Report - f5aacf8c46f43d01d08fa79d2d72cfa9.exe

Gen1 Gen2 Generic Malware PE File PE32 OS Processor Check DLL
ScreenShot
Created 2021.07.12 09:50 Machine s1_win7_x6402
Filename f5aacf8c46f43d01d08fa79d2d72cfa9.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
4
Behavior Score
7.6
ZERO API file : clean
VT API (file) 40 detected (AIDetect, malware1, malicious, high confidence, Doina, GenericRXAA, Unsafe, Phonzy, Kryptik, VJVU, HLQQ, MalwareX, Wopz, Inject4, Artemis, woetv, 13QHYFZ, score, ai score=81, R002H0CGA21, confidence, HgIASYIA)
md5 64976dbee1d73fb7765cbec2b3612acc
sha256 b5836dfd74e9e193cb8b3ee99d34f6b93ff5b88fecdc8f0b55928407bd0af376
ssdeep 12288:CcXe9SLN+NH0khUZY+vcvw1PG8QYewwB9gL1xBtiJZcaFh:CcO2Q2ZYu+oel9gLHBtyZcaj
imphash 385b4c734448931d8105f2b8af2a40a5
impfuzzy 24:mDYNCu9eVHOovu4fg7JHniv8ERRv6uk6fcVneJy+KoTPwxQ1EQm:euh449W/fcVneJy+KX5r
  Network IP location

Signature (18cnts)

Level Description
danger File has been identified by 40 AntiVirus engines on VirusTotal as malicious
warning Uses WMI to create a new process
watch Creates or sets a registry key to a long series of bytes
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info The executable uses a known packer

Rules (11cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (10cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://ol.gamegame.info/report7.4.php US CLOUDFLARENET 172.67.200.215 1518 mailcious
http://ip-api.com/json/?fields=8198 US TUT-AS 208.95.112.1 clean
http://iw.gamegame.info/report7.4.php US CLOUDFLARENET 104.21.21.221 1517 mailcious
ip-api.com US TUT-AS 208.95.112.1 clean
iw.gamegame.info US CLOUDFLARENET 172.67.200.215 mailcious
ol.gamegame.info US CLOUDFLARENET 104.21.21.221 mailcious
google.vrthcobj.com US GOOGLE 34.97.69.225 clean
34.97.69.225 US GOOGLE 34.97.69.225 clean
104.21.21.221 US CLOUDFLARENET 104.21.21.221 mailcious
208.95.112.1 US TUT-AS 208.95.112.1 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x407000 GetProcAddress
 0x407004 lstrlenW
 0x407008 InterlockedDecrement
 0x40700c LoadLibraryA
 0x407010 GetEnvironmentVariableW
 0x407014 InterlockedIncrement
 0x407018 GetStringTypeW
 0x40701c GetStringTypeA
 0x407020 LocalFree
 0x407024 RtlUnwind
 0x407028 GetCommandLineA
 0x40702c GetVersion
 0x407030 ExitProcess
 0x407034 RaiseException
 0x407038 HeapFree
 0x40703c HeapAlloc
 0x407040 GetCurrentThreadId
 0x407044 TlsSetValue
 0x407048 TlsAlloc
 0x40704c SetLastError
 0x407050 TlsGetValue
 0x407054 GetLastError
 0x407058 TerminateProcess
 0x40705c GetCurrentProcess
 0x407060 UnhandledExceptionFilter
 0x407064 GetModuleFileNameA
 0x407068 FreeEnvironmentStringsA
 0x40706c FreeEnvironmentStringsW
 0x407070 WideCharToMultiByte
 0x407074 GetEnvironmentStrings
 0x407078 GetEnvironmentStringsW
 0x40707c SetHandleCount
 0x407080 GetStdHandle
 0x407084 GetFileType
 0x407088 GetStartupInfoA
 0x40708c GetModuleHandleA
 0x407090 GetEnvironmentVariableA
 0x407094 GetVersionExA
 0x407098 HeapDestroy
 0x40709c HeapCreate
 0x4070a0 VirtualFree
 0x4070a4 WriteFile
 0x4070a8 InitializeCriticalSection
 0x4070ac EnterCriticalSection
 0x4070b0 LeaveCriticalSection
 0x4070b4 SetUnhandledExceptionFilter
 0x4070b8 VirtualAlloc
 0x4070bc HeapReAlloc
 0x4070c0 IsBadWritePtr
 0x4070c4 IsBadReadPtr
 0x4070c8 IsBadCodePtr
 0x4070cc GetCPInfo
 0x4070d0 GetACP
 0x4070d4 GetOEMCP
 0x4070d8 MultiByteToWideChar
 0x4070dc LCMapStringA
 0x4070e0 LCMapStringW
USER32.dll
 0x407100 wsprintfW
ole32.dll
 0x407108 CoSetProxyBlanket
 0x40710c CoInitializeSecurity
 0x407110 CoInitialize
 0x407114 CoCreateInstance
 0x407118 CoUninitialize
OLEAUT32.dll
 0x4070e8 SysStringLen
 0x4070ec SysAllocStringLen
 0x4070f0 SysAllocString
 0x4070f4 VariantClear
 0x4070f8 SysFreeString

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure