Report - pepwn.exe

PE File PE32
Created 2021.05.03 17:08 Machine s1_win7_x6401
Filename pepwn.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 12.6
ZERO API file: malware
VT API (file) 37 detected (AIDetect, malware2, malicious, high confidence, HLLW, Autoruner3, SFYd, Artemis, Unsafe, Save, ZexaF, guW@ae1FM0ki, Attribute, HighConfidence, Phorpiex, CoinminerX, Zard, ClipBanker, iusbkc, Static AI, Malicious PE, AGEN, KVMH017, kcloud, Hynamer, score, BScope, Skeeyah, ai score=81, CLOUD, confidence, 100%)
md5 ee0a1ec859b753abc30847157d81f37c
sha256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
ssdeep 3072:UlmICQuNwVOv/8I6WruEPJZDUXA2M1CUci6sUJW51TrFS83Fo:WmICRmgMtWruEhZDCA2M1CUci6sUJW5D
imphash 23ab644c44593e426ea915e5618d637d
impfuzzy 96:bE+RGcv+uDl+/uYiyIejncp+MrHr/TvEd3K/:bE9cv+fujyIeUP/TvEA/

Signature (22cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Disables Windows Security features
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Modifies security center warnings
watch Network activity contains more than one unique useragent
watch Network communications indicative of possible code injection originated from the process lsass.exe
watch One or more of the buffers contains an embedded PE file
watch Operates on local firewall's policies and settings
notice A process attempted to delay the analysis task.
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
info The executable uses a known packer
info This executable has a PDB path
info Uses Windows APIs to generate a cryptographic key

Rules (4cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (21cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.215.113.93/cc22 Unknown 185.215.113.93 clean
http://api.wipmania.com/ FR Online S.a.s. 212.83.168.196 clean
http://95.143.193.125/tor/status-vote/current/consensus.z SE Internetport Sweden AB 95.143.193.125 clean
http://193.11.164.243:9030/tor/status-vote/current/consensus.z SE SUNET SUNET Swedish University Network 193.11.164.243 clean
http://185.215.113.93/cc11 Unknown 185.215.113.93 clean
http://23.129.64.201/tor/server/fp/0011bd2485ad45d984ec4159c88fc066e5e3300e+005079a42356183cea5a3add239303f44f12e7ea+00cc4ac22501360c541185ee7e4466efb7032cae+00cce6a84e6d63a1a42e105839bc8ed5d4b16669+00e1649e69ff91d7f01e74a5e62ef14f7d9915e4+019feb22ce04cbd US EMERALD-ONION 23.129.64.201 clean
http://86.59.21.38/tor/server/fp/d5f09497548a39071d14ac9e9aa926a0f8a748f2+d5f5502c1762a0b737a81a6bdb78ddbf7efc7725+d60c2d85ead93d23f1c00874d334bbf8a96cd529.z AT Hutchison Drei Austria GmbH 86.59.21.38 clean
api.wipmania.com FR Online S.a.s. 212.83.168.196 clean
95.217.42.50 FI Hetzner Online GmbH 95.217.42.50 clean
212.83.168.196 FR Online S.a.s. 212.83.168.196 clean
213.32.71.116 FR OVH SAS 213.32.71.116 clean
23.129.64.201 US EMERALD-ONION 23.129.64.201 clean
195.201.103.59 DE Hetzner Online GmbH 195.201.103.59 clean
95.217.229.211 FI Hetzner Online GmbH 95.217.229.211 clean
45.66.156.176 US ENZUINC 45.66.156.176 clean
95.143.193.125 SE Internetport Sweden AB 95.143.193.125 clean
162.247.74.201 US CALYX-AS 162.247.74.201 clean
141.255.162.34 CH Private Layer INC 141.255.162.34 clean
193.11.164.243 SE SUNET SUNET Swedish University Network 193.11.164.243 clean
185.215.113.93 Unknown 185.215.113.93 malware
86.59.21.38 AT Hutchison Drei Austria GmbH 86.59.21.38 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

MSVCRT.dll
 0x415178 _controlfp
 0x41517c memmove
 0x415180 _except_handler3
 0x415184 __set_app_type
 0x415188 __p__fmode
 0x41518c __p__commode
 0x415190 _adjust_fdiv
 0x415194 __setusermatherr
 0x415198 _initterm
 0x41519c __getmainargs
 0x4151a0 _acmdln
 0x4151a4 exit
 0x4151a8 _XcptFilter
 0x4151ac _exit
 0x4151b0 wcscmp
 0x4151b4 srand
 0x4151b8 rand
 0x4151bc mbstowcs
 0x4151c0 strchr
 0x4151c4 strcmp
 0x4151c8 _wfopen
 0x4151cc fseek
 0x4151d0 ftell
 0x4151d4 fclose
 0x4151d8 memset
 0x4151dc _mbsstr
 0x4151e0 strlen
 0x4151e4 isalpha
 0x4151e8 isdigit
 0x4151ec wcsstr
 0x4151f0 wcslen
 0x4151f4 iswalpha
 0x4151f8 iswdigit
 0x4151fc memcpy
 0x415200 ??3@YAXPAX@Z
 0x415204 ??2@YAPAXI@Z
 0x415208 strtol
 0x41520c memchr
 0x415210 memcmp
WININET.dll
 0x41526c InternetCloseHandle
 0x415270 InternetOpenUrlA
 0x415274 InternetOpenA
 0x415278 HttpQueryInfoA
 0x41527c InternetOpenUrlW
 0x415280 InternetOpenW
 0x415284 InternetReadFile
urlmon.dll
 0x4152fc URLDownloadToFileW
SHLWAPI.dll
 0x415220 PathMatchSpecW
 0x415224 StrCmpNW
 0x415228 PathFileExistsW
 0x41522c PathFindFileNameW
 0x415230 PathFileExistsA
WS2_32.dll
 0x41528c setsockopt
 0x415290 send
 0x415294 getaddrinfo
 0x415298 recv
 0x41529c socket
 0x4152a0 connect
 0x4152a4 closesocket
 0x4152a8 listen
 0x4152ac bind
 0x4152b0 htonl
 0x4152b4 htons
 0x4152b8 inet_pton
 0x4152bc ntohl
 0x4152c0 shutdown
 0x4152c4 WSACleanup
 0x4152c8 WSAStartup
 0x4152cc getsockname
 0x4152d0 ntohs
 0x4152d4 WSAAccept
 0x4152d8 WSARecv
 0x4152dc WSASend
 0x4152e0 WSAGetLastError
 0x4152e4 freeaddrinfo
 0x4152e8 inet_ntop
KERNEL32.dll
 0x415060 GlobalAlloc
 0x415064 GlobalLock
 0x415068 GlobalUnlock
 0x41506c WaitForMultipleObjects
 0x415070 GetQueuedCompletionStatus
 0x415074 PostQueuedCompletionStatus
 0x415078 LoadLibraryA
 0x41507c GetProcAddress
 0x415080 lstrlenW
 0x415084 TerminateThread
 0x415088 CloseHandle
 0x41508c CreateIoCompletionPort
 0x415090 SleepEx
 0x415094 SetLastError
 0x415098 GlobalFree
 0x41509c GetSystemTimeAsFileTime
 0x4150a0 GetTickCount
 0x4150a4 lstrcpynA
 0x4150a8 ExitThread
 0x4150ac SetEndOfFile
 0x4150b0 SetFilePointer
 0x4150b4 UnmapViewOfFile
 0x4150b8 MapViewOfFile
 0x4150bc CreateFileMappingA
 0x4150c0 GetFileSize
 0x4150c4 CreateFileW
 0x4150c8 CreateProcessW
 0x4150cc GetLocaleInfoA
 0x4150d0 DeleteFileW
 0x4150d4 WriteFile
 0x4150d8 ExpandEnvironmentStringsW
 0x4150dc lstrcpyW
 0x4150e0 QueryDosDeviceW
 0x4150e4 GetDriveTypeW
 0x4150e8 GetLogicalDrives
 0x4150ec RemoveDirectoryW
 0x4150f0 FindClose
 0x4150f4 FindNextFileW
 0x4150f8 MoveFileExW
 0x4150fc lstrcmpW
 0x415100 WaitForSingleObject
 0x415104 GetLastError
 0x415108 GetStartupInfoA
 0x41510c GetModuleHandleA
 0x415110 MoveFileW
 0x415114 MoveFileA
 0x415118 DeleteFileA
 0x41511c ExitProcess
 0x415120 CreateMutexA
 0x415124 CopyFileA
 0x415128 CreateThread
 0x41512c GetTempPathW
 0x415130 GetModuleFileNameW
 0x415134 GetVolumeInformationW
 0x415138 SetFileAttributesW
 0x41513c CopyFileW
 0x415140 lstrcmpiW
 0x415144 CreateDirectoryW
 0x415148 lstrlenA
 0x41514c Sleep
 0x415150 HeapReAlloc
 0x415154 HeapAlloc
 0x415158 HeapFree
 0x41515c GetProcessHeap
 0x415160 EnterCriticalSection
 0x415164 LeaveCriticalSection
 0x415168 InitializeCriticalSection
 0x41516c DeleteCriticalSection
 0x415170 FindFirstFileW
USER32.dll
 0x415238 FindWindowA
 0x41523c ShowWindow
 0x415240 SetForegroundWindow
 0x415244 CloseWindow
 0x415248 SetFocus
 0x41524c wsprintfA
 0x415250 wsprintfW
 0x415254 GetClipboardData
 0x415258 CloseClipboard
 0x41525c SetClipboardData
 0x415260 EmptyClipboard
 0x415264 OpenClipboard
ADVAPI32.dll
 0x415000 CryptReleaseContext
 0x415004 CryptGenRandom
 0x415008 CryptEncrypt
 0x41500c CryptDestroyKey
 0x415010 CryptGetKeyParam
 0x415014 CryptImportKey
 0x415018 CryptSetKeyParam
 0x41501c CryptDestroyHash
 0x415020 CryptHashData
 0x415024 CryptCreateHash
 0x415028 CryptGetHashParam
 0x41502c CryptDuplicateHash
 0x415030 CryptExportKey
 0x415034 CryptVerifySignatureA
 0x415038 RegCloseKey
 0x41503c RegQueryValueExW
 0x415040 RegOpenKeyExW
 0x415044 RegCreateKeyExA
 0x415048 RegSetValueExA
 0x41504c RegOpenKeyExA
 0x415050 RegSetValueExW
 0x415054 CryptAcquireContextW
 0x415058 CryptAcquireContextA
SHELL32.dll
 0x415218 ShellExecuteW
ole32.dll
 0x4152f0 CoInitializeEx
 0x4152f4 CoCreateInstance

EAT (Export Address Table): none
