Report - setupapp.exe

Created 2021.04.20 15:50 Machine s1_win7_x6402
Filename setupapp.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
AI Score
5
Behavior Score
7.0
ZERO API file : malware
VT API (file) 54 detected (AIDetect, malware1, malicious, high confidence, Siggen13, ETWT, Artemis, Unsafe, Save, RanumBot, Eldorado, Glupteba, a variant of WinGo, FileRepMalware, MSShellcode, itxuuo, CLOUD, Behav, Malware@#3r3hhrh1xmw8g, Static AI, Malicious PE, TrojanDDoS, Windigo, hofzi, score, ai score=82, R002C0DDB21, confidence, 100%)
md5 73eb70ca5994df6e2766bb5b799f04ec
sha256 d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c
ssdeep 49152:OQDY27iKqkXNjrRMF0TiBlOagRMs0ogXUaBqhreSM0Z14Dk6I5ZdzREmquDI0A+V:OqqkXsF0TcOlzgXUdK0YDbI5ZdzRy6J
imphash 6ed4f5f04d62b18d96b26d6db7c18840
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn

Signature (14cnts)

Level Description
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
watch Executes one or more WMI queries
watch Expresses interest in specific running processes
watch Performs a TXT record DNS lookup potentially for command and control or covert channel
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries which can be used to identify virtual machines
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Queries for the computername
info The executable uses a known packer

Rules (5cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info IsPacked Entropy Check binaries (upload)
info IsWindowsGUI (no description) binaries (upload)

Network (21cnts)

Request CC ASN Co IP4 Rule ZERO
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=7AbuFcy6rVsv90SWbhZYjX%2F1l2smGDcgr940AwiIF4k%3D&spr=https&se=202 US MICROSOFT-CORP-MSN-AS-BLOCK 20.150.39.196 clean
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=9UUozfiE%2FOpxeeckU6eKE51prLyA7vjOQSQhv8%2F4Goc%3D&spr=https&se=2 US MICROSOFT-CORP-MSN-AS-BLOCK 13.84.56.16 clean
https://msdl.microsoft.com/download/symbols/index2.txt US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
sndvoices.com US CLOUDFLARENET 172.67.216.130 clean
cd525338-6a0f-400b-a98a-ae23e317d921.sndvoices.com Unknown clean
vsblobprodscussu5shard10.blob.core.windows.net US MICROSOFT-CORP-MSN-AS-BLOCK 20.150.39.196 clean
fotamene.com US CLOUDFLARENET 172.67.128.242 malware
spolaect.info US CLOUDFLARENET 172.67.161.225 clean
msdl.microsoft.com US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
lalemada.info US CLOUDFLARENET 172.67.207.106 clean
vsblobprodscussu5shard58.blob.core.windows.net US MICROSOFT-CORP-MSN-AS-BLOCK 13.84.56.16 clean
server10.sndvoices.com US CLOUDFLARENET 172.67.216.130 clean
204.79.197.219 US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
172.67.207.106 US CLOUDFLARENET 172.67.207.106 clean
13.84.56.16 US MICROSOFT-CORP-MSN-AS-BLOCK 13.84.56.16 clean
104.21.16.228 US CLOUDFLARENET 104.21.16.228 clean
172.67.161.225 US CLOUDFLARENET 172.67.161.225 clean
104.21.1.88 US CLOUDFLARENET 104.21.1.88 clean
20.150.39.196 US MICROSOFT-CORP-MSN-AS-BLOCK 20.150.39.196 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0xd25028 LoadLibraryA
 0xd2502c ExitProcess
 0xd25030 GetProcAddress
 0xd25034 VirtualProtect

EAT(Export Address Table) is none
