Report - Setup.exe

Emotet AsyncRAT backdoor PWS .NET framework Gen1 Glupteba BitCoin Generic Malware Anti_VM VMProtect AntiDebug AntiVM PE File PE32 DLL .NET DLL .NET EXE GIF Format OS Processor Check PE64
Created 2021.05.23 10:55 Machine s1_win7_x6402
Filename Setup.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 25.2
ZERO API file : malware
VT API (file) 35 detected (Inject4, Midie, Fabookie, Unsafe, malicious, confidence, BXBK, multiple detections, ivkpkm, Score, AGEN, Wacatac, ai score=87, CLOUD, Crypmod)
md5 d69ad8d2f432e57d4f5ecf5d7e7f9300
sha256 21415b4bd92f908e375ef73e62b8539724488e9372c6df980d91c01e47ebfd15
ssdeep 196608:it8ocoSzMfJbTIiDOVcYtdkk+HiS8pamD:zoSiJbTIiDOVcYtdNs8J
imphash c9adc83b45e363b21cd6b11b5da0501f
impfuzzy 48:8cfpHQrngO0Mw+4QkOK+vreIbuTy5xHGKly1ovzX55nByIVLAHZAQcLAHFrthR9a:8cfpHagO0MJ44bvre4Vgwb3V6RYLMy

Signature (54 counts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Checks for the presence of known windows from debuggers and forensic tools
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Creates a windows hook that monitors keyboard input (keylogger)
watch Creates or sets a registry key to a long series of bytes
watch Deletes a large number of files from the system indicative of ransomware
watch Detects VMWare through the presence of a registry key
watch Executes one or more WMI queries
watch Installs itself for autorun at Windows startup
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Tries to unhook Windows functions monitored by Cuckoo
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
watch Zeus P2P (Banking Trojan)
notice A process attempted to delay the analysis task
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the processes labpicv3.tmp
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (27 counts)

Level Name Description Collection
danger Trojan_Win32_Glupteba_1_Zero Trojan Win32 Glupteba binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch VMProtect_Zero VMProtect packed file binaries (download)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_DLL (no description) binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Virtual_currency_Zero Virtual currency memory
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (68 counts)

Request CC ASN Co IP4 Rule ZERO
http://ol.gamegame.info/report7.4.php US CLOUDFLARENET 172.67.200.215 clean
http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe US NAMECHEAP-NET 198.54.126.101 clean
http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC CA ACP 162.0.220.187 clean
http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xYW2RW5ePv.exe US NAMECHEAP-NET 198.54.126.101 clean
http://iw.gamegame.info/report7.4.php US CLOUDFLARENET 172.67.200.215 clean
http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/PicturesLab.exe US NAMECHEAP-NET 199.188.201.83 clean
http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/i-record.exe US NAMECHEAP-NET 199.188.201.83 clean
http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/Picture-Lab.exe US NAMECHEAP-NET 199.188.201.83 clean
http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/I-Record.exe US NAMECHEAP-NET 199.188.201.83 clean
http://87.251.71.193// RU RM Engineering LLC 87.251.71.193 1393 mailcious
http://uyg5wye.2ihsfa.com/api/fbtime NL ENZUINC 88.218.92.148 1396 mailcious
http://www.google.com/ US GOOGLE 172.217.174.100 clean
http://ipinfo.io/ip US GOOGLE 34.117.59.81 clean
http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/f3kmkuwbdpgytdc5.exe US NAMECHEAP-NET 198.54.126.101 clean
http://b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com/BBSbacket.exe US AMAZON-02 52.219.105.218 malware
http://ip-api.com/json/?fields=8198 US TUT-AS 208.95.112.1 clean
http://ipinfo.io/country US GOOGLE 34.117.59.81 clean
http://ip-api.com/json/ US TUT-AS 208.95.112.1 clean
http://uyg5wye.2ihsfa.com/api/?sid=214117&key=0f51bef1ab2ad0b2ca0fa6f125359da2 NL ENZUINC 88.218.92.148 1396 mailcious
https://iplogger.org/18hh57 DE Hetzner Online GmbH 88.99.66.31 clean
https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150 US CLOUDFLARENET 104.26.3.60 clean
https://www.facebook.com/ US FACEBOOK 157.240.215.35 clean
https://api.ip.sb/geoip US CLOUDFLARENET 104.26.13.31 clean
https://connectini.net/Series/SuperNitou.php CA ACP 162.0.210.44 clean
https://news-systems.xyz/?user=barret2 US CLOUDFLARENET 104.21.33.129 clean
https://news-systems.xyz/?user=barret1 US CLOUDFLARENET 104.21.33.129 clean
https://iplogger.org/1Hpxd7 DE Hetzner Online GmbH 88.99.66.31 clean
https://ipinfo.io/country US GOOGLE 34.117.59.81 clean
https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947 RU JSC RTComm.RU 217.107.34.191 clean
news-systems.xyz US CLOUDFLARENET 104.21.33.129 clean
iw.gamegame.info US CLOUDFLARENET 104.21.21.221 clean
www.google.com US GOOGLE 216.58.197.228 clean
c.pycharm3.ru RU JSC RTComm.RU 217.107.34.191 clean
b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com US AMAZON-02 52.219.106.138 malware
email.yg9.me JP AS-CHOOPA 198.13.62.186 clean
google.com US GOOGLE 172.217.25.78 clean
uyg5wye.2ihsfa.com NL ENZUINC 88.218.92.148 mailcious
ol.gamegame.info US CLOUDFLARENET 104.21.21.221 clean
global-sc-ltd.com US NAMECHEAP-NET 199.188.201.83 clean
connectini.net CA ACP 162.0.210.44 clean
ipinfo.io US GOOGLE 34.117.59.81 clean
limesfile.com US NAMECHEAP-NET 198.54.126.101 clean
ip-api.com US TUT-AS 208.95.112.1 clean
www.facebook.com US FACEBOOK 157.240.215.35 clean
api.ip.sb US CLOUDFLARENET 172.67.75.172 clean
iplogger.org DE Hetzner Online GmbH 88.99.66.31 mailcious
reportyuwt4sbackv97qarke3.com CA ACP 162.0.220.187 clean
ipqualityscore.com US CLOUDFLARENET 104.26.2.60 clean
87.251.71.193 RU RM Engineering LLC 87.251.71.193 mailcious
162.0.220.187 CA ACP 162.0.220.187 clean
52.219.84.224 US AMAZON-02 52.219.84.224 clean
216.58.197.196 US GOOGLE 216.58.197.196 suspicious
88.218.92.148 NL ENZUINC 88.218.92.148 malware
104.26.3.60 US CLOUDFLARENET 104.26.3.60 clean
198.13.62.186 JP AS-CHOOPA 198.13.62.186 clean
104.21.33.129 US CLOUDFLARENET 104.21.33.129 mailcious
199.188.201.83 US NAMECHEAP-NET 199.188.201.83 clean
157.240.215.35 US FACEBOOK 157.240.215.35 clean
88.99.66.31 DE Hetzner Online GmbH 88.99.66.31 mailcious
104.21.21.221 US CLOUDFLARENET 104.21.21.221 clean
162.0.210.44 CA ACP 162.0.210.44 clean
34.117.59.81 US GOOGLE 34.117.59.81 clean
217.107.34.191 RU JSC RTComm.RU 217.107.34.191 mailcious
198.54.126.101 US NAMECHEAP-NET 198.54.126.101 clean
216.58.197.206 US GOOGLE 216.58.197.206 mailcious
208.95.112.1 US TUT-AS 208.95.112.1 clean
172.67.200.215 US CLOUDFLARENET 172.67.200.215 clean
104.26.13.31 US CLOUDFLARENET 104.26.13.31 clean

Suricata ids

PE API

IAT (Import Address Table) Library

kernel32.dll
 0x42b1cc DeleteCriticalSection
 0x42b1d0 LeaveCriticalSection
 0x42b1d4 EnterCriticalSection
 0x42b1d8 InitializeCriticalSection
 0x42b1dc VirtualFree
 0x42b1e0 VirtualAlloc
 0x42b1e4 LocalFree
 0x42b1e8 LocalAlloc
 0x42b1ec GetVersion
 0x42b1f0 GetCurrentThreadId
 0x42b1f4 WideCharToMultiByte
 0x42b1f8 GetThreadLocale
 0x42b1fc GetStartupInfoA
 0x42b200 GetLocaleInfoA
 0x42b204 GetCommandLineA
 0x42b208 FreeLibrary
 0x42b20c ExitProcess
 0x42b210 WriteFile
 0x42b214 UnhandledExceptionFilter
 0x42b218 RtlUnwind
 0x42b21c RaiseException
 0x42b220 GetStdHandle
user32.dll
 0x42b228 GetKeyboardType
 0x42b22c MessageBoxA
advapi32.dll
 0x42b234 RegQueryValueExA
 0x42b238 RegOpenKeyExA
 0x42b23c RegCloseKey
oleaut32.dll
 0x42b244 SysFreeString
 0x42b248 SysReAllocStringLen
kernel32.dll
 0x42b250 TlsSetValue
 0x42b254 TlsGetValue
 0x42b258 LocalAlloc
 0x42b25c GetModuleHandleA
advapi32.dll
 0x42b264 RegCloseKey
 0x42b268 OpenThreadToken
 0x42b26c OpenProcessToken
 0x42b270 GetTokenInformation
 0x42b274 FreeSid
 0x42b278 EqualSid
 0x42b27c AllocateAndInitializeSid
 0x42b280 AdjustTokenPrivileges
kernel32.dll
 0x42b288 WriteFile
 0x42b28c WinExec
 0x42b290 WaitForSingleObject
 0x42b294 TerminateProcess
 0x42b298 SystemTimeToFileTime
 0x42b29c Sleep
 0x42b2a0 SetFileTime
 0x42b2a4 SetFilePointer
 0x42b2a8 SetErrorMode
 0x42b2ac SetEndOfFile
 0x42b2b0 ReadFile
 0x42b2b4 OpenProcess
 0x42b2b8 MultiByteToWideChar
 0x42b2bc LocalFileTimeToFileTime
 0x42b2c0 LoadLibraryA
 0x42b2c4 GlobalFree
 0x42b2c8 GlobalAlloc
 0x42b2cc GetVersion
 0x42b2d0 GetUserDefaultLangID
 0x42b2d4 GetProcAddress
 0x42b2d8 GetModuleHandleA
 0x42b2dc GetLocalTime
 0x42b2e0 GetLastError
 0x42b2e4 GetFileTime
 0x42b2e8 GetFileSize
 0x42b2ec GetExitCodeProcess
 0x42b2f0 GetCurrentThread
 0x42b2f4 GetCurrentProcess
 0x42b2f8 FreeLibrary
 0x42b2fc FindClose
 0x42b300 FileTimeToSystemTime
 0x42b304 FileTimeToLocalFileTime
 0x42b308 DosDateTimeToFileTime
 0x42b30c CompareFileTime
 0x42b310 CloseHandle
gdi32.dll
 0x42b318 StretchDIBits
 0x42b31c StretchBlt
 0x42b320 SetWindowOrgEx
 0x42b324 SetTextColor
 0x42b328 SetStretchBltMode
 0x42b32c SetRectRgn
 0x42b330 SetROP2
 0x42b334 SetPixel
 0x42b338 SetDIBits
 0x42b33c SetBrushOrgEx
 0x42b340 SetBkMode
 0x42b344 SetBkColor
 0x42b348 SelectObject
 0x42b34c SaveDC
 0x42b350 RestoreDC
 0x42b354 OffsetRgn
 0x42b358 MoveToEx
 0x42b35c IntersectClipRect
 0x42b360 GetStockObject
 0x42b364 GetPixel
 0x42b368 GetDIBits
 0x42b36c ExtSelectClipRgn
 0x42b370 ExcludeClipRect
 0x42b374 DeleteObject
 0x42b378 DeleteDC
 0x42b37c CreateSolidBrush
 0x42b380 CreateRectRgn
 0x42b384 CreateDIBitmap
 0x42b388 CreateDIBSection
 0x42b38c CreateCompatibleDC
 0x42b390 CreateCompatibleBitmap
 0x42b394 CreateBrushIndirect
 0x42b398 CreateBitmap
 0x42b39c CombineRgn
 0x42b3a0 BitBlt
user32.dll
 0x42b3a8 WaitMessage
 0x42b3ac ValidateRect
 0x42b3b0 TranslateMessage
 0x42b3b4 ShowWindow
 0x42b3b8 SetWindowPos
 0x42b3bc SetTimer
 0x42b3c0 SetParent
 0x42b3c4 SetForegroundWindow
 0x42b3c8 SetFocus
 0x42b3cc SetCursor
 0x42b3d0 SendMessageA
 0x42b3d4 ScreenToClient
 0x42b3d8 ReleaseDC
 0x42b3dc PostQuitMessage
 0x42b3e0 OffsetRect
 0x42b3e4 KillTimer
 0x42b3e8 IsZoomed
 0x42b3ec IsWindowVisible
 0x42b3f0 IsWindowEnabled
 0x42b3f4 IsWindow
 0x42b3f8 IsIconic
 0x42b3fc InvalidateRect
 0x42b400 GetWindowRgn
 0x42b404 GetWindowRect
 0x42b408 GetWindowDC
 0x42b40c GetUpdateRgn
 0x42b410 GetSystemMetrics
 0x42b414 GetSystemMenu
 0x42b418 GetSysColor
 0x42b41c GetParent
 0x42b420 GetWindow
 0x42b424 GetKeyState
 0x42b428 GetFocus
 0x42b42c GetDCEx
 0x42b430 GetDC
 0x42b434 GetCursorPos
 0x42b438 GetClientRect
 0x42b43c GetCapture
 0x42b440 FillRect
 0x42b444 ExitWindowsEx
 0x42b448 EnumWindows
 0x42b44c EndPaint
 0x42b450 EnableWindow
 0x42b454 EnableMenuItem
 0x42b458 DrawIcon
 0x42b45c DestroyWindow
 0x42b460 DestroyIcon
 0x42b464 DeleteMenu
 0x42b468 CopyImage
 0x42b46c ClientToScreen
 0x42b470 BeginPaint
 0x42b474 CharLowerBuffA
winmm.dll
 0x42b47c timeKillEvent
 0x42b480 timeSetEvent
oleaut32.dll
 0x42b488 SysAllocStringLen
ole32.dll
 0x42b490 OleInitialize
comctl32.dll
 0x42b498 ImageList_Draw
 0x42b49c ImageList_SetBkColor
 0x42b4a0 ImageList_Create
 0x42b4a4 InitCommonControls
shell32.dll
 0x42b4ac SHGetFileInfoA
user32.dll
 0x42b4b4 wvsprintfA
 0x42b4b8 SetWindowLongA
 0x42b4bc SetPropA
 0x42b4c0 SendMessageA
 0x42b4c4 RemovePropA
 0x42b4c8 RegisterClassA
 0x42b4cc PostMessageA
 0x42b4d0 PeekMessageA
 0x42b4d4 MessageBoxA
 0x42b4d8 LoadIconA
 0x42b4dc LoadCursorA
 0x42b4e0 GetWindowTextLengthA
 0x42b4e4 GetWindowTextA
 0x42b4e8 GetWindowLongA
 0x42b4ec GetPropA
 0x42b4f0 GetClassLongA
 0x42b4f4 GetClassInfoA
 0x42b4f8 FindWindowA
 0x42b4fc DrawTextA
 0x42b500 DispatchMessageA
 0x42b504 DefWindowProcA
 0x42b508 CreateWindowExA
 0x42b50c CallWindowProcA
gdi32.dll
 0x42b514 GetTextExtentPoint32A
 0x42b518 GetObjectA
 0x42b51c CreateFontIndirectA
 0x42b520 AddFontResourceA
kernel32.dll
 0x42b528 WritePrivateProfileStringA
 0x42b52c SetFileAttributesA
 0x42b530 SetCurrentDirectoryA
 0x42b534 RemoveDirectoryA
 0x42b538 LoadLibraryA
 0x42b53c GetWindowsDirectoryA
 0x42b540 GetVersionExA
 0x42b544 GetTimeFormatA
 0x42b548 GetTempPathA
 0x42b54c GetSystemDirectoryA
 0x42b550 GetShortPathNameA
 0x42b554 GetPrivateProfileStringA
 0x42b558 GetModuleHandleA
 0x42b55c GetModuleFileNameA
 0x42b560 GetFullPathNameA
 0x42b564 GetFileAttributesA
 0x42b568 GetDiskFreeSpaceA
 0x42b56c GetDateFormatA
 0x42b570 GetComputerNameA
 0x42b574 GetCommandLineA
 0x42b578 FindNextFileA
 0x42b57c FindFirstFileA
 0x42b580 ExpandEnvironmentStringsA
 0x42b584 DeleteFileA
 0x42b588 CreateFileA
 0x42b58c CreateDirectoryA
 0x42b590 CompareStringA
advapi32.dll
 0x42b598 RegSetValueExA
 0x42b59c RegQueryValueExA
 0x42b5a0 RegQueryInfoKeyA
 0x42b5a4 RegOpenKeyExA
 0x42b5a8 RegEnumKeyExA
 0x42b5ac RegCreateKeyExA
 0x42b5b0 LookupPrivilegeValueA
 0x42b5b4 GetUserNameA
shell32.dll
 0x42b5bc ShellExecuteExA
 0x42b5c0 ShellExecuteA
cabinet.dll
 0x42b5c8 FDIDestroy
 0x42b5cc FDICopy
 0x42b5d0 FDICreate
ole32.dll
 0x42b5d8 OleInitialize
 0x42b5dc CoTaskMemFree
 0x42b5e0 CoCreateInstance
 0x42b5e4 CoUninitialize
 0x42b5e8 CoInitialize
shell32.dll
 0x42b5f0 SHGetSpecialFolderLocation
 0x42b5f4 SHGetPathFromIDListA
 0x42b5f8 SHGetMalloc
 0x42b5fc SHChangeNotify
 0x42b600 SHBrowseForFolderA

EAT (Export Address Table): none
