	snapshot_handle: 0x000000fc process_name: csrss2.exe process_identifier: 2740	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 1, 2025, 8:34 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (3 events)

host	142.250.197.65
host	142.250.71.238
host	38.147.172.248

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

reg_value

C:\ProgramData\Synaptics\Synaptics.exe

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 1, 2025, 8:34 a.m.	thread_identifier: 0 callback_function: 0x039a3540 hook_identifier: 2 (WH_KEYBOARD) module_address: 0x039a0000	1	393703	0

Network activity contains more than one unique useragent (2 events)

process	Synaptics.exe				useragent	MyApp
process	Synaptics.exe				useragent	Synaptics.exe

Generates some ICMP traffic

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.DarkKomet.tp6k
Cynet	Malicious (score: 100)
CAT-QuickHeal	W32.Delf.NB4
Skyhigh	BehavesLike.Win32.Synaptics.vh
ALYac	Trojan.GenericKD.76268480
Cylance	Unsafe
VIPRE	Trojan.GenericKD.76268480
Sangfor	Virus.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.76268480
K7GW	Trojan ( 000112511 )
K7AntiVirus	Trojan ( 000112511 )
Arcabit	HEUR.VBA.Trojan.d
VirIT	Trojan.Win32.Dnldr22.OHM
Symantec	W32.Zorex
Elastic	Windows.Generic.Threat
ESET-NOD32	Win32/Delf.NBX
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Trojan.Emotet-9850453-0
Kaspersky	Backdoor.Win32.DarkKomet.hqxy
Alibaba	Backdoor:Win32/DarkKomet.353
NANO-Antivirus	Trojan.Win32.DarkKomet.fazbwq
MicroWorld-eScan	Trojan.GenericKD.76268480
Rising	Virus.Synaptics!1.E51C (CLASSIC)
Emsisoft	Trojan.GenericKD.76268480 (B)
F-Secure	Malware.W2000M/Dldr.Agent.17651006
DrWeb	Win32.HLLW.Siggen.10555
Zillya	Trojan.Delf.Win32.76144
TrendMicro	Virus.Win32.NAPWHICH.B
McAfeeD	ti!AA6832F460DD
CTX	exe.trojan.delf
Sophos	ElReceptor Keyboard Hook (PUA)
SentinelOne	Static AI - Malicious PE
Jiangmin	Win32/Synaptics.Gen
Webroot	W32.Malware.gen
Google	Detected
Avira	TR/ATRAPS.Gen
Antiy-AVL	Virus/Win32.DarkKomet.a
Gridinsoft	Trojan.Win32.Downloader.mz!n
Xcitium	Virus.Win32.Agent.DE@74b38h
Microsoft	Worm:Win32/AutoRun!atmn
ViRobot	Win32.Zorex.A
GData	Win32.Backdoor.Agent.AXS
Varist	W32/Trojan.YMOP-5085
AhnLab-V3	Win32/Zorex.X1799
Acronis	suspicious
McAfee	W32/Synaptics
DeepInstinct	MALICIOUS

b.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All