popup

Report - 0694b1714768f441a6827c5776da3cdc.exe

Gen2 Gen1 Generic Malware UPX PE File OS Processor Check PE32 DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.07.19 10:51 Machine s1_win7_x6402
Filename 0694b1714768f441a6827c5776da3cdc.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
7.6
ZERO API file : malware
VT API (file) 53 detected (AIDetect, malware1, malicious, high confidence, score, GenericKD, Unsafe, Kryptik, MJLZ, Attribute, HighConfidence, HLQQ, Zusy, MalwareX, Gencirc, Malware@#16byuxsj06xy0, Inject4, R002C0WGD21, bfxxa, kcloud, Ymacco, 13QHYFZ, R431137, GenericRXAA, ai score=88, fECXbpTI758, susgen, PossibleThreat, confidence, 100%, HgIASYIA)
md5 7a7c47733423a46f83eab77d230a0e12
sha256 948bd9774b0dfad1762f459a078f55426780b722585aa701941e95b188a552de
ssdeep 12288:CcXL9SLN+NH0khUZY+vcvw1VU8QYewwB9gL1xBYjJZcaFZ:Cc72Q2ZYuKoel9gLHBY9Zcar
imphash 385b4c734448931d8105f2b8af2a40a5
impfuzzy 24:mDYNCu9eVHOovu4fg7JHniv8ERRv6uk6fcVneJy+KoTPwxQ1EQm:euh449W/fcVneJy+KX5r
  Network IP location

Signature (18cnts)

Level Description
danger File has been identified by 53 AntiVirus engines on VirusTotal as malicious
warning Uses WMI to create a new process
watch Creates or sets a registry key to a long series of bytes
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info The executable uses a known packer

Rules (13cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (11cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://ol.gamegame.info/report7.4.php
whois
US CLOUDFLARENET 104.21.21.221 1518 mailcious
http://ip-api.com/json/?fields=8198
whois
US TUT-AS 208.95.112.1 clean
http://by.dirfgame.com/report7.4.php
whois
US CLOUDFLARENET 172.67.215.92 2900 mailcious
ip-api.com
whois
US TUT-AS 208.95.112.1 clean
google.vrthcobj.com
whois
US GOOGLE 34.97.69.225 mailcious
by.dirfgame.com
whois
US CLOUDFLARENET 104.21.78.28 mailcious
ol.gamegame.info
whois
US CLOUDFLARENET 172.67.200.215 mailcious
34.97.69.225
whois
US GOOGLE 34.97.69.225 mailcious
208.95.112.1
whois
US TUT-AS 208.95.112.1 clean
104.21.21.221
whois
US CLOUDFLARENET 104.21.21.221 mailcious
104.21.78.28
whois
US CLOUDFLARENET 104.21.78.28 mailcious

Suricata ids

ET POLICY External IP Lookup ip-api.com

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x407000 GetProcAddress
 0x407004 lstrlenW
 0x407008 InterlockedDecrement
 0x40700c LoadLibraryA
 0x407010 GetEnvironmentVariableW
 0x407014 InterlockedIncrement
 0x407018 GetStringTypeW
 0x40701c GetStringTypeA
 0x407020 LocalFree
 0x407024 RtlUnwind
 0x407028 GetCommandLineA
 0x40702c GetVersion
 0x407030 ExitProcess
 0x407034 RaiseException
 0x407038 HeapFree
 0x40703c HeapAlloc
 0x407040 GetCurrentThreadId
 0x407044 TlsSetValue
 0x407048 TlsAlloc
 0x40704c SetLastError
 0x407050 TlsGetValue
 0x407054 GetLastError
 0x407058 TerminateProcess
 0x40705c GetCurrentProcess
 0x407060 UnhandledExceptionFilter
 0x407064 GetModuleFileNameA
 0x407068 FreeEnvironmentStringsA
 0x40706c FreeEnvironmentStringsW
 0x407070 WideCharToMultiByte
 0x407074 GetEnvironmentStrings
 0x407078 GetEnvironmentStringsW
 0x40707c SetHandleCount
 0x407080 GetStdHandle
 0x407084 GetFileType
 0x407088 GetStartupInfoA
 0x40708c GetModuleHandleA
 0x407090 GetEnvironmentVariableA
 0x407094 GetVersionExA
 0x407098 HeapDestroy
 0x40709c HeapCreate
 0x4070a0 VirtualFree
 0x4070a4 WriteFile
 0x4070a8 InitializeCriticalSection
 0x4070ac EnterCriticalSection
 0x4070b0 LeaveCriticalSection
 0x4070b4 SetUnhandledExceptionFilter
 0x4070b8 VirtualAlloc
 0x4070bc HeapReAlloc
 0x4070c0 IsBadWritePtr
 0x4070c4 IsBadReadPtr
 0x4070c8 IsBadCodePtr
 0x4070cc GetCPInfo
 0x4070d0 GetACP
 0x4070d4 GetOEMCP
 0x4070d8 MultiByteToWideChar
 0x4070dc LCMapStringA
 0x4070e0 LCMapStringW
USER32.dll
 0x407100 wsprintfW
ole32.dll
 0x407108 CoSetProxyBlanket
 0x40710c CoInitializeSecurity
 0x407110 CoInitialize
 0x407114 CoCreateInstance
 0x407118 CoUninitialize
OLEAUT32.dll
 0x4070e8 SysStringLen
 0x4070ec SysAllocStringLen
 0x4070f0 SysAllocString
 0x4070f4 VariantClear
 0x4070f8 SysFreeString

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure