Report - sogoubmbd.e

Gen2 Gen1
ScreenShot
Created 2021.04.07 14:54 Machine s1_win7_x6402
Filename sogoubmbd.e
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
Behavior Score
8.6
ZERO API file : malware
VT API (file) 43 detected (HfsAdware, MauvaiseRI, S5244821, Unsafe, SogouCRTD, Sogou, Eldorado, Attribute, HighConfidence, Malicious, Chir, Gbot, fgypno, Chindo, C@6e9656, wqqyp, R002C0PJJ19, PWSZbot, Malicious PE, Score, high confidence, R180775, susgen, confidence)
md5 a57644fd92464f84b407a671faf519bd
sha256 4d6a9dc1a53e7b973da056a9bb900ee7b3047bdcc4d165c132562b78d39afc03
ssdeep 49152:KuuE7AnqIxGrGYyZa/tgrYJUGfZC3wA6EylfwEaFWd:sE7AqrlyutLxC3sEwwMd
imphash e1ca64229bf6b618126d05f47e655044
impfuzzy 48:kjoDd1UX+ZtHRHK9JcRfMiZSKdmXVOCQN3vi5jUXjE6:z1UuZtHRHQJcRfMKSGmXVcr
  Network IP location

Signature (19cnts)

Level Description
danger File has been identified by 43 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Communicates with host for which no DNS query was performed
watch Network activity contains more than one unique useragent
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process sogousoftware.exe
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (66cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice Str_Win32_Http_API Match Windows Http API call binaries (download)
notice Str_Win32_Http_API Match Windows Http API call binaries (upload)
notice Str_Win32_Internet_API Match Windows Inet API call binaries (download)
notice Str_Win32_Internet_API Match Windows Inet API call binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (download)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (download)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info escalate_priv Escalade priviledges binaries (download)
info escalate_priv Escalade priviledges binaries (upload)
info escalate_priv Escalade priviledges memory
info HasDebugData DebugData Check binaries (download)
info HasDebugData DebugData Check binaries (upload)
info HasDigitalSignature DigitalSignature Check binaries (download)
info HasDigitalSignature DigitalSignature Check binaries (upload)
info HasOverlay Overlay Check binaries (download)
info HasOverlay Overlay Check binaries (upload)
info HasRichSignature Rich Signature Check binaries (download)
info HasRichSignature Rich Signature Check binaries (upload)
info IsConsole (no description) binaries (download)
info IsPacked Entropy Check binaries (download)
info IsPacked Entropy Check binaries (upload)
info IsWindowsGUI (no description) binaries (download)
info IsWindowsGUI (no description) binaries (upload)
info network_dns Communications use DNS binaries (download)
info network_dropper File downloader/dropper binaries (download)
info network_http Communications over HTTP binaries (download)
info network_http Communications over HTTP binaries (upload)
info network_tcp_listen Listen for incoming communication binaries (download)
info network_tcp_socket Communications over RAW socket binaries (download)
info network_udp_sock Communications over UDP network binaries (download)
info screenshot Take screenshot binaries (download)
info screenshot Take screenshot binaries (upload)
info screenshot Take screenshot memory
info Str_Win32_Wininet_Library Match Windows Inet API library declaration binaries (download)
info Str_Win32_Wininet_Library Match Windows Inet API library declaration binaries (upload)
info Str_Win32_Winsock2_Library Match Winsock 2 API library declaration binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info win_files_operation Affect private profile binaries (download)
info win_files_operation Affect private profile binaries (upload)
info win_files_operation Affect private profile memory
info win_mutex Create or check mutex binaries (download)
info win_mutex Create or check mutex binaries (upload)
info win_private_profile Affect private profile binaries (download)
info win_private_profile Affect private profile binaries (upload)
info win_private_profile Affect private profile memory
info win_registry Affect system registries binaries (download)
info win_registry Affect system registries binaries (upload)
info win_registry Affect system registries memory
info win_token Affect system token binaries (download)
info win_token Affect system token binaries (upload)
info win_token Affect system token memory

Network (14cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://ping.t.sogou.com/pingd?srctype=sogousoftware&gid=ajPvVhluZC6COd4TfDjHgh0000o60f--&unc=sogousoftware_normal&t=10&rand=1617785359 CN Shenzhen Tencent Computer Systems Company Limited 211.159.235.216 clean
http://yze.t.sogou.com/externalapp/3.2.2.58/SogouSoftwareExternalApp.exe KR Korea Telecom 119.206.200.180 clean
http://xz.sogou.com/handleUserIdDb256?userid=293cdfe5155ef661a6c8d1373e74eb41&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend CN Guangzhou navigation information technology co., LTD 118.191.216.57 clean
http://yz.app.sogou.com/appinfo?num=7187 SG Tencent Building, Kejizhongyi Avenue 119.28.109.132 clean
https://img02.sogoucdn.com/v2/thumb/retype/ext/jpg/cls/imagick?appid=200504&url=http://dl.app.sogou.com/pc_logo/-9210862937994770673.png CN Tencent Building, Kejizhongyi Avenue 211.152.132.122 clean
yz.app.sogou.com SG Tencent Building, Kejizhongyi Avenue 119.28.109.132 clean
img02.sogoucdn.com CN Tencent Building, Kejizhongyi Avenue 211.152.132.122 clean
xz.sogou.com CN Guangzhou navigation information technology co., LTD 118.191.216.57 clean
ping.t.sogou.com CN Shenzhen Tencent Computer Systems Company Limited 211.159.235.216 clean
yze.t.sogou.com KR Korea Telecom 119.206.200.180 malware
211.152.132.122 CN Tencent Building, Kejizhongyi Avenue 211.152.132.122 clean
118.191.216.57 CN Guangzhou navigation information technology co., LTD 118.191.216.57 clean
119.206.200.180 KR Korea Telecom 119.206.200.180 malware
211.159.235.216 CN Shenzhen Tencent Computer Systems Company Limited 211.159.235.216 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x42d020 CloseHandle
 0x42d024 DebugBreak
 0x42d028 GetCommandLineW
 0x42d02c GetTempPathW
 0x42d030 CompareStringW
 0x42d034 GetProcessHeap
 0x42d038 SetEndOfFile
 0x42d03c WriteConsoleW
 0x42d040 SetStdHandle
 0x42d044 SetFilePointer
 0x42d048 lstrlenW
 0x42d04c PeekNamedPipe
 0x42d050 GetFileInformationByHandle
 0x42d054 GetFullPathNameW
 0x42d058 GetTimeZoneInformation
 0x42d05c FlushFileBuffers
 0x42d060 GetConsoleMode
 0x42d064 GetConsoleCP
 0x42d068 FindFirstFileExW
 0x42d06c GetDriveTypeW
 0x42d070 FileTimeToLocalFileTime
 0x42d074 FileTimeToSystemTime
 0x42d078 CreateThread
 0x42d07c ExitThread
 0x42d080 MultiByteToWideChar
 0x42d084 CreateFileW
 0x42d088 WriteFile
 0x42d08c OutputDebugStringW
 0x42d090 InterlockedDecrement
 0x42d094 InterlockedIncrement
 0x42d098 lstrlenA
 0x42d09c LockResource
 0x42d0a0 SizeofResource
 0x42d0a4 GetModuleHandleW
 0x42d0a8 LoadResource
 0x42d0ac FindResourceW
 0x42d0b0 GetCurrentDirectoryW
 0x42d0b4 FreeResource
 0x42d0b8 CreateFileA
 0x42d0bc CreateMutexW
 0x42d0c0 lstrcmpW
 0x42d0c4 GetSystemDirectoryW
 0x42d0c8 DeviceIoControl
 0x42d0cc ReadFile
 0x42d0d0 CopyFileW
 0x42d0d4 GetLastError
 0x42d0d8 HeapFree
 0x42d0dc HeapSetInformation
 0x42d0e0 GetStartupInfoW
 0x42d0e4 RaiseException
 0x42d0e8 TerminateProcess
 0x42d0ec GetCurrentProcess
 0x42d0f0 UnhandledExceptionFilter
 0x42d0f4 SetUnhandledExceptionFilter
 0x42d0f8 IsDebuggerPresent
 0x42d0fc HeapAlloc
 0x42d100 IsProcessorFeaturePresent
 0x42d104 EncodePointer
 0x42d108 DecodePointer
 0x42d10c HeapCreate
 0x42d110 GetCPInfo
 0x42d114 GetACP
 0x42d118 GetOEMCP
 0x42d11c IsValidCodePage
 0x42d120 TlsAlloc
 0x42d124 TlsGetValue
 0x42d128 TlsSetValue
 0x42d12c TlsFree
 0x42d130 SetLastError
 0x42d134 GetCurrentThreadId
 0x42d138 GetProcAddress
 0x42d13c LCMapStringW
 0x42d140 GetStringTypeW
 0x42d144 ExitProcess
 0x42d148 GetStdHandle
 0x42d14c GetModuleFileNameW
 0x42d150 FreeEnvironmentStringsW
 0x42d154 GetEnvironmentStringsW
 0x42d158 SetHandleCount
 0x42d15c InitializeCriticalSectionAndSpinCount
 0x42d160 GetFileType
 0x42d164 DeleteCriticalSection
 0x42d168 QueryPerformanceCounter
 0x42d16c GetTickCount
 0x42d170 GetCurrentProcessId
 0x42d174 GetSystemTimeAsFileTime
 0x42d178 LeaveCriticalSection
 0x42d17c EnterCriticalSection
 0x42d180 RtlUnwind
 0x42d184 Sleep
 0x42d188 HeapSize
 0x42d18c WideCharToMultiByte
 0x42d190 GetUserDefaultLCID
 0x42d194 GetLocaleInfoW
 0x42d198 GetLocaleInfoA
 0x42d19c EnumSystemLocalesA
 0x42d1a0 IsValidLocale
 0x42d1a4 FreeLibrary
 0x42d1a8 InterlockedExchange
 0x42d1ac LoadLibraryW
 0x42d1b0 HeapReAlloc
 0x42d1b4 GetEnvironmentVariableW
 0x42d1b8 CreateDirectoryW
 0x42d1bc GetPrivateProfileStringW
 0x42d1c0 WaitForSingleObject
 0x42d1c4 OutputDebugStringA
 0x42d1c8 InitializeCriticalSection
 0x42d1cc FindFirstFileW
 0x42d1d0 FindNextFileW
 0x42d1d4 FindClose
 0x42d1d8 GetVersionExW
 0x42d1dc GetLocalTime
 0x42d1e0 CreateEventW
 0x42d1e4 CreateSemaphoreW
 0x42d1e8 ResetEvent
 0x42d1ec ReleaseSemaphore
 0x42d1f0 SetEvent
 0x42d1f4 WaitForMultipleObjects
 0x42d1f8 DeleteFileW
 0x42d1fc lstrcpynW
 0x42d200 lstrcpyW
 0x42d204 GetFileSize
 0x42d208 SetEnvironmentVariableA
USER32.dll
 0x42d258 wvsprintfW
 0x42d25c wsprintfW
 0x42d260 CharNextW
 0x42d264 LoadStringW
SHELL32.dll
 0x42d228 ShellExecuteExW
 0x42d22c ShellExecuteW
 0x42d230 SHGetSpecialFolderPathW
 0x42d234 SHFileOperationW
ole32.dll
 0x42d2a8 CoInitialize
 0x42d2ac CoGetClassObject
 0x42d2b0 CoCreateGuid
 0x42d2b4 CoUninitialize
SHLWAPI.dll
 0x42d23c StrCpyW
 0x42d240 PathIsDirectoryW
 0x42d244 PathFileExistsW
 0x42d248 SHSetValueW
 0x42d24c SHGetValueW
 0x42d250 PathAppendW
PSAPI.DLL
 0x42d220 GetModuleBaseNameW
WININET.dll
 0x42d27c InternetConnectW
 0x42d280 InternetCloseHandle
 0x42d284 InternetOpenW
 0x42d288 InternetSetOptionW
 0x42d28c InternetQueryDataAvailable
 0x42d290 HttpQueryInfoW
 0x42d294 InternetCrackUrlW
 0x42d298 HttpSendRequestW
 0x42d29c HttpOpenRequestW
 0x42d2a0 InternetReadFile
VERSION.dll
 0x42d26c VerQueryValueW
 0x42d270 GetFileVersionInfoSizeW
 0x42d274 GetFileVersionInfoW
NETAPI32.dll
 0x42d210 NetApiBufferFree
 0x42d214 NetWkstaTransportEnum
 0x42d218 Netbios
ADVAPI32.dll
 0x42d000 RegOpenKeyExA
 0x42d004 RegCloseKey
 0x42d008 OpenSCManagerW
 0x42d00c OpenServiceW
 0x42d010 QueryServiceStatus
 0x42d014 CloseServiceHandle
 0x42d018 RegQueryValueExA

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure