Report - mobianshi.txt

Tags: AntiDebug, AntiVM, .NET EXE, OS Processor Check, PE File, PE32, GIF Format
Created: 2021.05.12 12:16
Machine: s1_win7_x6401
Filename mobianshi.txt
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score: 12
Behavior Score: 6.0
ZERO API file : malware
VT API (file) 49 detected (malicious, high confidence, GenericKD, Artemis, Unsafe, Save, confidence, 100%, Tnega, PZMP, Attribute, HighConfidence, Kryptik, AASQ, Razy, Mokes, PWSX, Malware@#2280eu45sleiq, Spynet, GenKryptik, USASHDM21, rdrtq, ai score=88, kcloud, score, ZemsilF, iqW@aio5iaoO, TScope, CLOUD, GdSda)
md5 c5b088a8ef675fa7576197f7faa07b40
sha256 10f9863a0c087a93b465eb4c17e5a006add72acf87747603d2caff4b011f7bd7
ssdeep 3072:NI0YC4NW+e4X2U1fvN7jDARDnxSRgLyIio18WaedeeNNzyOBODYGCTCZ:NDO8+tXpVN0RDnxSRgLyIio18WaedeeO
imphash c76f28adc3f86b4ba395f3066c0671bd
impfuzzy 96:wJn7jIA0OOIt6BycwJqahV8+D4TRDoGVQc2Vu69qHeg4coTpPbNapZN2:wJn7czO/a5wbGiHg4cupNaPY

Signature (14cnts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
notice A process attempted to delay the analysis task
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Connects to a Dynamic DNS Domain
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Executes one or more WMI queries
notice Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername

Rules (12cnts)

Level Name Description Collection
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info Lnk_Format_Zero LNK Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (2cnts)

Request CC ASN Co IP4 Rule ZERO
modoba.duckdns.org VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP 103.133.105.179 clean
103.133.105.179 VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP 103.133.105.179 malicious

Suricata ids

PE API

IAT (Import Address Table) by library

MSVCR90.dll
 0x4050fc fclose
 0x405100 realloc
 0x405104 __CxxQueryExceptionSize
 0x405108 free
 0x40510c __CxxExceptionFilter
 0x405110 __CxxRegisterExceptionObject
 0x405114 __CxxDetectRethrow
 0x405118 __CxxUnregisterExceptionObject
 0x40511c memmove_s
 0x405120 ??2@YAPAXI@Z
 0x405124 _invalid_parameter_noinfo
 0x405128 fwrite
 0x40512c _crt_debugger_hook
 0x405130 _controlfp_s
 0x405134 _invoke_watson
 0x405138 _except_handler4_common
 0x40513c _decode_pointer
 0x405140 _onexit
 0x405144 _lock
 0x405148 __dllonexit
 0x40514c _unlock
 0x405150 ?_type_info_dtor_internal_method@type_info@@QAEXXZ
 0x405154 ?terminate@@YAXXZ
 0x405158 __set_app_type
 0x40515c _encode_pointer
 0x405160 _CxxThrowException
 0x405164 ??0exception@std@@QAE@XZ
 0x405168 ??_V@YAXPAX@Z
 0x40516c ??0exception@std@@QAE@ABQBD@Z
 0x405170 __p__fmode
 0x405174 __p__commode
 0x405178 _adjust_fdiv
 0x40517c __setusermatherr
 0x405180 _encoded_null
 0x405184 abort
 0x405188 __FrameUnwindFilter
 0x40518c printf
 0x405190 sprintf
 0x405194 _configthreadlocale
 0x405198 _initterm_e
 0x40519c _initterm
 0x4051a0 _wcmdln
 0x4051a4 exit
 0x4051a8 _XcptFilter
 0x4051ac _exit
 0x4051b0 _cexit
 0x4051b4 __wgetmainargs
 0x4051b8 _amsg_exit
 0x4051bc ??3@YAXPAX@Z
 0x4051c0 ??0exception@std@@QAE@ABV01@@Z
 0x4051c4 ?what@exception@std@@UBEPBDXZ
 0x4051c8 ??1exception@std@@UAE@XZ
KERNEL32.dll
 0x40503c IsProcessorFeaturePresent
 0x405040 GetNativeSystemInfo
 0x405044 CompareFileTime
 0x405048 FileTimeToSystemTime
 0x40504c LocalFileTimeToFileTime
 0x405050 GetSystemTimes
 0x405054 GetSystemRegistryQuota
 0x405058 ExitProcess
 0x40505c VirtualProtect
 0x405060 GetLastError
 0x405064 GetProcessId
 0x405068 GetModuleHandleW
 0x40506c SetLastError
 0x405070 GetFileInformationByHandle
 0x405074 GetTapeParameters
 0x405078 InterlockedExchange
 0x40507c Sleep
 0x405080 InterlockedCompareExchange
 0x405084 GetStartupInfoW
 0x405088 SetUnhandledExceptionFilter
 0x40508c QueryPerformanceCounter
 0x405090 GetTickCount
 0x405094 GetCurrentThreadId
 0x405098 GetCurrentProcessId
 0x40509c GetSystemTimeAsFileTime
 0x4050a0 TerminateProcess
 0x4050a4 GetCurrentProcess
 0x4050a8 UnhandledExceptionFilter
 0x4050ac IsDebuggerPresent
 0x4050b0 GlobalAlloc
USER32.dll
 0x4051e0 CreateWindowExA
 0x4051e4 ShowWindow
 0x4051e8 UpdateWindow
 0x4051ec CreateCaret
 0x4051f0 GetCursor
 0x4051f4 AnyPopup
 0x4051f8 AdjustWindowRect
 0x4051fc GetWindowRect
 0x405200 GetClientRect
 0x405204 LoadIconA
 0x405208 GetWindowTextLengthW
GDI32.dll
 0x405008 CreateDIBPatternBrush
 0x40500c CreateDIBitmap
 0x405010 CreateEllipticRgn
 0x405014 SetPolyFillMode
 0x405018 CreateDCA
 0x40501c BeginPath
 0x405020 EndPath
 0x405024 BitBlt
 0x405028 PlayMetaFileRecord
 0x40502c StretchBlt
 0x405030 FillPath
 0x405034 SetWinMetaFileBits
ADVAPI32.dll
 0x405000 RegSetValueW
SHELL32.dll
 0x4051d0 DragAcceptFiles
 0x4051d4 DragQueryPoint
 0x4051d8 ShellExecuteA
MSIMG32.dll
 0x4050b8 TransparentBlt
 0x4050bc AlphaBlend
 0x4050c0 GradientFill
WINHTTP.dll
 0x405210 WinHttpConnect
 0x405214 WinHttpOpen
 0x405218 WinHttpSetOption
 0x40521c WinHttpReadData
MSVCP90.dll
 0x4050c8 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
 0x4050cc ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
 0x4050d0 ??0?$allocator@_W@std@@QAE@ABV01@@Z
 0x4050d4 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
 0x4050d8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
 0x4050dc ??_D?$basic_stringstream@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
 0x4050e0 ??_F?$basic_stringstream@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
 0x4050e4 ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
 0x4050e8 ?_Decref@facet@locale@std@@QAEPAV123@XZ
 0x4050ec ?_Lockit_dtor@_Lockit@std@@SAXH@Z
 0x4050f0 ?_Lockit_ctor@_Lockit@std@@SAXH@Z
 0x4050f4 ??_D?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
msvcm90.dll
 0x40522c ?RegisterModuleUninitializer@@@YAXP$AAVEventHandler@System@@@Z
 0x405230 ?DoDllLanguageSupportValidation@@@YAXXZ
 0x405234 ?ThrowModuleLoadException@@@YAXP$AAVString@System@@P$AAVException@3@@Z
 0x405238 ?DoCallBackInDefaultDomain@@@YAXP6GJPAX@Z0@Z
 0x40523c ?ThrowModuleLoadException@@@YAXP$AAVString@System@@@Z
 0x405240 ?ThrowNestedModuleLoadException@@@YAXP$AAVException@System@@0@Z
mscoree.dll
 0x405224 _CorExeMain

EAT (Export Address Table): none
