Report - askinstall53.exe

Gen2 Trojan_PWS_Stealer NPKI Emotet RAT Credential User Data Generic Malware UPX Malicious Packer Malicious Library SQLite Cookie Admin Tool (Sysinternals etc ...) Anti_VM ASPack Antivirus OS Processor Check PE File PE32 ELF PNG Format PE64 DLL MSOffic
ScreenShot
Created 2021.08.07 14:02 Machine s1_win7_x6402
Filename askinstall53.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
2
Behavior Score
11.8
ZERO API file : malware
VT API (file) 51 detected (AIDetect, malware2, malicious, high confidence, Zusy, DisbukRI, S19305183, GenericRXLT, Unsafe, Save, Socelars, GKGU, Attribute, HighConfidence, Razy, PWSX, R + Troj, BGVO, Siggen13, R002C0DH321, asxw, AGEN, kcloud, MigratedCloud, score, R372531, ZexaF, z10@aqJUe5pj, ai score=80, BScope, Agentb, Glupteba, Bruteforce, FBAdsCard, CLASSIC, LakI5Od7RMQ, Static AI, Suspicious PE, confidence, 100%, HgIASZsA)
md5 9192eed4f3433a1fe590754041c0a0cf
sha256 47d35b344cc8c6ef8e8ae82899655f0f1010d2af4f3c0413e124b9ae94378362
ssdeep 24576:M8TJtpd95n1HCEei6gFT/L+V3F+kyRejskFL/whBZhnHo4Sad5RKr00z4drPC6ew:jJtpx1iErFrLK3F7QojUnHo4Sa0r00i7
imphash 4f0608b5638c60342069764638589dcf
impfuzzy 48:/XV+FLa0DZuBGRMUS0LES9wYQJcGtp48+9faOwOe6mxvmYBOvyzy:/XAFuEjRMr0LESBQJcGtp43ta736mxOP
  Network IP location

Signature (30cnts)

Level Description
danger File has been identified by 51 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Drops 67 unknown file mime types indicative of ransomware writing encrypted files back to disk
watch One or more non-whitelisted processes were created
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Terminates another process
notice Uses Windows utilities for basic Windows functionality
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path
info Tries to locate where the browsers are installed

Rules (33cnts)

Level Name Description Collection
danger NPKI_Zero File included NPKI binaries (download)
danger Trojan_PWS_Stealer_1_Zero Trojan.PWS.Stealer Zero binaries (upload)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_1_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
warning Credential_User_Data_Check_Zero Credential User Data Check binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch ASPack_Zero ASPack packed file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch SQLite_cookies_Check_Zero SQLite Cookie Check... select binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info IsDLL (no description) binaries (download)
info IsELF Executable and Linking Format executable file (Linux/Unix) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (13cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.nincefcs.xyz/Home/Index/lkdinl RU TimeWeb Ltd. 188.225.87.175 3618 mailcious
http://www.iyiqian.com/ Unknown 103.155.92.58 2326 mailcious
https://iplogger.org/1Z7qd7 DE Hetzner Online GmbH 88.99.66.31 clean
https://www.listincode.com/ US AS-CHOOPA 144.202.76.47 2327 mailcious
www.listincode.com US AS-CHOOPA 144.202.76.47 mailcious
www.nincefcs.xyz RU TimeWeb Ltd. 188.225.87.175 mailcious
www.iyiqian.com Unknown 103.155.92.58 mailcious
iplogger.org DE Hetzner Online GmbH 88.99.66.31 mailcious
88.99.66.31 DE Hetzner Online GmbH 88.99.66.31 mailcious
144.202.76.47 US AS-CHOOPA 144.202.76.47 mailcious
188.225.87.175 RU TimeWeb Ltd. 188.225.87.175 mailcious
45.227.253.62 PA Global Layer B.V. 45.227.253.62 malware
103.155.92.58 Unknown 103.155.92.58 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x50e050 LocalAlloc
 0x50e054 LocalFree
 0x50e058 WinExec
 0x50e05c GetComputerNameW
 0x50e060 GetModuleFileNameA
 0x50e064 GetCurrentProcessId
 0x50e068 OpenProcess
 0x50e06c GetModuleFileNameW
 0x50e070 SetLastError
 0x50e074 GetCurrentThread
 0x50e078 FindResourceW
 0x50e07c GetPrivateProfileStringW
 0x50e080 CopyFileW
 0x50e084 SetStdHandle
 0x50e088 SetEnvironmentVariableW
 0x50e08c FreeEnvironmentStringsW
 0x50e090 GetEnvironmentStringsW
 0x50e094 GetOEMCP
 0x50e098 SizeofResource
 0x50e09c CreateProcessA
 0x50e0a0 LockResource
 0x50e0a4 LoadResource
 0x50e0a8 FreeLibrary
 0x50e0ac GetTickCount
 0x50e0b0 TerminateProcess
 0x50e0b4 Sleep
 0x50e0b8 WaitForSingleObject
 0x50e0bc GetProcessHeap
 0x50e0c0 HeapAlloc
 0x50e0c4 GetLastError
 0x50e0c8 GetTempPathA
 0x50e0cc CreateDirectoryA
 0x50e0d0 SetCurrentDirectoryW
 0x50e0d4 GetShortPathNameA
 0x50e0d8 LoadLibraryW
 0x50e0dc GetProcAddress
 0x50e0e0 WideCharToMultiByte
 0x50e0e4 MultiByteToWideChar
 0x50e0e8 SystemTimeToFileTime
 0x50e0ec DosDateTimeToFileTime
 0x50e0f0 GetCurrentProcess
 0x50e0f4 DuplicateHandle
 0x50e0f8 CloseHandle
 0x50e0fc WriteFile
 0x50e100 SetFileTime
 0x50e104 SetFilePointer
 0x50e108 ReadFile
 0x50e10c GetFileType
 0x50e110 CreateFileW
 0x50e114 CreateDirectoryW
 0x50e118 CreateEventW
 0x50e11c GetCurrentDirectoryW
 0x50e120 GetACP
 0x50e124 IsValidCodePage
 0x50e128 FindNextFileW
 0x50e12c FindFirstFileExW
 0x50e130 FindClose
 0x50e134 GetTimeZoneInformation
 0x50e138 GetFileSizeEx
 0x50e13c GetConsoleCP
 0x50e140 SetFilePointerEx
 0x50e144 ReadConsoleW
 0x50e148 GetConsoleMode
 0x50e14c EnumSystemLocalesW
 0x50e150 GetUserDefaultLCID
 0x50e154 IsValidLocale
 0x50e158 GetCommandLineW
 0x50e15c GetCommandLineA
 0x50e160 GetStdHandle
 0x50e164 ExitProcess
 0x50e168 GetModuleHandleExW
 0x50e16c FreeLibraryAndExitThread
 0x50e170 ExitThread
 0x50e174 CreateThread
 0x50e178 LoadLibraryExW
 0x50e17c RtlUnwind
 0x50e180 RaiseException
 0x50e184 GetStringTypeW
 0x50e188 GetLocaleInfoW
 0x50e18c LCMapStringW
 0x50e190 CompareStringW
 0x50e194 GetCPInfo
 0x50e198 TlsFree
 0x50e19c WriteConsoleW
 0x50e1a0 TlsSetValue
 0x50e1a4 TlsGetValue
 0x50e1a8 TlsAlloc
 0x50e1ac SwitchToThread
 0x50e1b0 DecodePointer
 0x50e1b4 EncodePointer
 0x50e1b8 InitializeSListHead
 0x50e1bc GetStartupInfoW
 0x50e1c0 IsDebuggerPresent
 0x50e1c4 GetModuleHandleW
 0x50e1c8 ResetEvent
 0x50e1cc SetEvent
 0x50e1d0 InitializeCriticalSectionAndSpinCount
 0x50e1d4 IsProcessorFeaturePresent
 0x50e1d8 SetUnhandledExceptionFilter
 0x50e1dc UnhandledExceptionFilter
 0x50e1e0 FlushFileBuffers
 0x50e1e4 QueryPerformanceCounter
 0x50e1e8 MapViewOfFile
 0x50e1ec CreateFileMappingW
 0x50e1f0 FormatMessageA
 0x50e1f4 GetSystemTime
 0x50e1f8 GetSystemTimeAsFileTime
 0x50e1fc AreFileApisANSI
 0x50e200 TryEnterCriticalSection
 0x50e204 HeapCreate
 0x50e208 HeapFree
 0x50e20c EnterCriticalSection
 0x50e210 GetFullPathNameW
 0x50e214 GetDiskFreeSpaceW
 0x50e218 OutputDebugStringA
 0x50e21c LockFile
 0x50e220 LeaveCriticalSection
 0x50e224 InitializeCriticalSection
 0x50e228 GetFullPathNameA
 0x50e22c SetEndOfFile
 0x50e230 UnlockFileEx
 0x50e234 GetTempPathW
 0x50e238 CreateMutexW
 0x50e23c GetFileAttributesW
 0x50e240 GetCurrentThreadId
 0x50e244 UnmapViewOfFile
 0x50e248 HeapValidate
 0x50e24c HeapSize
 0x50e250 FormatMessageW
 0x50e254 GetDiskFreeSpaceA
 0x50e258 GetFileAttributesA
 0x50e25c GetFileAttributesExW
 0x50e260 OutputDebugStringW
 0x50e264 FlushViewOfFile
 0x50e268 CreateFileA
 0x50e26c LoadLibraryA
 0x50e270 WaitForSingleObjectEx
 0x50e274 DeleteFileA
 0x50e278 DeleteFileW
 0x50e27c HeapReAlloc
 0x50e280 GetSystemInfo
 0x50e284 HeapCompact
 0x50e288 HeapDestroy
 0x50e28c UnlockFile
 0x50e290 LockFileEx
 0x50e294 GetFileSize
 0x50e298 DeleteCriticalSection
ADVAPI32.dll
 0x50e000 LookupPrivilegeValueW
 0x50e004 AdjustTokenPrivileges
 0x50e008 LookupAccountNameW
 0x50e00c SetSecurityDescriptorOwner
 0x50e010 SetSecurityDescriptorGroup
 0x50e014 SetSecurityDescriptorDacl
 0x50e018 IsValidSecurityDescriptor
 0x50e01c InitializeSecurityDescriptor
 0x50e020 InitializeAcl
 0x50e024 GetTokenInformation
 0x50e028 GetLengthSid
 0x50e02c FreeSid
 0x50e030 EqualSid
 0x50e034 DuplicateToken
 0x50e038 AllocateAndInitializeSid
 0x50e03c AddAccessAllowedAce
 0x50e040 AccessCheck
 0x50e044 OpenThreadToken
 0x50e048 OpenProcessToken
SHELL32.dll
 0x50e2a8 ShellExecuteExA
ole32.dll
 0x50e2fc CoInitializeEx
 0x50e300 CoGetObject
 0x50e304 CoUninitialize
WININET.dll
 0x50e2b0 InternetGetCookieExA
NETAPI32.dll
 0x50e2a0 Netbios
ntdll.dll
 0x50e2b8 RtlInitUnicodeString
 0x50e2bc NtFreeVirtualMemory
 0x50e2c0 LdrEnumerateLoadedModules
 0x50e2c4 RtlEqualUnicodeString
 0x50e2c8 RtlAcquirePebLock
 0x50e2cc NtAllocateVirtualMemory
 0x50e2d0 RtlReleasePebLock
 0x50e2d4 RtlNtStatusToDosError
 0x50e2d8 RtlCreateHeap
 0x50e2dc RtlDestroyHeap
 0x50e2e0 RtlAllocateHeap
 0x50e2e4 RtlFreeHeap
 0x50e2e8 NtClose
 0x50e2ec NtOpenKey
 0x50e2f0 NtEnumerateValueKey
 0x50e2f4 NtQueryValueKey

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure