Report - 97e6dac4.exe

Netfilter rootkit AntiDebug AntiVM PE32 PE File PE64
Created: 2021.06.29 10:42
Machine: s1_win7_x6401
Filename: 97e6dac4.exe
Type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
AI Score: 11
Behavior Score: 6.2
ZERO API file: clean
VT API (file): 56 detected (malicious, high confidence, DownLoader40, Doina, Stantinko, Unsafe, Save, confidence, 100%, NOPC, TrojanX, gjwx, iwcpys, kYXw, Efky, Malware@#bsi9vm83cw79, FETNILTER, ejntd, ai score=83, ASMalwS, kcloud, Retliften, score, NetFilter, CLASSIC, HtkSy, PossibleThreat, susgen)
md5: 8bf00ef4dd6bb308c76849901b03ccbd
sha256: a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4
ssdeep: 192:oCaQ3qaG3GO/pfg9m3CJ3Mc+YeZBkvmKI7H:o5Nt/Vg9m3CJ3qZ0jI7
imphash: 7e3bbc4aa48a3d61a7b995aba939311c
impfuzzy: 6:dBJAEHGDfj77AUAajVOarOZETO4Emyf5XnlJ8iPEcJA0IpJqhQJrEkH5XD4sIWG:VA/Dfj7dObdJmiJltPXJuJq+JX5zy

Signature (11cnts)

Level    Description
danger   File has been identified by 56 AntiVirus engines on VirusTotal as malicious
warning  Stops Windows services
watch    Communicates with host for which no DNS query was performed
watch    Installs itself for autorun at Windows startup
watch    Loads a driver
watch    Resumed a suspended thread in a remote process potentially indicative of process injection
notice   A process created a hidden window
notice   An executable file was downloaded by the process 97e6dac4.exe
notice   Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice   Yara rule detected in process memory
info     Command line console output was observed

Rules (15cnts)

Level   Name                               Description                               Collection
danger  MAL_Netfilter_Dropper_Jun_2021_1   Detect the dropper of Netfilter rootkit   binaries (download)
danger  MAL_Netfilter_Dropper_Jun_2021_1   Detect the dropper of Netfilter rootkit   binaries (upload)
info    anti_dbg                           Checks if being debugged                  memory
info    DebuggerCheck__GlobalFlags         (no description)                          memory
info    DebuggerCheck__QueryInfo           (no description)                          memory
info    DebuggerException__SetConsoleCtrl  (no description)                          memory
info    DebuggerHiding__Active             (no description)                          memory
info    DebuggerHiding__Thread             (no description)                          memory
info    disable_dep                        Bypass DEP                                memory
info    IsPE32                             (no description)                          binaries (upload)
info    IsPE64                             (no description)                          binaries (download)
info    PE_Header_Zero                     PE File Signature                         binaries (download)
info    PE_Header_Zero                     PE File Signature                         binaries (upload)
info    SEH__vectored                      (no description)                          memory
info    ThreadControl__Context             (no description)                          memory

Network (2cnts)

Request: http://45.113.202.180:608/d6
  CC: CN
  ASN: CHINATELECOM JiangSu YangZhou IDC
  networkdescr: YangZhouJiangsu Province, P.R.China.
  IP4: 45.113.202.180
  ZERO: clean

Request: 45.113.202.180
  CC: CN
  ASN: CHINATELECOM JiangSu YangZhou IDC
  networkdescr: YangZhouJiangsu Province, P.R.China.
  IP4: 45.113.202.180
  ZERO: clean

PE API

IAT (Import Address Table), by library

kernel32.dll
 0x4034bc LoadLibraryA
 0x4034c0 GetProcAddress
 0x4034c4 WaitForSingleObject
 0x4034c8 CreateFileA
 0x4034cc WriteFile
 0x4034d0 CloseHandle
 0x4034d4 WideCharToMultiByte
 0x4034d8 Sleep
 0x4034dc DeleteFileA
 0x4034e0 GetCurrentProcess
 0x4034e4 TerminateProcess
 0x4034e8 GetModuleHandleA
 0x4034ec GetFileAttributesExA
 0x4034f0 lstrlenW
 0x4034f4 GetProcessHeap
 0x4034f8 HeapAlloc
 0x4034fc GetLastError
 0x403500 HeapFree
 0x403504 SetUnhandledExceptionFilter
msvcrt.dll
 0x40350c memset
 0x403510 strlen
 0x403514 wcslen
 0x403518 malloc
 0x40351c strcmp
 0x403520 free
 0x403524 strstr
 0x403528 memcpy
 0x40352c _controlfp
 0x403530 __set_app_type
 0x403534 __getmainargs
 0x403538 exit

EAT (Export Address Table): none
