Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 15, 2024, 5:28 p.m.	Dec. 15, 2024, 5:30 p.m.

Size	465.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`760370c2aa2829b5fec688d12da0535f`
SHA256	`a3a6cde465591377afc5f656f72a00799398fd2541b60391bcb8f62b8f8cace3`
CRC32	`04E69FCA`
ssdeep	`6144:fVpxoBb+6pIE70i+cif0o5HDl5nUnOpvJ3wpUfcx+43+jyQ/DmPvugK/alI1DB4E:6Ii+cni3h3wpUy+5jyqevlMfQWt`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

TPB-1.exe "C:\Users\test22\AppData\Local\Temp\TPB-1.exe"
1280

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 104.76.74.15	104.76.74.15

IP Address	Status	Action
104.76.74.15	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
37.27.43.98	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.154.167.99:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49178 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49174 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49174 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49171 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49161 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49168 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49188 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49175 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49175 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49184 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49184 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49185 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49184 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49167 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49168 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49175 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49174 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49178 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49171 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49166 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49188 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 15, 2024, 5:28 p.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.00cfg

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199804377619

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199804377619

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 15, 2024, 5:28 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0004a800', u'virtual_address': u'0x00001000', u'entropy': 6.86418826015134, u'name': u'.text', u'virtual_size': u'0x0004a7f4'}

entropy

6.86418826015

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000f800', u'virtual_address': u'0x0004c000', u'entropy': 7.856089730506249, u'name': u'.rdata', u'virtual_size': u'0x0000f618'}

entropy

7.85608973051

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000ee00', u'virtual_address': u'0x0005c000', u'entropy': 7.135286617410666, u'name': u'.data', u'virtual_size': u'0x00222144'}

entropy

7.13528661741

description

A section with a high entropy has been found

entropy

0.904094827586

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

37.27.43.98

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	TPB-1.exe				useragent
process	TPB-1.exe				useragent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

37.27.43.98:443

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Vidar.4!c
Cynet	Malicious (score: 100)
CTX	exe.trojan.selfdel
CAT-QuickHeal	Trojan.Selfdel
Skyhigh	BehavesLike.Win32.Generic.gc
ALYac	Gen:Variant.Lazy.627727
Cylance	Unsafe
VIPRE	Gen:Variant.Lazy.627727
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanPSW:Win32/SelfDel.da338a29
K7GW	Riskware ( 00584baa1 )
K7AntiVirus	Riskware ( 00584baa1 )
VirIT	Trojan.Win32.GenusT.EDYQ
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/PSW.Agent.OGR
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Lazy-10038709-0
Kaspersky	Trojan.Win32.SelfDel.ivky
BitDefender	Gen:Variant.Lazy.627727
NANO-Antivirus	Virus.Win32.Gen.ccmw
MicroWorld-eScan	Gen:Variant.Lazy.627727
Rising	Stealer.Stealerc!8.17BE0 (TFE:3:AoJmJPuispO)
Emsisoft	Gen:Variant.Lazy.627727 (B)
F-Secure	Trojan.TR/PSW.Agent.bzhvf
Zillya	Trojan.SelfDel.Win32.70563
McAfeeD	Real Protect-LS!760370C2AA28
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.760370c2aa2829b5
Webroot	Win.Trojan.Gen
Google	Detected
Avira	TR/PSW.Agent.bzhvf
Antiy-AVL	Trojan/Win32.SelfDel
Kingsoft	Win32.HeurC.KVMH017.a
Gridinsoft	Ransom.Win32.Wacatac.sa
Arcabit	Trojan.Lazy.D9940F
ViRobot	Trojan.Win.Z.Lazy.476160.A
Microsoft	Trojan:Win32/Wacatac.B!ml
AhnLab-V3	Infostealer/Win.Vidar.R684336
McAfee	Artemis!760370C2AA28
DeepInstinct	MALICIOUS
VBA32	TrojanPSW.Vidar
Malwarebytes	Trojan.Dropper
Ikarus	Trojan-PSW.Agent
Tencent	Malware.Win32.Gencirc.10c07d9c

TPB-1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All