Report - prince_of_persia_P_v4_x86.exe

AsyncRAT backdoor Generic Malware PE File OS Processor Check PE32
Created 2021.06.22 18:13 Machine s1_win7_x6402
Filename prince_of_persia_P_v4_x86.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score: 3
Behavior Score: 6.4
ZERO API file : clean
VT API (file) 34 detected (malicious, high confidence, Unsafe, Save, ZexaF, p8Y@aeK1PWl, Attribute, HighConfidence, ENCW, InjectorX, Zenpak, imccim, RDMK, cmRtazrVVPuJckTUjWVpm08mp3oT, Meterpreter, Hijacker, PoshC2, score, R361916, ai score=80, BScope, GdSda, confidence)
md5 28906318e1bfa9949cd086e807a0f220
sha256 3c4c4cb0e9a48e8203ebe67da38dcfdc0d888213424ddd335a767f6a04e798ff
ssdeep 3072:Fw5tuhTTKtpWAFPmM9Kx067MjdfOW7B9tNY12xGLgzONzW:FkgxAFfOWN/o2x8gzONi
imphash 35b5715d1d5b1876f546dbd1eae03180
impfuzzy 12:C+wRJRibJ2cDk85ARZqRLAuzhYPXJ+qRmzT4GQGX5XGXKYmJlk6lTpJqJiZn:jkfiFlDk/cLZzeFmLTX5XGAJlkoDqoZn

Signature (16cnts)

Level Description
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (5cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (22cnts)

Request CC ASN Co IP4 Rule ZERO
nidhoggr.club IS 1984 ehf 185.112.146.165 malware
185.112.146.165 IS 1984 ehf 185.112.146.165 malware

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x42c104 CloseHandle
 0x42c108 CreateProcessA
 0x42c10c CreateRemoteThread
 0x42c110 DeleteCriticalSection
 0x42c114 EnterCriticalSection
 0x42c118 FreeLibrary
 0x42c11c GetLastError
 0x42c120 GetModuleHandleA
 0x42c124 GetProcAddress
 0x42c128 GetProcessId
 0x42c12c GetStartupInfoA
 0x42c130 InitializeCriticalSection
 0x42c134 LeaveCriticalSection
 0x42c138 LoadLibraryA
 0x42c13c OpenProcess
 0x42c140 SetUnhandledExceptionFilter
 0x42c144 Sleep
 0x42c148 TlsGetValue
 0x42c14c VirtualAllocEx
 0x42c150 VirtualProtect
 0x42c154 VirtualQuery
 0x42c158 WriteProcessMemory
msvcrt.dll
 0x42c160 __getmainargs
 0x42c164 __initenv
 0x42c168 __lconv_init
 0x42c16c __p__acmdln
 0x42c170 __p__commode
 0x42c174 __p__fmode
 0x42c178 __set_app_type
 0x42c17c __setusermatherr
 0x42c180 _amsg_exit
 0x42c184 _cexit
 0x42c188 _initterm
 0x42c18c _iob
 0x42c190 _onexit
 0x42c194 abort
 0x42c198 atoi
 0x42c19c calloc
 0x42c1a0 exit
 0x42c1a4 fprintf
 0x42c1a8 free
 0x42c1ac fwrite
 0x42c1b0 malloc
 0x42c1b4 memcpy
 0x42c1b8 signal
 0x42c1bc strlen
 0x42c1c0 strncmp
 0x42c1c4 vfprintf

EAT (Export Address Table): none
