Report - bincrypted.exe

Formbook, UPX, Malicious Library, PE File, OS Processor Check, PE32
Created 2021.08.04 09:54 Machine s1_win7_x6401
Filename bincrypted.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 5.2
ZERO API file : malware
VT API (file) 41 detected (AIDetect, malware2, Noon, Packed2, GenericKD, Unsafe, Save, FormBook, malicious, confidence, ZexaF, wyZ@aqwvwKfi, Attribute, HighConfidence, Kryptik, HLXQ, MalwareX, susgen, sklls, score, Generic PWS, ai score=80, BScope, Androm, CLASSIC, Static AI, Suspicious PE, HLWX, HwoCueAA)
md5 059b1244ac9fda54de086692db4b5a08
sha256 abb29be2c1eccd851bdb99b126e822a8cf0f57be95e9b71a921aa703b2c285be
ssdeep 6144:GCeJWu3gGB7g1TaqXp/bTLwlLGX7lQtbzRuYqCRxPi4f+99:uWcgGCTaqXhKLGEvRrnm99
imphash 589aee860f84814af33b4e1068b97d01
impfuzzy 48:1AS1jtu5c+ppcx3rBF/KA/JG+onBQES5X090WmqQGAE46XnHN7:WS1jtu5c+ppc9zQtawlN7
Signature (10cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path

Rules (6cnts)

Level Name Description Collection
danger Win_Trojan_Formbook_Zero Used Formbook binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (49cnts)


Suricata ids

PE API

IAT (Import Address Table)

KERNEL32.dll
 0x40e04c SetStdHandle
 0x40e050 GetFileType
 0x40e054 GetStringTypeW
 0x40e058 GetProcessHeap
 0x40e05c HeapSize
 0x40e060 FlushFileBuffers
 0x40e064 GetConsoleCP
 0x40e068 GetConsoleMode
 0x40e06c SetFilePointerEx
 0x40e070 WriteConsoleW
 0x40e074 DecodePointer
 0x40e078 VirtualProtect
 0x40e07c CloseHandle
 0x40e080 EnumLanguageGroupLocalesW
 0x40e084 CreateFileW
 0x40e088 LCMapStringW
 0x40e08c WriteFile
 0x40e090 QueryPerformanceCounter
 0x40e094 GetCurrentProcessId
 0x40e098 GetCurrentThreadId
 0x40e09c GetSystemTimeAsFileTime
 0x40e0a0 InitializeSListHead
 0x40e0a4 IsDebuggerPresent
 0x40e0a8 UnhandledExceptionFilter
 0x40e0ac SetUnhandledExceptionFilter
 0x40e0b0 GetStartupInfoW
 0x40e0b4 IsProcessorFeaturePresent
 0x40e0b8 GetModuleHandleW
 0x40e0bc GetCurrentProcess
 0x40e0c0 TerminateProcess
 0x40e0c4 RtlUnwind
 0x40e0c8 GetLastError
 0x40e0cc SetLastError
 0x40e0d0 EnterCriticalSection
 0x40e0d4 LeaveCriticalSection
 0x40e0d8 DeleteCriticalSection
 0x40e0dc InitializeCriticalSectionAndSpinCount
 0x40e0e0 TlsAlloc
 0x40e0e4 TlsGetValue
 0x40e0e8 TlsSetValue
 0x40e0ec TlsFree
 0x40e0f0 FreeLibrary
 0x40e0f4 GetProcAddress
 0x40e0f8 LoadLibraryExW
 0x40e0fc GetStdHandle
 0x40e100 GetModuleFileNameW
 0x40e104 MultiByteToWideChar
 0x40e108 WideCharToMultiByte
 0x40e10c ExitProcess
 0x40e110 GetModuleHandleExW
 0x40e114 GetACP
 0x40e118 HeapFree
 0x40e11c HeapAlloc
 0x40e120 HeapReAlloc
 0x40e124 FindClose
 0x40e128 FindFirstFileExW
 0x40e12c FindNextFileW
 0x40e130 IsValidCodePage
 0x40e134 GetOEMCP
 0x40e138 GetCPInfo
 0x40e13c GetCommandLineA
 0x40e140 GetCommandLineW
 0x40e144 GetEnvironmentStringsW
 0x40e148 FreeEnvironmentStringsW
 0x40e14c RaiseException
USER32.dll
 0x40e154 GetMessageW
 0x40e158 DefWindowProcW
 0x40e15c DestroyWindow
 0x40e160 DispatchMessageW
 0x40e164 TranslateMessage
 0x40e168 LoadCursorW
 0x40e16c GetClientRect
 0x40e170 PostQuitMessage
 0x40e174 InvalidateRect
 0x40e178 BeginPaint
 0x40e17c EndPaint
 0x40e180 CreateWindowExW
 0x40e184 RegisterClassExW
 0x40e188 RegisterClassW
 0x40e18c SetMenu
 0x40e190 AppendMenuW
 0x40e194 GetSysColorBrush
 0x40e198 CreateMenu
 0x40e19c GetDC
 0x40e1a0 ReleaseDC
GDI32.dll
 0x40e00c CreateCompatibleBitmap
 0x40e010 CreateCompatibleDC
 0x40e014 SetBkColor
 0x40e018 SetROP2
 0x40e01c ExtTextOutW
 0x40e020 GetStockObject
 0x40e024 SelectObject
 0x40e028 SetPixel
 0x40e02c ExtFloodFill
 0x40e030 GetDIBits
 0x40e034 GetPixel
 0x40e038 GetObjectW
 0x40e03c DeleteObject
 0x40e040 CreateSolidBrush
 0x40e044 BitBlt
COMDLG32.dll
 0x40e000 ChooseColorW
 0x40e004 GetOpenFileNameW

EAT (Export Address Table): none