Field | Value |
---|---|
Created | 2021.05.03 17:08 |
Machine | s1_win7_x6401 |
Filename | pepwn.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 37 detected (AIDetect, malware2, malicious, high confidence, HLLW, Autoruner3, SFYd, Artemis, Unsafe, Save, ZexaF, guW@ae1FM0ki, Attribute, HighConfidence, Phorpiex, CoinminerX, Zard, ClipBanker, iusbkc, Static AI, Malicious PE, AGEN, KVMH017, kcloud, Hynamer, score, BScope, Skeeyah, ai score=81, CLOUD, confidence, 100%) |
md5 | ee0a1ec859b753abc30847157d81f37c |
sha256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
ssdeep | 3072:UlmICQuNwVOv/8I6WruEPJZDUXA2M1CUci6sUJW51TrFS83Fo:WmICRmgMtWruEhZDCA2M1CUci6sUJW5D |
imphash | 23ab644c44593e426ea915e5618d637d |
impfuzzy | 96:bE+RGcv+uDl+/uYiyIejncp+MrHr/TvEd3K/:bE9cv+fujyIeUP/TvEA/ |
Signature (22cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Disables Windows Security features |
danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Modifies security center warnings |
watch | Network activity contains more than one unique useragent |
watch | Network communications indicative of possible code injection originated from the process lsass.exe |
watch | One or more of the buffers contains an embedded PE file |
watch | Operates on local firewall's policies and settings |
notice | A process attempted to delay the analysis task. |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (21cnts)
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578
ET TOR Known Tor Exit Node Traffic group 74
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75
ET COMPROMISED Known Compromised or Hostile Host Traffic group 109
ET POLICY External IP Lookup Attempt To Wipmania
ET TOR Known Tor Exit Node Traffic group 105
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 319
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY TLS possible TOR SSL traffic
SURICATA HTTP gzip decompression failed
ET P2P Tor Get Server Request
ET POLICY TOR Consensus Data Requested
ET TOR Known Tor Exit Node Traffic group 16
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 16
ET COMPROMISED Known Compromised or Hostile Host Traffic group 61
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 810
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303
PE API
IAT (Import Address Table) Library
MSVCRT.dll
0x415178 _controlfp
0x41517c memmove
0x415180 _except_handler3
0x415184 __set_app_type
0x415188 __p__fmode
0x41518c __p__commode
0x415190 _adjust_fdiv
0x415194 __setusermatherr
0x415198 _initterm
0x41519c __getmainargs
0x4151a0 _acmdln
0x4151a4 exit
0x4151a8 _XcptFilter
0x4151ac _exit
0x4151b0 wcscmp
0x4151b4 srand
0x4151b8 rand
0x4151bc mbstowcs
0x4151c0 strchr
0x4151c4 strcmp
0x4151c8 _wfopen
0x4151cc fseek
0x4151d0 ftell
0x4151d4 fclose
0x4151d8 memset
0x4151dc _mbsstr
0x4151e0 strlen
0x4151e4 isalpha
0x4151e8 isdigit
0x4151ec wcsstr
0x4151f0 wcslen
0x4151f4 iswalpha
0x4151f8 iswdigit
0x4151fc memcpy
0x415200 ??3@YAXPAX@Z
0x415204 ??2@YAPAXI@Z
0x415208 strtol
0x41520c memchr
0x415210 memcmp
WININET.dll
0x41526c InternetCloseHandle
0x415270 InternetOpenUrlA
0x415274 InternetOpenA
0x415278 HttpQueryInfoA
0x41527c InternetOpenUrlW
0x415280 InternetOpenW
0x415284 InternetReadFile
urlmon.dll
0x4152fc URLDownloadToFileW
SHLWAPI.dll
0x415220 PathMatchSpecW
0x415224 StrCmpNW
0x415228 PathFileExistsW
0x41522c PathFindFileNameW
0x415230 PathFileExistsA
WS2_32.dll
0x41528c setsockopt
0x415290 send
0x415294 getaddrinfo
0x415298 recv
0x41529c socket
0x4152a0 connect
0x4152a4 closesocket
0x4152a8 listen
0x4152ac bind
0x4152b0 htonl
0x4152b4 htons
0x4152b8 inet_pton
0x4152bc ntohl
0x4152c0 shutdown
0x4152c4 WSACleanup
0x4152c8 WSAStartup
0x4152cc getsockname
0x4152d0 ntohs
0x4152d4 WSAAccept
0x4152d8 WSARecv
0x4152dc WSASend
0x4152e0 WSAGetLastError
0x4152e4 freeaddrinfo
0x4152e8 inet_ntop
KERNEL32.dll
0x415060 GlobalAlloc
0x415064 GlobalLock
0x415068 GlobalUnlock
0x41506c WaitForMultipleObjects
0x415070 GetQueuedCompletionStatus
0x415074 PostQueuedCompletionStatus
0x415078 LoadLibraryA
0x41507c GetProcAddress
0x415080 lstrlenW
0x415084 TerminateThread
0x415088 CloseHandle
0x41508c CreateIoCompletionPort
0x415090 SleepEx
0x415094 SetLastError
0x415098 GlobalFree
0x41509c GetSystemTimeAsFileTime
0x4150a0 GetTickCount
0x4150a4 lstrcpynA
0x4150a8 ExitThread
0x4150ac SetEndOfFile
0x4150b0 SetFilePointer
0x4150b4 UnmapViewOfFile
0x4150b8 MapViewOfFile
0x4150bc CreateFileMappingA
0x4150c0 GetFileSize
0x4150c4 CreateFileW
0x4150c8 CreateProcessW
0x4150cc GetLocaleInfoA
0x4150d0 DeleteFileW
0x4150d4 WriteFile
0x4150d8 ExpandEnvironmentStringsW
0x4150dc lstrcpyW
0x4150e0 QueryDosDeviceW
0x4150e4 GetDriveTypeW
0x4150e8 GetLogicalDrives
0x4150ec RemoveDirectoryW
0x4150f0 FindClose
0x4150f4 FindNextFileW
0x4150f8 MoveFileExW
0x4150fc lstrcmpW
0x415100 WaitForSingleObject
0x415104 GetLastError
0x415108 GetStartupInfoA
0x41510c GetModuleHandleA
0x415110 MoveFileW
0x415114 MoveFileA
0x415118 DeleteFileA
0x41511c ExitProcess
0x415120 CreateMutexA
0x415124 CopyFileA
0x415128 CreateThread
0x41512c GetTempPathW
0x415130 GetModuleFileNameW
0x415134 GetVolumeInformationW
0x415138 SetFileAttributesW
0x41513c CopyFileW
0x415140 lstrcmpiW
0x415144 CreateDirectoryW
0x415148 lstrlenA
0x41514c Sleep
0x415150 HeapReAlloc
0x415154 HeapAlloc
0x415158 HeapFree
0x41515c GetProcessHeap
0x415160 EnterCriticalSection
0x415164 LeaveCriticalSection
0x415168 InitializeCriticalSection
0x41516c DeleteCriticalSection
0x415170 FindFirstFileW
USER32.dll
0x415238 FindWindowA
0x41523c ShowWindow
0x415240 SetForegroundWindow
0x415244 CloseWindow
0x415248 SetFocus
0x41524c wsprintfA
0x415250 wsprintfW
0x415254 GetClipboardData
0x415258 CloseClipboard
0x41525c SetClipboardData
0x415260 EmptyClipboard
0x415264 OpenClipboard
ADVAPI32.dll
0x415000 CryptReleaseContext
0x415004 CryptGenRandom
0x415008 CryptEncrypt
0x41500c CryptDestroyKey
0x415010 CryptGetKeyParam
0x415014 CryptImportKey
0x415018 CryptSetKeyParam
0x41501c CryptDestroyHash
0x415020 CryptHashData
0x415024 CryptCreateHash
0x415028 CryptGetHashParam
0x41502c CryptDuplicateHash
0x415030 CryptExportKey
0x415034 CryptVerifySignatureA
0x415038 RegCloseKey
0x41503c RegQueryValueExW
0x415040 RegOpenKeyExW
0x415044 RegCreateKeyExA
0x415048 RegSetValueExA
0x41504c RegOpenKeyExA
0x415050 RegSetValueExW
0x415054 CryptAcquireContextW
0x415058 CryptAcquireContextA
SHELL32.dll
0x415218 ShellExecuteW
ole32.dll
0x4152f0 CoInitializeEx
0x4152f4 CoCreateInstance
EAT (Export Address Table): none
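The import table above is the static evidence behind several of the behavioural signatures and VirusTotal labels on this page: the USER32 clipboard trio (OpenClipboard / GetClipboardData / SetClipboardData) lines up with the ClipBanker label, the ADVAPI32 RegCreateKeyExA / RegSetValueExA pair with "Installs itself for autorun", the WS2_32 bind / listen / WSAAccept set with a process that accepts inbound connections rather than only calling out, and GetLogicalDrives / GetDriveTypeW / FindFirstFileW / CopyFileW with drive-walking, copy-yourself-around worm behaviour. The following is an added example, not code from the report or the sandbox: a small Python triage script that parses an excerpt of the IAT listing in this report's own format and flags import combinations that only fire when every API of a capability is present. The excerpt is copied from the listing above (the truncated WS2_32 entry `ind` is taken to be `bind`); the capability rules and their names are this example's own heuristics, not a rule set the sandbox ships.

```python
"""Capability triage over a sandbox IAT listing (added example, not part of the report).

IAT_TEXT is an excerpt copied from the report's IAT section: one "<DLL>.dll"
header per line followed by "<address> <symbol>" lines. The RULES table is this
example's own heuristic mapping from import combinations to capabilities.
"""
import re
from collections import defaultdict

IAT_TEXT = """\
WININET.dll
0x415270 InternetOpenUrlA
0x415284 InternetReadFile
urlmon.dll
0x4152fc URLDownloadToFileW
WS2_32.dll
0x41529c socket
0x4152a0 connect
0x4152a8 listen
0x4152ac bind
0x4152d4 WSAAccept
KERNEL32.dll
0x4150c8 CreateProcessW
0x4150e4 GetDriveTypeW
0x4150e8 GetLogicalDrives
0x415120 CreateMutexA
0x41513c CopyFileW
0x415170 FindFirstFileW
USER32.dll
0x415254 GetClipboardData
0x41525c SetClipboardData
0x415260 EmptyClipboard
0x415264 OpenClipboard
ADVAPI32.dll
0x415004 CryptGenRandom
0x415014 CryptImportKey
0x415044 RegCreateKeyExA
0x415048 RegSetValueExA
"""

DLL_RE = re.compile(r"^([A-Za-z0-9_]+)\.dll$", re.IGNORECASE)
SYM_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat(text):
    """Return {dll_lowercase: set(symbol)} from a report-style IAT listing."""
    imports = defaultdict(set)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DLL_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = SYM_RE.match(line)
        if m and current is not None:
            imports[current].add(m.group(1))
    return dict(imports)


# (capability, imports that must ALL be present, why it matters) -- heuristic rules
RULES = [
    ("clipboard_read_write",
     {("user32", "OpenClipboard"), ("user32", "GetClipboardData"), ("user32", "SetClipboardData")},
     "read-modify-write of the clipboard, consistent with the ClipBanker label"),
    ("http_download",
     {("wininet", "InternetOpenUrlA"), ("wininet", "InternetReadFile")},
     "pulls content over HTTP via WinINet"),
    ("urlmon_drop_to_disk",
     {("urlmon", "URLDownloadToFileW")},
     "writes a URL straight to a file on disk"),
    ("tcp_listener",
     {("ws2_32", "socket"), ("ws2_32", "bind"), ("ws2_32", "listen"), ("ws2_32", "WSAAccept")},
     "accepts inbound connections, not just outbound beaconing"),
    ("registry_write",
     {("advapi32", "RegCreateKeyExA"), ("advapi32", "RegSetValueExA")},
     "creates keys and sets values, matches the autorun signature"),
    ("drive_walk_and_copy",
     {("kernel32", "GetLogicalDrives"), ("kernel32", "GetDriveTypeW"),
      ("kernel32", "FindFirstFileW"), ("kernel32", "CopyFileW")},
     "enumerates drives and copies files, worm-style spreading"),
    ("cryptoapi_key_handling",
     {("advapi32", "CryptGenRandom"), ("advapi32", "CryptImportKey")},
     "generates random material and imports keys via CryptoAPI"),
    ("single_instance_mutex",
     {("kernel32", "CreateMutexA")},
     "named mutex, commonly used to avoid running twice"),
]


def triage(imports):
    """Return {capability: sorted 'dll!symbol' evidence} for every fully satisfied rule."""
    hits = {}
    for name, needed, _why in RULES:
        if all(sym in imports.get(dll, ()) for dll, sym in needed):
            hits[name] = sorted(f"{dll}!{sym}" for dll, sym in needed)
    return hits


def missing_for(imports, capability):
    """List the imports a rule still lacks; handy when an IAT is only partially resolved."""
    for name, needed, _why in RULES:
        if name == capability:
            return sorted(f"{d}!{s}" for d, s in needed if s not in imports.get(d, ()))
    raise KeyError(capability)


if __name__ == "__main__":
    for cap, evidence in triage(parse_iat(IAT_TEXT)).items():
        print(f"{cap:24s} {', '.join(evidence)}")
```

Requiring every API of a rule keeps the false-positive rate down: almost any GUI program imports OpenClipboard, but few import the full open / read / set sequence without a window message loop. Run against the full listing above, every rule fires, which is a good reason to treat the ClipBanker and autorun labels as corroborated by static evidence rather than by AV naming alone; `missing_for` shows which import is absent when a rule does not fire on a partially packed sample.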