Report - prince_of_persia_P_v4_x64.exe

Tags: AsyncRAT backdoor, Generic Malware, PE File, PE64, OS Processor Check
Created 2021.06.22 18:14 Machine s1_win7_x6402
Filename prince_of_persia_P_v4_x64.exe
Type PE32+ executable (console) x86-64, for MS Windows
AI Score: 3
Behavior Score: 7.2
ZERO API (file): clean
VT API (file): 33 detected (malicious, high confidence, Unsafe, Save, Raktu, Eldorado, TrojanX, Kryplod, BadFile, Static AI, Suspicious PE, quve, Score, AGEN, PoshC2, Artemis, ai score=83, susgen, confidence)
md5 b7605ff2f14efbd06844cc4473711fa9
sha256 8ba619e1fb38bc0232347892b8fa0f0a3350be8d7397179de74549c07d684bab
ssdeep 3072:wtE6LoJJnmMJ/vmMZvlN1dt9NF9NFtV9lN1dFtVwzl3Mw6oTdfO27B9lnU6zNdSb:8EgoSMJ/vdoPnO2NnnBNw++
imphash a5aa1f6f1c13d9e5a34bc47ad2785366
impfuzzy 12:C+wRJRJJr85ARZqRZzhYPXJ+qRm0MHHG95XGXViEG6eGJOJlk6lTpJqJiZn:jkfjr/cZzeFm0MG95XG66ZoJlkoDqoZn

Signature (16cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 33 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (5cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (14cnts)

Request CC ASN Co IP4 Rule ZERO
https://nidhoggr.club/horatia/alpha/colorless/stealthy/evil/honoria/outnoise/collapsar/sneaky/39152ab9-6ffb-4b19-811e-e9538a897d93/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/horatia/alpha/colorless/stealthy/evil/honoria/outnoise/collapsar/sneaky/7da76ce4-eabc-48f5-b3df-769296a4b738/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/unnoised/strange?ballistic=greyish780990e3-289e-448e-9ae9-2674b0e3f3a2/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/slither/overnoise/infiltrator/giulietta/collapsar/ IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/ultimate/giustina/collapsar/10f9ba50-c5d1-4e00-ab9e-541e6144061f/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/ivie/soundless/Adelina/cheerless/gray/ivett?nameless=subrepticedcc4d3c3-0e97-40ed-98bc-e856a5c2f8ca/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/undercover/atomic?hyacinthe=Gizelaff06fa1a-1992-43ef-9704-2913c9b2299e/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/noiseproof/greyish/turbulent/turbulent/Hyacinthia/isabelle/Hildagard?glad=noisemakerd1cdbebf-220a-4726-87c6-1c3855c9c262/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/anonymous/issie/nuclear/twilit/Iseabal/noiseful/bilious/glad/Sybil/Hyacinth/darkened?atomic=izabel5039d36f-1fe0-46d6-a3bc-d0d81257b6fe/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/noised/noiseful/malicious/drab/unbeaten/shadow/1e58acfe-6387-4707-b70e-6e95181f902f/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/noiselessly/crepuscular/winterly/metallic/antinoise/quiet/7326892f-c4f3-4728-9b5e-a22d33c3b139/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
https://nidhoggr.club/Gizela/unrecognized/noiselessly/colorless/nova?Odilia=janaya7312d3e3-fe83-4e36-a09f-2faea02ce400/?XU8IQz27epJ6sln IS 1984 ehf 185.112.146.165 clean
nidhoggr.club IS 1984 ehf 185.112.146.165 malware
185.112.146.165 IS 1984 ehf 185.112.146.165 malware
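The twelve request URLs above share three things: the host nidhoggr.club, a key-less query suffix (XU8IQz27epJ6sln) and a version-4 UUID somewhere in the path or query; only the request on the short slither/... path lacks the last two. The Python below is an added example, not part of the sandbox report or of the sample, that derives that fingerprint from the listed URLs and applies it to constructed proxy-log lines. The log format, the timestamps, and the example.com / example.net / relocated.example.org URLs are assumptions made for the example; the nidhoggr.club URLs are copied from the table.

```python
"""Beacon-URL fingerprinting for the nidhoggr.club requests in the report.

Added example, not sandbox or sample code. The proxy-log format and the
benign/decoy URLs below are constructed for the example."""
import re
from collections import Counter
from urllib.parse import urlsplit

# The twelve request URLs from the Network table of the report.
REPORT_URLS = [
    "https://nidhoggr.club/horatia/alpha/colorless/stealthy/evil/honoria/outnoise/collapsar/sneaky/39152ab9-6ffb-4b19-811e-e9538a897d93/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/horatia/alpha/colorless/stealthy/evil/honoria/outnoise/collapsar/sneaky/7da76ce4-eabc-48f5-b3df-769296a4b738/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/unnoised/strange?ballistic=greyish780990e3-289e-448e-9ae9-2674b0e3f3a2/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/slither/overnoise/infiltrator/giulietta/collapsar/",
    "https://nidhoggr.club/ultimate/giustina/collapsar/10f9ba50-c5d1-4e00-ab9e-541e6144061f/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/ivie/soundless/Adelina/cheerless/gray/ivett?nameless=subrepticedcc4d3c3-0e97-40ed-98bc-e856a5c2f8ca/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/undercover/atomic?hyacinthe=Gizelaff06fa1a-1992-43ef-9704-2913c9b2299e/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/noiseproof/greyish/turbulent/turbulent/Hyacinthia/isabelle/Hildagard?glad=noisemakerd1cdbebf-220a-4726-87c6-1c3855c9c262/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/anonymous/issie/nuclear/twilit/Iseabal/noiseful/bilious/glad/Sybil/Hyacinth/darkened?atomic=izabel5039d36f-1fe0-46d6-a3bc-d0d81257b6fe/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/noised/noiseful/malicious/drab/unbeaten/shadow/1e58acfe-6387-4707-b70e-6e95181f902f/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/noiselessly/crepuscular/winterly/metallic/antinoise/quiet/7326892f-c4f3-4728-9b5e-a22d33c3b139/?XU8IQz27epJ6sln",
    "https://nidhoggr.club/Gizela/unrecognized/noiselessly/colorless/nova?Odilia=janaya7312d3e3-fe83-4e36-a09f-2faea02ce400/?XU8IQz27epJ6sln",
]

# RFC 4122 version-4 UUID: third group starts with 4, fourth with 8, 9, a or b.
UUID4_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}", re.I)


def bare_suffix(url):
    """Text after the last '?'. The beacons end in a fixed key-less token."""
    return url.rsplit("?", 1)[1] if "?" in url else ""


def fingerprint(urls):
    """What the observed requests have in common: host, fixed suffix, UUID use."""
    hosts = Counter(urlsplit(u).hostname for u in urls)
    suffixes = Counter(s for s in map(bare_suffix, urls) if s and "=" not in s)
    host = hosts.most_common(1)[0][0]
    suffix, n_suffix = suffixes.most_common(1)[0] if suffixes else ("", 0)
    n_uuid = sum(1 for u in urls if UUID4_RE.search(u))
    return {"host": host, "suffix": suffix,
            "suffix_frac": n_suffix / len(urls), "uuid_frac": n_uuid / len(urls)}


def classify(url, fp):
    """Tags for one request: known C2 host, and/or the structural beacon pattern.

    The pattern (v4 UUID plus the fixed key-less suffix) is checked
    independently of the host so a relocated C2 would still be caught."""
    tags = set()
    if urlsplit(url).hostname == fp["host"]:
        tags.add("c2-host")
    if fp["suffix"] and bare_suffix(url) == fp["suffix"] and UUID4_RE.search(url):
        tags.add("beacon-pattern")
    return tags


# Constructed proxy log: "<time> <client> <method> <url> <status> <bytes>".
# Lines 2, 4 and 5 are invented decoys; line 4 has a UUID but no suffix.
PROXY_LOG = """\
2021-06-22T18:14:05Z 10.0.0.15 POST https://nidhoggr.club/horatia/alpha/colorless/stealthy/evil/honoria/outnoise/collapsar/sneaky/39152ab9-6ffb-4b19-811e-e9538a897d93/?XU8IQz27epJ6sln 200 412
2021-06-22T18:14:09Z 10.0.0.15 GET https://www.example.com/index.html 200 1024
2021-06-22T18:14:15Z 10.0.0.15 GET https://nidhoggr.club/slither/overnoise/infiltrator/giulietta/collapsar/ 200 96
2021-06-22T18:14:22Z 10.0.0.21 GET https://cdn.example.net/assets/8d0f0a1c-2c63-4d5f-9c3a-1b2c3d4e5f60/app.js 200 8820
2021-06-22T18:14:31Z 10.0.0.21 GET https://relocated.example.org/x/1e58acfe-6387-4707-b70e-6e95181f902f/?XU8IQz27epJ6sln 200 412
"""


def scan_log(log_text, fp):
    """Return (url, tags) for every log line that gets at least one tag."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].startswith("http"):
            continue
        tags = classify(fields[3], fp)
        if tags:
            hits.append((fields[3], tags))
    return hits


if __name__ == "__main__":
    fp = fingerprint(REPORT_URLS)
    print(fp)
    for url, tags in scan_log(PROXY_LOG, fp):
        print(sorted(tags), url)
```

The host tag is the plain IOC match the report already gives you; the structural tag is what survives a C2 move, which is why the constructed relocated.example.org line is flagged while the CDN line with a UUID but no fixed suffix is not.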

Suricata ids

PE API

IAT (Import Address Table) by library

KERNEL32.dll
 0x4301b4 CloseHandle
 0x4301bc CreateProcessA
 0x4301c4 CreateRemoteThread
 0x4301cc DeleteCriticalSection
 0x4301d4 EnterCriticalSection
 0x4301dc GetLastError
 0x4301e4 GetProcessId
 0x4301ec GetStartupInfoA
 0x4301f4 InitializeCriticalSection
 0x4301fc LeaveCriticalSection
 0x430204 OpenProcess
 0x43020c SetUnhandledExceptionFilter
 0x430214 Sleep
 0x43021c TlsGetValue
 0x430224 VirtualAllocEx
 0x43022c VirtualProtect
 0x430234 VirtualQuery
 0x43023c WriteProcessMemory
msvcrt.dll
 0x43024c __C_specific_handler
 0x430254 __getmainargs
 0x43025c __initenv
 0x430264 __iob_func
 0x43026c __lconv_init
 0x430274 __set_app_type
 0x43027c __setusermatherr
 0x430284 _acmdln
 0x43028c _amsg_exit
 0x430294 _cexit
 0x43029c _commode
 0x4302a4 _fmode
 0x4302ac _initterm
 0x4302b4 _onexit
 0x4302bc abort
 0x4302c4 atoi
 0x4302cc calloc
 0x4302d4 exit
 0x4302dc fprintf
 0x4302e4 free
 0x4302ec fwrite
 0x4302f4 malloc
 0x4302fc memcpy
 0x430304 signal
 0x43030c strlen
 0x430314 strncmp
 0x43031c vfprintf

EAT (Export Address Table): none
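The KERNEL32 import set is what the "allocates execute permission to another process" signature rests on: OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread together are the classic remote-thread injection primitive. CreateProcessA and GetProcessId in the same table are consistent with the sample spawning its own target, though the report does not show which process was written to. The Python below is an added example, not the sandbox's or the sample's code, that parses the IAT listing above and evaluates all-of capability rules against it; the rule names, and the two rule sets that use imports not present here (thread hijack, local staging), are illustrative assumptions.

```python
"""Capability matching over the IAT listing in the report.

Added example, not sandbox or sample code. Rule names and the rule sets that
go beyond the imports shown (thread hijack, local staging) are illustrative."""
import re

# IAT text copied from the report (KERNEL32 complete, msvcrt abbreviated).
IAT_TEXT = """\
KERNEL32.dll
 0x4301b4 CloseHandle
 0x4301bc CreateProcessA
 0x4301c4 CreateRemoteThread
 0x4301cc DeleteCriticalSection
 0x4301d4 EnterCriticalSection
 0x4301dc GetLastError
 0x4301e4 GetProcessId
 0x4301ec GetStartupInfoA
 0x4301f4 InitializeCriticalSection
 0x4301fc LeaveCriticalSection
 0x430204 OpenProcess
 0x43020c SetUnhandledExceptionFilter
 0x430214 Sleep
 0x43021c TlsGetValue
 0x430224 VirtualAllocEx
 0x43022c VirtualProtect
 0x430234 VirtualQuery
 0x43023c WriteProcessMemory
msvcrt.dll
 0x43024c __C_specific_handler
 0x4302fc memcpy
 0x430314 strncmp
"""

# Each rule is an all-of set: every import must be present for a full match.
CAPABILITIES = {
    "remote thread injection": {"OpenProcess", "VirtualAllocEx",
                                "WriteProcessMemory", "CreateRemoteThread"},
    "spawns a process": {"CreateProcessA"},
    "thread hijack injection": {"OpenThread", "SuspendThread",
                                "SetThreadContext", "ResumeThread"},
    "local shellcode staging": {"VirtualAlloc", "VirtualProtect", "CreateThread"},
}

_ENTRY = re.compile(r"^\s+(0x[0-9a-f]+)\s+(\S+)$", re.I)


def parse_iat(text):
    """{dll: {import_name: thunk_address}} from the report's IAT listing."""
    imports, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            imports[current][m.group(2)] = int(m.group(1), 16)
        elif not line[0].isspace():
            current = line.strip()          # a DLL header line
            imports.setdefault(current, {})
        else:
            raise ValueError(f"unparseable IAT line: {line!r}")
    return imports


def match_capabilities(imports, rules=CAPABILITIES):
    """Per rule: whether it matched completely, what is present (with address)
    and what is missing. Partial matches are reported, not counted as hits."""
    addr = {name: a for table in imports.values() for name, a in table.items()}
    result = {}
    for cap, required in rules.items():
        present = required & set(addr)
        result[cap] = {
            "complete": present == required,
            "present": sorted((n, addr[n]) for n in present),
            "missing": sorted(required - present),
        }
    return result


def matched(imports, rules=CAPABILITIES):
    """Names of the rules that matched completely."""
    return sorted(c for c, r in match_capabilities(imports, rules).items()
                  if r["complete"])


if __name__ == "__main__":
    iat = parse_iat(IAT_TEXT)
    for cap, r in match_capabilities(iat).items():
        state = "MATCH" if r["complete"] else f"partial, missing {r['missing']}"
        print(f"{cap}: {state}")
        for name, a in r["present"]:
            print(f"    {name} @ {a:#x}")
```

Reporting partial matches separately matters in practice: VirtualProtect alone satisfies a third of the "local shellcode staging" rule, and a scorer that added up individual suspicious imports would over-count it, whereas the all-of rule only fires for the complete injection chain that this sample actually imports.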

Similarity measure (PE file only): no result shown