popup

Report - netmount.dll

PE File DLL PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.04.30 09:13 Machine s1_win7_x6401
Filename netmount.dll
Type PE32 executable (DLL) (native) Intel 80386, for MS Windows
AI Score
3
 Behavior Score
5.8
ZERO API file : malware
VT API (file) 24 detected (AIDetect, malware2, malicious, high confidence, GenericKD, confidence, ADAN, Artemis, kcloud, Wacapew, ai score=82, CLOUD)
md5 3f3cb269876273534664a5d37118de14
sha256 b935b9d1b59bacea9c5b308266981c94e81ab5826b3128e2ede8b04f8b9f3ace
ssdeep 12288:LJ2c1V7Hq3iDZH8a6H1cskLQYov/RuMRYK:LdDyaC1cxLQYoYMRYK
imphash dd7a9fcfd98a20212beef73d23eba6f9
impfuzzy 3:siGV2WBJAEPwS9KTXzhAXwEBJJd:KVrBJAEHGDyd
  Network IP location

Signature (13cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername

Rules (3cnts)

Level Name Description Collection
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://103.54.41.193/net5/TEST22-PC_W617601.ECBBA697DF647B34877FFEF33E641797/5/kps/
whois
BD Md. Manzurul Haque Khan T/A THE NET HEADS 103.54.41.193 clean
103.54.41.193
whois
BD Md. Manzurul Haque Khan T/A THE NET HEADS 103.54.41.193 mailcious
103.66.72.217
whois
IN RailTel Corporation of India Ltd., Internet Service Provider, New Delhi 103.66.72.217 mailcious
117.252.68.211
whois
IN National Internet Backbone 117.252.68.211 mailcious
131.0.112.122
whois
BR Uai Telecom Comunicacao Multimidia Ltda. 131.0.112.122 clean

Suricata ids

ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x100bd000 VirtualFree
 0x100bd004 LoadLibraryA
 0x100bd008 GetProcAddress
 0x100bd00c VirtualAlloc

EAT(Export Address Table) Library

0x10001fc5 StartW

Similarity measure (PE file only) - Checking for service failure