Report - 3003.exe

Gen2 UPX Malicious Library PE32 PE File OS Processor Check DLL
Created 2021.07.27 09:24 Machine s1_win7_x6401
Filename 3003.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
5
Behavior Score
7.2
ZERO API file : clean
VT API (file) 24 detected (Ulise, Inject4, MalwareX, Artemis, Redcap, xmzlv, ai score=85, Wacatac, R002H09GQ21, GdSda, HgIASZEA)
md5 1609d18c06f71cd892d6fb524ecfc2ad
sha256 9df54d4e8faccc9aff9d8ea76a8aaf9e1f64ef0e32dbe9904b4654cee4884e1e
ssdeep 768:tY0swb0Bhe4KC7ojVTH/EdJ2cTspywATkIOsKCljh:0wuKCchTMdJ6pKHbljh
imphash f4d21a3c7e3ac3673fd95463d8843df2
impfuzzy 24:FuDoku9lb4vLXHOovuXg7JHniv8ERRv6uk3zfcVAJXKKFwxGT5Enk1EQDX:P4TXuhw9WKzfcVAJXKKOHnFC

Signature (18cnts)

Level Description
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
warning Uses WMI to create a new process
watch Creates or sets a registry key to a long series of bytes
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid)
info Queries for the computername
info The executable uses a known packer

Rules (11cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)

Network (15cnts)

Request CC ASN Co IP4 Rule ZERO
http://ol.gamegame.info/report7.4.php US CLOUDFLARENET 104.21.21.221 1518 malicious
http://ip-api.com/json/?fields=8198 US TUT-AS 208.95.112.1 clean
http://by.dirfgame.com/report7.4.php US CLOUDFLARENET 104.21.78.28 2900 malicious
https://live.goatgame.live/userf/dat/3003/sqlite.dat US CLOUDFLARENET 172.67.222.125 clean
https://live.goatgame.live/userf/dat/sqlite.dll US CLOUDFLARENET 172.67.222.125 clean
ol.gamegame.info US CLOUDFLARENET 172.67.200.215 malicious
live.goatgame.live US CLOUDFLARENET 104.21.70.98 malware
google.vrthcobj.com US GOOGLE 34.97.69.225 malicious
by.dirfgame.com US CLOUDFLARENET 172.67.215.92 malicious
ip-api.com US TUT-AS 208.95.112.1 clean
172.67.200.215 US CLOUDFLARENET 172.67.200.215 clean
34.97.69.225 US GOOGLE 34.97.69.225 malicious
208.95.112.1 US TUT-AS 208.95.112.1 clean
104.21.78.28 US CLOUDFLARENET 104.21.78.28 malicious
172.67.222.125 US CLOUDFLARENET 172.67.222.125 malware

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x408000 lstrlenW
 0x408004 InterlockedDecrement
 0x408008 GetProcAddress
 0x40800c LoadLibraryA
 0x408010 CloseHandle
 0x408014 WriteFile
 0x408018 CreateFileW
 0x40801c GetEnvironmentVariableW
 0x408020 GetModuleFileNameW
 0x408024 GetConsoleWindow
 0x408028 RaiseException
 0x40802c LocalFree
 0x408030 lstrlenA
 0x408034 InterlockedIncrement
 0x408038 GetStringTypeW
 0x40803c GetStringTypeA
 0x408040 LCMapStringW
 0x408044 LCMapStringA
 0x408048 MultiByteToWideChar
 0x40804c RtlUnwind
 0x408050 GetCommandLineA
 0x408054 GetVersion
 0x408058 ExitProcess
 0x40805c HeapFree
 0x408060 HeapAlloc
 0x408064 GetCurrentThreadId
 0x408068 TlsSetValue
 0x40806c TlsAlloc
 0x408070 SetLastError
 0x408074 TlsGetValue
 0x408078 GetLastError
 0x40807c TerminateProcess
 0x408080 GetCurrentProcess
 0x408084 UnhandledExceptionFilter
 0x408088 GetModuleFileNameA
 0x40808c FreeEnvironmentStringsA
 0x408090 FreeEnvironmentStringsW
 0x408094 WideCharToMultiByte
 0x408098 GetEnvironmentStrings
 0x40809c GetEnvironmentStringsW
 0x4080a0 SetHandleCount
 0x4080a4 GetStdHandle
 0x4080a8 GetFileType
 0x4080ac GetStartupInfoA
 0x4080b0 GetModuleHandleA
 0x4080b4 GetEnvironmentVariableA
 0x4080b8 GetVersionExA
 0x4080bc HeapDestroy
 0x4080c0 HeapCreate
 0x4080c4 VirtualFree
 0x4080c8 VirtualAlloc
 0x4080cc HeapReAlloc
 0x4080d0 IsBadWritePtr
 0x4080d4 InitializeCriticalSection
 0x4080d8 EnterCriticalSection
 0x4080dc LeaveCriticalSection
 0x4080e0 SetUnhandledExceptionFilter
 0x4080e4 IsBadReadPtr
 0x4080e8 IsBadCodePtr
 0x4080ec GetCPInfo
 0x4080f0 GetACP
 0x4080f4 GetOEMCP
 0x4080f8 HeapSize
USER32.dll
 0x408134 ShowWindow
 0x408138 wsprintfW
ole32.dll
 0x408140 CoInitializeSecurity
 0x408144 CoUninitialize
 0x408148 CoCreateInstance
 0x40814c CoSetProxyBlanket
 0x408150 CoInitialize
OLEAUT32.dll
 0x408100 VariantInit
 0x408104 SafeArrayGetDim
 0x408108 SafeArrayGetLBound
 0x40810c SafeArrayGetUBound
 0x408110 SafeArrayAccessData
 0x408114 SafeArrayUnaccessData
 0x408118 SysStringLen
 0x40811c SysAllocStringLen
 0x408120 SysAllocString
 0x408124 VariantClear
 0x408128 SysFreeString
 0x40812c GetErrorInfo

EAT (Export Address Table): none