Report - OctodadSetup.exe

AntiDebug AntiVM PE File PE32 DLL MSOffice File
Created 2021.05.14 09:50 Machine s1_win7_x6402
Filename OctodadSetup.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
AI Score
7
Behavior Score
9.6
ZERO API file : malware
VT API (file) 52 detected (GenericKD, Artemis, Unsafe, malicious, Score, StartPage, esqoia, ApplicUnwnt@#avud7zvby13y, AGEN, DownloadShield, R002C0OA321, InstallAd, ai score=97, AGeneric, Vittalia, R182412, OpenDownloadManager, Genetic, Eawu, FileRepMalware, confidence)
md5 8860fecf9a64e193bfde8808889f7e48
sha256 972a19b0dc047f482972e513446d3735ea7d41aadaa57e0201a5f0f9a93fedbb
ssdeep 6144:Y0hNLAQF57b5LAWUkV62/sFiv6BtgZHbGYXwE08A:ZMKHzUb2/ssG2ZyYXs
imphash f4fd5e474d548b6e56174e1335f360a9
impfuzzy 48:YBfrOK5YZJqOkOGLblla/7LXEFSv8r+tAl5ylx0QpV74dT+5/1xyACnBoKQ50e4l:YBaK5YZJq1K41UvnvS

Signature (23cnts)

Level Description
danger File has been identified by 52 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Network activity contains more than one unique useragent
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice Executes one or more WMI queries which can be used to identify virtual machines
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (14cnts)

Level Name Description Collection
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (16cnts)

Request CC ASN Co IP4 Rule ZERO
http://www.freegamer.info/join/ US INCAPSULA 107.154.230.90 clean
http://www.freegamer.info/_Incapsula_Resource?SWKMTFSR=1&e=0.16526160572090975 US INCAPSULA 107.154.230.90 clean
http://www.freegamer.info/favicon.ico US INCAPSULA 107.154.230.90 clean
http://bat.bing.com/bat.js US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.21.200 clean
http://www.freegamer.info/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=1751958704 US INCAPSULA 107.154.230.90 clean
https://bat.bing.com/p/action/4022064 US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.200 clean
https://s.yimg.com/wi/ytc.js KR Yahoo China Datacenter 119.161.14.18 clean
www.demtxr.com US DREAMHOST-AS 64.111.117.81 clean
ge.tt Unknown malicious
s.yimg.com KR internet content provider 119.161.5.252 clean
bat.bing.com US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.21.200 clean
www.freegamer.info US INCAPSULA 107.154.230.90 malware
204.79.197.200 US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.200 clean
64.111.117.81 US DREAMHOST-AS 64.111.117.81 clean
119.161.14.18 KR Yahoo China Datacenter 119.161.14.18 suspicious
107.154.230.90 US INCAPSULA 107.154.230.90 malware

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x407064 SearchPathA
 0x407068 GetShortPathNameA
 0x40706c GetFullPathNameA
 0x407070 MoveFileA
 0x407074 SetCurrentDirectoryA
 0x407078 GetFileAttributesA
 0x40707c GetLastError
 0x407080 CreateDirectoryA
 0x407084 SetFileAttributesA
 0x407088 Sleep
 0x40708c GetTickCount
 0x407090 GetFileSize
 0x407094 GetModuleFileNameA
 0x407098 GetCurrentProcess
 0x40709c CopyFileA
 0x4070a0 ExitProcess
 0x4070a4 GetWindowsDirectoryA
 0x4070a8 CompareFileTime
 0x4070ac GetCommandLineA
 0x4070b0 GetVersion
 0x4070b4 SetErrorMode
 0x4070b8 lstrcpynA
 0x4070bc GetDiskFreeSpaceA
 0x4070c0 GlobalUnlock
 0x4070c4 GlobalLock
 0x4070c8 CreateThread
 0x4070cc CreateProcessA
 0x4070d0 CreateFileA
 0x4070d4 GetTempFileNameA
 0x4070d8 lstrlenA
 0x4070dc lstrcatA
 0x4070e0 LoadLibraryA
 0x4070e4 GetSystemDirectoryA
 0x4070e8 RemoveDirectoryA
 0x4070ec SetFileTime
 0x4070f0 CloseHandle
 0x4070f4 lstrcmpiA
 0x4070f8 lstrcmpA
 0x4070fc ExpandEnvironmentStringsA
 0x407100 GlobalAlloc
 0x407104 WaitForSingleObject
 0x407108 GetExitCodeProcess
 0x40710c GlobalFree
 0x407110 GetModuleHandleA
 0x407114 LoadLibraryExA
 0x407118 GetProcAddress
 0x40711c FreeLibrary
 0x407120 MultiByteToWideChar
 0x407124 WritePrivateProfileStringA
 0x407128 GetPrivateProfileStringA
 0x40712c WriteFile
 0x407130 MulDiv
 0x407134 ReadFile
 0x407138 SetFilePointer
 0x40713c FindClose
 0x407140 FindNextFileA
 0x407144 FindFirstFileA
 0x407148 DeleteFileA
 0x40714c GetTempPathA
USER32.dll
 0x407170 GetMessagePos
 0x407174 CallWindowProcA
 0x407178 IsWindowVisible
 0x40717c LoadBitmapA
 0x407180 CloseClipboard
 0x407184 SetClipboardData
 0x407188 EmptyClipboard
 0x40718c OpenClipboard
 0x407190 TrackPopupMenu
 0x407194 GetWindowRect
 0x407198 AppendMenuA
 0x40719c CreatePopupMenu
 0x4071a0 GetSystemMetrics
 0x4071a4 EndDialog
 0x4071a8 EnableMenuItem
 0x4071ac GetSystemMenu
 0x4071b0 SetClassLongA
 0x4071b4 IsWindowEnabled
 0x4071b8 SetWindowPos
 0x4071bc ScreenToClient
 0x4071c0 GetClassInfoA
 0x4071c4 CreateWindowExA
 0x4071c8 SystemParametersInfoA
 0x4071cc RegisterClassA
 0x4071d0 SetDlgItemTextA
 0x4071d4 GetDlgItemTextA
 0x4071d8 MessageBoxIndirectA
 0x4071dc CharPrevA
 0x4071e0 DispatchMessageA
 0x4071e4 PeekMessageA
 0x4071e8 ExitWindowsEx
 0x4071ec DestroyWindow
 0x4071f0 CreateDialogParamA
 0x4071f4 SetTimer
 0x4071f8 SetWindowTextA
 0x4071fc PostQuitMessage
 0x407200 SetForegroundWindow
 0x407204 wsprintfA
 0x407208 SendMessageTimeoutA
 0x40720c CheckDlgButton
 0x407210 LoadCursorA
 0x407214 SetCursor
 0x407218 GetWindowLongA
 0x40721c GetSysColor
 0x407220 DialogBoxParamA
 0x407224 CharNextA
 0x407228 FindWindowExA
 0x40722c IsWindow
 0x407230 GetDlgItem
 0x407234 SetWindowLongA
 0x407238 LoadImageA
 0x40723c GetDC
 0x407240 EnableWindow
 0x407244 InvalidateRect
 0x407248 SendMessageA
 0x40724c DefWindowProcA
 0x407250 BeginPaint
 0x407254 GetClientRect
 0x407258 FillRect
 0x40725c DrawTextA
 0x407260 EndPaint
 0x407264 ShowWindow
GDI32.dll
 0x407040 SetBkColor
 0x407044 GetDeviceCaps
 0x407048 DeleteObject
 0x40704c CreateBrushIndirect
 0x407050 CreateFontIndirectA
 0x407054 SetBkMode
 0x407058 SetTextColor
 0x40705c SelectObject
SHELL32.dll
 0x407154 SHBrowseForFolderA
 0x407158 SHGetPathFromIDListA
 0x40715c SHGetFileInfoA
 0x407160 ShellExecuteA
 0x407164 SHFileOperationA
 0x407168 SHGetSpecialFolderLocation
ADVAPI32.dll
 0x407000 RegOpenKeyExA
 0x407004 RegEnumValueA
 0x407008 RegEnumKeyA
 0x40700c RegCloseKey
 0x407010 SetFileSecurityA
 0x407014 RegDeleteValueA
 0x407018 RegCreateKeyExA
 0x40701c RegSetValueExA
 0x407020 RegDeleteKeyA
 0x407024 RegQueryValueExA
COMCTL32.dll
 0x40702c ImageList_AddMasked
 0x407030 ImageList_Destroy
 0x407034 None
 0x407038 ImageList_Create
ole32.dll
 0x40726c OleUninitialize
 0x407270 OleInitialize
 0x407274 CoTaskMemFree
 0x407278 CoCreateInstance

EAT (Export Address Table): none
