Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 30, 2021, 10:47 a.m.	March 30, 2021, 10:57 a.m.

Size	734.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`ef80e35e5a0f4c12933955423dad720c`
SHA256	`5b3e57fdf14cfa4d7688faecfa29c77974b8c92c97fffd786e82b0d582325315`
CRC32	`4BDD1360`
ssdeep	`12288:Fbd2oj1dgx82oWP/8YALurvih4YjfLS2NDEfa5wurfi6Hafu5VSWMSav:b7gx82oW8YAL2VEj5eXu5c`
Yara	PE_Header_Zero - PE File Signature Zero Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasRichSignature - Rich Signature Check UPX_Zero - UPX packed file

md4_4igk.exe "C:\Users\test22\AppData\Local\Temp\md4_4igk.exe"
8768

Name	Response	Post-Analysis Lookup
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
101.36.107.74	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49808 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49808 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 30, 2021, 10:47 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AFX_DIALOG_LAYOUT

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://101.36.107.74/seemorebty/il.php?e=md4_4igk

Performs some HTTP requests (2 events)

request	GET http://101.36.107.74/seemorebty/il.php?e=md4_4igk
request	GET https://iplogger.org/Zn4V3

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Foreign language identified in PE resource (16 events)

name

AFX_DIALOG_LAYOUT

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0013b438

size

0x00000002

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019c010

size

0x00007cb1

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0013b3a0

size

0x00000094

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001a3cc8

size

0x000000bc

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0008a400', u'virtual_address': u'0x000ec000', u'entropy': 7.9290103118276525, u'name': u'UPX1', u'virtual_size': u'0x0008b000'}

entropy

7.92901031183

description

A section with a high entropy has been found

entropy

0.753919563736

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (2 events)

host	101.36.107.74
host	172.217.25.14

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA March 30, 2021, 10:47 a.m.	key_handle: 0x000004e8 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Generates some ICMP traffic

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetect.malware1
DrWeb	Trojan.DownLoader38.7231
MicroWorld-eScan	Trojan.GenericKD.45966118
FireEye	Generic.mg.ef80e35e5a0f4c12
CAT-QuickHeal	Trojan.Multi
ALYac	Trojan.GenericKD.45966118
Cylance	Unsafe
K7AntiVirus	Password-Stealer ( 0055912f1 )
Alibaba	TrojanBanker:Win32/Passteal.af7de133
K7GW	Password-Stealer ( 0055912f1 )
Cybereason	malicious.0d7675
Arcabit	Trojan.Generic.D2BD6326
BitDefenderTheta	Gen:NN.ZexaF.34628.TmGfaC0z7oeb
Cyren	W32/AdAgent.BB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/PSW.Agent.OHG
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	Trojan-Banker.Win32.Passteal.hj
BitDefender	Trojan.GenericKD.45966118
NANO-Antivirus	Trojan.Win32.Dwn.iquala
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKD.45966118
Emsisoft	Trojan.GenericKD.45966118 (B)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PCO21
McAfee-GW-Edition	BehavesLike.Win32.Generic.bc
Sophos	Mal/Generic-S
Ikarus	Trojan-PSW.Agent
Jiangmin	Trojan.Banker.Passteal.bb
eGambit	Unsafe.AI_Score_99%
Avira	TR/PSW.Agent.owqft
Kingsoft	Win32.Troj.Banker.(kcloud)
Gridinsoft	Trojan.Win32.Agent.vb
Microsoft	Trojan:Win32/Ymacco.AA5B
AegisLab	Trojan.Multi.Generic.4!c
GData	Trojan.GenericKD.45966118
Cynet	Malicious (score: 100)
McAfee	Artemis!EF80E35E5A0F
MAX	malware (ai score=82)
VBA32	BScope.Trojan.CryptInject
Malwarebytes	Trojan.Crypt
TrendMicro-HouseCall	TROJ_GEN.R002H0CCM21
Rising	Stealer.FBAdsCard!1.CE06 (CLOUD)
Fortinet	W32/Agent.OHG!tr
Webroot	W32.Trojan.Gen
AVG	Win32:Trojan-gen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/Trojan.Generic.HgIASRQA

md4_4igk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All