popup

Report - KYKeoxe.exe

AsyncRAT backdoor PWS .NET framework Gen2 Generic Malware PE File .NET EXE PE32 DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.24 19:59 Machine s1_win7_x6401
Filename KYKeoxe.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
4
 Behavior Score
10.2
ZERO API file : clean
VT API (file)
md5 3b25b4407e5343c55f87a0325aad2e9f
sha256 29c1b0c37cc26128214d5cd1b13120ad78bfc4fe4e195d0d0d180a3b95e937d0
ssdeep 98304:lltsYQgTO1ihLx+mxYe6HhCZFKL6HtEGjNNMLd2le6B2R7qy0Zl9g8bh1:/tq+4a6HhCZFKLMtEmNN8Z6BU7qy0ZlV
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (23cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Creates a windows hook that monitors keyboard input (keylogger)
watch Looks for the Windows Idle Time to determine the uptime
watch Manipulates memory of a non-child process indicative of process injection
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info This executable has a PDB path
info Tries to locate where the browsers are installed

Rules (10cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (upload)
info Is_DotNET_EXE (no description) binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (30cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://kimyen.info/kykeoxe/1quangcao/KYQuangcao.txt
whois
VN NhanHoa Software company 103.28.36.10 clean
http://kimyen.net/kykeoxe/1quangcao/KYKeoxePb.txt
whois
VN VNPT Corp 103.255.237.239 clean
http://kimyen.info/kykeoxe/1quangcao/KYKeoxePb.txt
whois
VN NhanHoa Software company 103.28.36.10 clean
http://free.timeanddate.com/clock/i3jl68nm/n246/tlir/tt0/tw0/tm3/th1
whois
US FASTLY 151.101.1.176 clean
http://kimyen.net/kykeoxe/1quangcao/KYQuangcao.txt
whois
VN VNPT Corp 103.255.237.239 clean
http://kimyen.net/kykeoxe/phimhuongdan_kykeoxe.txt
whois
VN VNPT Corp 103.255.237.239 clean
http://kimyen.net/kykeoxe/1quangcao/KYMayphu.txt
whois
VN VNPT Corp 103.255.237.239 clean
https://jxhoitu.com/home/static/uploads/userfiles/images/quangcao.gif
whois
VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP 103.90.224.168 clean
https://i0.wp.com/s1.uphinh.org/2021/06/06/hoa6.gif
whois
US AUTOMATTIC 192.0.77.2 clean
https://i0.wp.com/s1.uphinh.org/2021/05/18/lamhoa.gif
whois
US AUTOMATTIC 192.0.77.2 clean
https://i0.wp.com/s1.uphinh.org/2021/01/31/autokimyen.gif
whois
US AUTOMATTIC 192.0.77.2 clean
time.nist.gov
whois
US US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGY 132.163.97.1 clean
kimyen.info
whois
VN NhanHoa Software company 103.28.36.10 clean
utcnist.colorado.edu
whois
US COLORADO-AS 128.138.140.44 clean
jxhoitu.com
whois
VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP 103.90.224.168 clean
ptbtime1.ptb.de
whois
DE Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. 192.53.103.108 clean
i0.wp.com
whois
US AUTOMATTIC 192.0.77.2 clean
free.timeanddate.com
whois
US FASTLY 151.101.193.176 clean
time.ien.it
whois
IT Consortium GARR 193.204.114.105 clean
kimyen.net
whois
VN VNPT Corp 103.255.237.239 malware
103.90.224.168
whois
VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP 103.90.224.168 clean
151.101.77.176
whois
HK FASTLY 151.101.77.176 clean
103.28.36.10
whois
VN NhanHoa Software company 103.28.36.10 clean
192.0.77.2
whois
US AUTOMATTIC 192.0.77.2 mailcious
128.138.140.44
whois
US COLORADO-AS 128.138.140.44 clean
112.213.89.26
whois
VN SUPERDATA 112.213.89.26 phishing
128.138.141.172
whois
US COLORADO-AS 128.138.141.172 clean
103.255.237.239
whois
VN VNPT Corp 103.255.237.239 malware
192.53.103.108
whois
DE Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. 192.53.103.108 clean
193.204.114.105
whois
IT Consortium GARR 193.204.114.105 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure