Report - bank.exe

Tags: UPX, Malicious Library, DGA, DNS, Socket, Create Service, Sniff Audio, Escalate privileges, KeyLogger, Code injection, HTTP, Internet API, FTP, ScreenShot, Http API, Steal credential, Downloader, P2P, AntiDebug, AntiVM, PE File, PE32
Created: 2021.08.10 17:52
Machine: s1_win7_x6401
Filename: bank.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 2
Behavior Score: 10.4
ZERO API (file): malware
VT API (file): 34 detected (AIDetect, malware2, Androm, malicious, high confidence, score, GenericRXAA, NKGT, EPXQ, Remcos, GenericKD, RATX, DownLoader41, AdwareDealPly, Outbreak, Fareit, ai score=82, R002H0DHA21, Static AI, Malicious PE, Unsafe, Kryptik, confidence)
md5: e92cb564767afb2d59b12ecfc97ed86a
sha256: dcfbcb0018eb4a0bcca81d7990bde125541b7c9de20c16142ba46140261a0b0d
ssdeep: 12288:SnE1eDMrSuUFA+/ARNb43cRuM7bUwYgsI4pR8/CH3eVgfm+7p:42HfUG+oRNb43chyXI4pR0U3eY
imphash: 64b99ed56fe51c14a44881c90ac9ff50
impfuzzy: 192:o13MDbuuaxSUvK9ksoHXEpu7uv8DF1QnPbOQk:C3maq9uT1wPbOQk

Signatures (22)

Level Description
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Creates a thread using CreateRemoteThread in a non-child process indicative of process injection
watch Deletes executed files from disk
watch Installs itself for autorun at Windows startup
watch Manipulates memory of a non-child process indicative of process injection
watch Network activity contains more than one unique useragent
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
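The three "watch" injection signatures above (remote thread, memory writes and a resumed thread in a non-child process) all rest on one heuristic: relate the source and target of a cross-process operation to the process tree and treat a target the source did not spawn as the suspicious case. The following is an added illustration of that logic over constructed Sysmon-style events; it is not part of the report and the PIDs, image paths and severity labels are assumptions chosen to mirror the report's watch/notice levels.

```python
"""Flag remote-thread and memory-access injection into processes the injector
did not spawn. Added example; the events below are constructed, not captured."""
from dataclasses import dataclass

# Sysmon EID 10 GrantedAccess bits that matter for injection (Windows
# PROCESS_* access rights); query-only access is ignored.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed Sysmon-style events: EID 1 ProcessCreate, EID 8 CreateRemoteThread,
# EID 10 ProcessAccess. PIDs and paths are invented for the illustration.
EVENTS = [
    {"EventID": 1, "ProcessId": 1000, "ParentProcessId": 400, "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2400, "ParentProcessId": 1000, "Image": r"C:\Users\u\Downloads\bank.exe"},
    {"EventID": 1, "ProcessId": 2500, "ParentProcessId": 2400, "Image": r"C:\Users\u\Downloads\bank.exe"},
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\notepad.exe"},
    # full access to, then a thread started in, a process the sample did not spawn
    {"EventID": 10, "SourceProcessId": 2400, "TargetProcessId": 3100, "GrantedAccess": 0x1FFFFF},
    {"EventID": 8, "SourceProcessId": 2400, "TargetProcessId": 3100, "StartAddress": "0x00400000"},
    # the same API against its own child (the usual unpack-and-run): lower severity
    {"EventID": 8, "SourceProcessId": 2400, "TargetProcessId": 2500, "StartAddress": "0x00401000"},
    # query-only access from another process: not an injection primitive, filtered out
    {"EventID": 10, "SourceProcessId": 3100, "TargetProcessId": 2400, "GrantedAccess": 0x1000},
]


@dataclass(frozen=True)
class Finding:
    technique: str   # "remote_thread" (EID 8) or "process_access" (EID 10)
    source: int
    target: int
    relation: str    # "child", "non-child" or "unknown" (target creation not seen)
    level: str       # "watch" or "notice", mirroring the report's levels


def build_tree(events):
    """Map pid -> ProcessCreate event so parent relationships can be looked up."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def relation(tree, source, target):
    tgt = tree.get(target)
    if tgt is None:
        return "unknown"          # started before logging began: still worth a look
    return "child" if tgt["ParentProcessId"] == source else "non-child"


def detect_injection(events):
    tree = build_tree(events)
    findings = []
    for e in events:
        if e["EventID"] == 8:
            technique = "remote_thread"
        elif e["EventID"] == 10 and e["GrantedAccess"] & INJECT_ACCESS:
            technique = "process_access"
        else:
            continue
        rel = relation(tree, e["SourceProcessId"], e["TargetProcessId"])
        level = "notice" if rel == "child" else "watch"
        findings.append(Finding(technique, e["SourceProcessId"], e["TargetProcessId"], rel, level))
    return findings


def image_of(events, pid):
    return build_tree(events).get(pid, {}).get("Image", "<unknown>")


if __name__ == "__main__":
    for f in detect_injection(EVENTS):
        print(f"{f.level:6} {f.technique:15} {image_of(EVENTS, f.source)} -> "
              f"{image_of(EVENTS, f.target)} ({f.relation})")
```

The child/non-child split is what separates the report's "watch" findings from a packer that merely hollows or resumes its own child; a target whose creation was never logged is reported as "unknown" rather than silently treated as benign.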

Rules (38)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate privileges memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (9)

Request | CC | ASN | IPv4 | Verdict
https://apv5oq.sn.files.1drv.com/y4muXeUmSOr2eA8OAZv22ApcwBCduBInlnDD_iP2ohqHowwtZcujQFarcs7juK_0mSRbt6MJSbKteWevTHBIgiv6lJwPrMTfvY1ZebPr11dv0Jj63I1RU3a9kMWmQKSmYqgZFh1LLe2fAR8EZ-z8j-pWLadKuq6Z3fIVgXk84emHccp7oVXqMPta0w5zmX9fkWNqjQ12SMYb696eSzEeW3MLQ/Yjjd | US | MICROSOFT-CORP-MSN-AS-BLOCK | 13.107.42.12 | clean
https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21117&authkey=ALEWR7_oFnUkSBQ | US | MICROSOFT-CORP-MSN-AS-BLOCK | 13.107.42.13 | clean
https://apv5oq.sn.files.1drv.com/y4mqtDxi_yjQqMj7aLneNR5K2ag2n6a9B3s2vsguKxD6cq_pEbf-AoBavtlpqHoxXjnVTTRodHYAyAVwV2qMV3yT9FJF0ReIQscZaXQGrtQ_Qo0ZTxor0a01qx5w-nMorDgI-I4bWaoFPlMR2GfVgFSbCIl6ErQU5_nxjDMV0u2rSp5S7Vf6y3eFgoL5jbcc9J171z-sNGiboKZE27hENWiuQ/Yjjd | US | MICROSOFT-CORP-MSN-AS-BLOCK | 13.107.42.12 | clean
apv5oq.sn.files.1drv.com | US | MICROSOFT-CORP-MSN-AS-BLOCK | 13.107.42.12 | clean
onedrive.live.com | US | MICROSOFT-CORP-MSN-AS-BLOCK | 13.107.42.13 | malicious
twistednerd.dvrlists.com | SE | IP-Only Networks AB | 62.102.148.130 | malicious
13.107.42.13 | US | MICROSOFT-CORP-MSN-AS-BLOCK | 13.107.42.13 | malicious
13.107.42.12 | US | MICROSOFT-CORP-MSN-AS-BLOCK | 13.107.42.12 | malware
62.102.148.130 | SE | IP-Only Networks AB | 62.102.148.130 | clean

The two 13.107.42.x addresses and the onedrive.live.com / files.1drv.com hosts are shared Microsoft OneDrive infrastructure (see the ASN column), so their verdicts reflect the reputation of shared endpoints rather than anything specific to this sample. The sample-specific indicators are the OneDrive download URL (cid=D6676A9A61E841F3, resid=D6676A9A61E841F3%21117), from which the second stage was fetched, and the dedicated host twistednerd.dvrlists.com (62.102.148.130 at the time of analysis).
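The indicators in the Network table are not equally actionable: the dedicated C2 host is a strong match on its own, the IP behind it is weaker because addresses get reassigned, and the OneDrive hosts and Microsoft front-end IPs only become meaningful when the request carries the specific cid/resid of the staged file. The following is an added illustration of that weighting applied to constructed proxy log lines; it is not part of the report. The log format, the confidence labels, the client addresses and the shortened 1drv.com path are assumptions; the cid, resid, authkey, hosts and IPs are taken from the table above. It also counts user agents per client, the measure behind the report's "more than one unique useragent" signature.

```python
"""Match proxy log records against the report's network indicators, weighting
shared OneDrive infrastructure below the sample-specific file and the C2 host.
Added example; the log lines are constructed, not captured."""
import shlex
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the report's Network table; confidence is an assumed weighting.
C2_DOMAINS = {"twistednerd.dvrlists.com": "high"}   # dedicated host: actionable on its own
C2_IPS = {"62.102.148.130": "medium"}               # address behind it; IPs get reassigned
SHARED_IPS = {"13.107.42.12", "13.107.42.13"}        # Microsoft OneDrive front ends
STAGER_CID = "D6676A9A61E841F3"                      # OneDrive share the stage was pulled from
STAGER_RESID = "D6676A9A61E841F3!117"                # the report shows this as resid=...%21117

# Constructed log: "<ts> <client> <host> <dst_ip> <method> <path> <user-agent>".
SAMPLE_LOG = """\
2021-08-10T17:52:03Z 10.0.0.5 onedrive.live.com 13.107.42.13 GET "/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21117&authkey=ALEWR7_oFnUkSBQ" "Mozilla/4.0"
2021-08-10T17:52:04Z 10.0.0.5 apv5oq.sn.files.1drv.com 13.107.42.12 GET "/y4mshortened/Yjjd" "Mozilla/4.0"
2021-08-10T17:53:10Z 10.0.0.5 twistednerd.dvrlists.com 62.102.148.130 CONNECT "-" "Mozilla/5.0"
2021-08-10T18:01:00Z 10.0.0.7 onedrive.live.com 13.107.42.13 GET "/download?cid=AAAABBBBCCCCDDDD&resid=AAAABBBBCCCCDDDD%21004" "Mozilla/5.0"
2021-08-10T18:05:00Z 10.0.0.7 www.example.com 93.184.216.34 GET "/" "Mozilla/5.0"
"""


def is_shared_onedrive(host, ip):
    return ip in SHARED_IPS or host == "onedrive.live.com" or host.endswith(".files.1drv.com")


def classify(host, ip, path):
    """Return (indicator, confidence) for one record, or None if nothing matched."""
    for dom, conf in C2_DOMAINS.items():
        if host == dom or host.endswith("." + dom):
            return dom, conf
    if ip in C2_IPS:
        return ip, C2_IPS[ip]
    if is_shared_onedrive(host, ip):
        q = parse_qs(urlsplit(path).query)          # parse_qs percent-decodes (%21 -> !)
        if q.get("cid") == [STAGER_CID] and q.get("resid") == [STAGER_RESID]:
            return f"onedrive cid={STAGER_CID} resid={STAGER_RESID}", "high"
        return host, "low"                          # shared CDN: context only, not actionable alone
    return None


def parse_line(line):
    ts, client, host, ip, method, path, ua = shlex.split(line)
    return {"ts": ts, "client": client, "host": host.lower(), "ip": ip,
            "method": method, "path": path, "ua": ua}


def scan(log_text):
    """Return one hit per matching record with the indicator and its confidence."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        match = classify(rec["host"], rec["ip"], rec["path"])
        if match:
            hits.append({"line": n, "client": rec["client"],
                         "indicator": match[0], "confidence": match[1]})
    return hits


def user_agents_per_client(log_text):
    """Distinct User-Agent strings per client; more than one from a single host is a tell."""
    uas = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            uas[rec["client"]].add(rec["ua"])
    return {client: sorted(s) for client, s in uas.items()}


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: {h['client']} {h['confidence']:6} {h['indicator']}")
    for client, uas in user_agents_per_client(SAMPLE_LOG).items():
        print(f"{client}: {len(uas)} user agent(s)")
```

Matching the OneDrive URL on the decoded cid/resid pair rather than on the hostname is what keeps ordinary OneDrive traffic from the same front-end IPs out of the high-confidence bucket.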

Suricata IDS alerts: none listed

PE API

IAT (Import Address Table)

The imports listed here are those of the outer executable, not of the stage it injects. The oleaut32 SysFreeString/SysReAllocStringLen/SysAllocStringLen block followed by advapi32 registry calls, user32 GetKeyboardType and kernel32 GetACP is the standard Delphi (Borland VCL) runtime import order. None of the injection APIs the signatures above report (CreateRemoteThread, remote memory writes, resuming a suspended remote thread) appears in the table; they are resolved at run time through the imported LoadLibraryA/GetProcAddress, so a static import review of this file understates its capability.

oleaut32.dll
 0x4a47c8 SysFreeString
 0x4a47cc SysReAllocStringLen
 0x4a47d0 SysAllocStringLen
advapi32.dll
 0x4a47d8 RegQueryValueExA
 0x4a47dc RegOpenKeyExA
 0x4a47e0 RegCloseKey
user32.dll
 0x4a47e8 GetKeyboardType
 0x4a47ec DestroyWindow
 0x4a47f0 LoadStringA
 0x4a47f4 MessageBoxA
 0x4a47f8 CharNextA
kernel32.dll
 0x4a4800 GetACP
 0x4a4804 Sleep
 0x4a4808 VirtualFree
 0x4a480c VirtualAlloc
 0x4a4810 GetCurrentThreadId
 0x4a4814 InterlockedDecrement
 0x4a4818 InterlockedIncrement
 0x4a481c VirtualQuery
 0x4a4820 WideCharToMultiByte
 0x4a4824 MultiByteToWideChar
 0x4a4828 lstrlenA
 0x4a482c lstrcpynA
 0x4a4830 LoadLibraryExA
 0x4a4834 GetThreadLocale
 0x4a4838 GetStartupInfoA
 0x4a483c GetProcAddress
 0x4a4840 GetModuleHandleA
 0x4a4844 GetModuleFileNameA
 0x4a4848 GetLocaleInfoA
 0x4a484c GetCommandLineA
 0x4a4850 FreeLibrary
 0x4a4854 FindFirstFileA
 0x4a4858 FindClose
 0x4a485c ExitProcess
 0x4a4860 CompareStringA
 0x4a4864 WriteFile
 0x4a4868 UnhandledExceptionFilter
 0x4a486c RtlUnwind
 0x4a4870 RaiseException
 0x4a4874 GetStdHandle
kernel32.dll
 0x4a487c TlsSetValue
 0x4a4880 TlsGetValue
 0x4a4884 LocalAlloc
 0x4a4888 GetModuleHandleA
user32.dll
 0x4a4890 CreateWindowExA
 0x4a4894 WindowFromPoint
 0x4a4898 WaitMessage
 0x4a489c UpdateWindow
 0x4a48a0 UnregisterClassA
 0x4a48a4 UnhookWindowsHookEx
 0x4a48a8 TranslateMessage
 0x4a48ac TranslateMDISysAccel
 0x4a48b0 TrackPopupMenu
 0x4a48b4 SystemParametersInfoA
 0x4a48b8 ShowWindow
 0x4a48bc ShowScrollBar
 0x4a48c0 ShowOwnedPopups
 0x4a48c4 SetWindowsHookExA
 0x4a48c8 SetWindowTextA
 0x4a48cc SetWindowPos
 0x4a48d0 SetWindowPlacement
 0x4a48d4 SetWindowLongW
 0x4a48d8 SetWindowLongA
 0x4a48dc SetTimer
 0x4a48e0 SetScrollRange
 0x4a48e4 SetScrollPos
 0x4a48e8 SetScrollInfo
 0x4a48ec SetRect
 0x4a48f0 SetPropA
 0x4a48f4 SetParent
 0x4a48f8 SetMenuItemInfoA
 0x4a48fc SetMenu
 0x4a4900 SetForegroundWindow
 0x4a4904 SetFocus
 0x4a4908 SetCursor
 0x4a490c SetClassLongA
 0x4a4910 SetCapture
 0x4a4914 SetActiveWindow
 0x4a4918 SendMessageW
 0x4a491c SendMessageA
 0x4a4920 ScrollWindow
 0x4a4924 ScreenToClient
 0x4a4928 RemovePropA
 0x4a492c RemoveMenu
 0x4a4930 ReleaseDC
 0x4a4934 ReleaseCapture
 0x4a4938 RegisterWindowMessageA
 0x4a493c RegisterClipboardFormatA
 0x4a4940 RegisterClassA
 0x4a4944 RedrawWindow
 0x4a4948 PtInRect
 0x4a494c PostQuitMessage
 0x4a4950 PostMessageA
 0x4a4954 PeekMessageW
 0x4a4958 PeekMessageA
 0x4a495c OffsetRect
 0x4a4960 OemToCharA
 0x4a4964 MessageBoxA
 0x4a4968 MapWindowPoints
 0x4a496c MapVirtualKeyA
 0x4a4970 LoadStringA
 0x4a4974 LoadKeyboardLayoutA
 0x4a4978 LoadIconA
 0x4a497c LoadCursorA
 0x4a4980 LoadBitmapA
 0x4a4984 KillTimer
 0x4a4988 IsZoomed
 0x4a498c IsWindowVisible
 0x4a4990 IsWindowUnicode
 0x4a4994 IsWindowEnabled
 0x4a4998 IsWindow
 0x4a499c IsRectEmpty
 0x4a49a0 IsIconic
 0x4a49a4 IsDialogMessageW
 0x4a49a8 IsDialogMessageA
 0x4a49ac IsChild
 0x4a49b0 InvalidateRect
 0x4a49b4 IntersectRect
 0x4a49b8 InsertMenuItemA
 0x4a49bc InsertMenuA
 0x4a49c0 InflateRect
 0x4a49c4 GetWindowThreadProcessId
 0x4a49c8 GetWindowTextA
 0x4a49cc GetWindowRect
 0x4a49d0 GetWindowPlacement
 0x4a49d4 GetWindowLongW
 0x4a49d8 GetWindowLongA
 0x4a49dc GetWindowDC
 0x4a49e0 GetTopWindow
 0x4a49e4 GetSystemMetrics
 0x4a49e8 GetSystemMenu
 0x4a49ec GetSysColorBrush
 0x4a49f0 GetSysColor
 0x4a49f4 GetSubMenu
 0x4a49f8 GetScrollRange
 0x4a49fc GetScrollPos
 0x4a4a00 GetScrollInfo
 0x4a4a04 GetPropA
 0x4a4a08 GetParent
 0x4a4a0c GetWindow
 0x4a4a10 GetMessageTime
 0x4a4a14 GetMessagePos
 0x4a4a18 GetMenuStringA
 0x4a4a1c GetMenuState
 0x4a4a20 GetMenuItemInfoA
 0x4a4a24 GetMenuItemID
 0x4a4a28 GetMenuItemCount
 0x4a4a2c GetMenu
 0x4a4a30 GetLastActivePopup
 0x4a4a34 GetKeyboardState
 0x4a4a38 GetKeyboardLayoutNameA
 0x4a4a3c GetKeyboardLayoutList
 0x4a4a40 GetKeyboardLayout
 0x4a4a44 GetKeyState
 0x4a4a48 GetKeyNameTextA
 0x4a4a4c GetIconInfo
 0x4a4a50 GetForegroundWindow
 0x4a4a54 GetFocus
 0x4a4a58 GetDesktopWindow
 0x4a4a5c GetDCEx
 0x4a4a60 GetDC
 0x4a4a64 GetCursorPos
 0x4a4a68 GetCursor
 0x4a4a6c GetClipboardData
 0x4a4a70 GetClientRect
 0x4a4a74 GetClassLongA
 0x4a4a78 GetClassInfoA
 0x4a4a7c GetCapture
 0x4a4a80 GetActiveWindow
 0x4a4a84 FrameRect
 0x4a4a88 FindWindowA
 0x4a4a8c FillRect
 0x4a4a90 EqualRect
 0x4a4a94 EnumWindows
 0x4a4a98 EnumThreadWindows
 0x4a4a9c EnumChildWindows
 0x4a4aa0 EndPaint
 0x4a4aa4 EnableWindow
 0x4a4aa8 EnableScrollBar
 0x4a4aac EnableMenuItem
 0x4a4ab0 DrawTextA
 0x4a4ab4 DrawMenuBar
 0x4a4ab8 DrawIconEx
 0x4a4abc DrawIcon
 0x4a4ac0 DrawFrameControl
 0x4a4ac4 DrawEdge
 0x4a4ac8 DispatchMessageW
 0x4a4acc DispatchMessageA
 0x4a4ad0 DestroyWindow
 0x4a4ad4 DestroyMenu
 0x4a4ad8 DestroyIcon
 0x4a4adc DestroyCursor
 0x4a4ae0 DeleteMenu
 0x4a4ae4 DefWindowProcA
 0x4a4ae8 DefMDIChildProcA
 0x4a4aec DefFrameProcA
 0x4a4af0 CreatePopupMenu
 0x4a4af4 CreateMenu
 0x4a4af8 CreateIcon
 0x4a4afc ClientToScreen
 0x4a4b00 CheckMenuItem
 0x4a4b04 CharNextW
 0x4a4b08 CallWindowProcA
 0x4a4b0c CallNextHookEx
 0x4a4b10 BeginPaint
 0x4a4b14 CharNextA
 0x4a4b18 CharLowerBuffA
 0x4a4b1c CharLowerA
 0x4a4b20 CharUpperBuffA
 0x4a4b24 CharToOemA
 0x4a4b28 AdjustWindowRectEx
 0x4a4b2c ActivateKeyboardLayout
gdi32.dll
 0x4a4b34 UnrealizeObject
 0x4a4b38 StretchBlt
 0x4a4b3c SetWindowOrgEx
 0x4a4b40 SetWinMetaFileBits
 0x4a4b44 SetViewportOrgEx
 0x4a4b48 SetTextColor
 0x4a4b4c SetStretchBltMode
 0x4a4b50 SetROP2
 0x4a4b54 SetPixel
 0x4a4b58 SetMapMode
 0x4a4b5c SetEnhMetaFileBits
 0x4a4b60 SetDIBColorTable
 0x4a4b64 SetBrushOrgEx
 0x4a4b68 SetBkMode
 0x4a4b6c SetBkColor
 0x4a4b70 SelectPalette
 0x4a4b74 SelectObject
 0x4a4b78 SelectClipRgn
 0x4a4b7c SaveDC
 0x4a4b80 RestoreDC
 0x4a4b84 Rectangle
 0x4a4b88 RectVisible
 0x4a4b8c RealizePalette
 0x4a4b90 Polyline
 0x4a4b94 PlayEnhMetaFile
 0x4a4b98 PatBlt
 0x4a4b9c MoveToEx
 0x4a4ba0 MaskBlt
 0x4a4ba4 LineTo
 0x4a4ba8 LPtoDP
 0x4a4bac IntersectClipRect
 0x4a4bb0 GetWindowOrgEx
 0x4a4bb4 GetWinMetaFileBits
 0x4a4bb8 GetTextMetricsA
 0x4a4bbc GetTextExtentPoint32A
 0x4a4bc0 GetSystemPaletteEntries
 0x4a4bc4 GetStockObject
 0x4a4bc8 GetRgnBox
 0x4a4bcc GetPixel
 0x4a4bd0 GetPaletteEntries
 0x4a4bd4 GetObjectA
 0x4a4bd8 GetEnhMetaFilePaletteEntries
 0x4a4bdc GetEnhMetaFileHeader
 0x4a4be0 GetEnhMetaFileDescriptionA
 0x4a4be4 GetEnhMetaFileBits
 0x4a4be8 GetDeviceCaps
 0x4a4bec GetDIBits
 0x4a4bf0 GetDIBColorTable
 0x4a4bf4 GetDCOrgEx
 0x4a4bf8 GetCurrentPositionEx
 0x4a4bfc GetClipBox
 0x4a4c00 GetBrushOrgEx
 0x4a4c04 GetBitmapBits
 0x4a4c08 ExcludeClipRect
 0x4a4c0c DeleteObject
 0x4a4c10 DeleteEnhMetaFile
 0x4a4c14 DeleteDC
 0x4a4c18 CreateSolidBrush
 0x4a4c1c CreatePenIndirect
 0x4a4c20 CreatePalette
 0x4a4c24 CreateHalftonePalette
 0x4a4c28 CreateFontIndirectA
 0x4a4c2c CreateEnhMetaFileA
 0x4a4c30 CreateDIBitmap
 0x4a4c34 CreateDIBSection
 0x4a4c38 CreateCompatibleDC
 0x4a4c3c CreateCompatibleBitmap
 0x4a4c40 CreateBrushIndirect
 0x4a4c44 CreateBitmap
 0x4a4c48 CopyEnhMetaFileA
 0x4a4c4c CloseEnhMetaFile
 0x4a4c50 BitBlt
version.dll
 0x4a4c58 VerQueryValueA
 0x4a4c5c GetFileVersionInfoSizeA
 0x4a4c60 GetFileVersionInfoA
kernel32.dll
 0x4a4c68 lstrcpyA
 0x4a4c6c lstrcmpiA
 0x4a4c70 WriteFile
 0x4a4c74 WaitForSingleObject
 0x4a4c78 VirtualQuery
 0x4a4c7c VirtualProtect
 0x4a4c80 VirtualAlloc
 0x4a4c84 SizeofResource
 0x4a4c88 SetThreadLocale
 0x4a4c8c SetFilePointer
 0x4a4c90 SetEvent
 0x4a4c94 SetErrorMode
 0x4a4c98 SetEndOfFile
 0x4a4c9c ResetEvent
 0x4a4ca0 ReadFile
 0x4a4ca4 MultiByteToWideChar
 0x4a4ca8 MulDiv
 0x4a4cac LockResource
 0x4a4cb0 LoadResource
 0x4a4cb4 LoadLibraryA
 0x4a4cb8 LeaveCriticalSection
 0x4a4cbc InitializeCriticalSection
 0x4a4cc0 GlobalUnlock
 0x4a4cc4 GlobalSize
 0x4a4cc8 GlobalLock
 0x4a4ccc GlobalFree
 0x4a4cd0 GlobalFindAtomA
 0x4a4cd4 GlobalDeleteAtom
 0x4a4cd8 GlobalAlloc
 0x4a4cdc GlobalAddAtomA
 0x4a4ce0 GetVersionExA
 0x4a4ce4 GetVersion
 0x4a4ce8 GetUserDefaultLCID
 0x4a4cec GetTickCount
 0x4a4cf0 GetThreadLocale
 0x4a4cf4 GetStdHandle
 0x4a4cf8 GetProcAddress
 0x4a4cfc GetModuleHandleA
 0x4a4d00 GetModuleFileNameA
 0x4a4d04 GetLocaleInfoA
 0x4a4d08 GetLocalTime
 0x4a4d0c GetLastError
 0x4a4d10 GetFullPathNameA
 0x4a4d14 GetDiskFreeSpaceA
 0x4a4d18 GetDateFormatA
 0x4a4d1c GetCurrentThreadId
 0x4a4d20 GetCurrentProcessId
 0x4a4d24 GetComputerNameA
 0x4a4d28 GetCPInfo
 0x4a4d2c FreeResource
 0x4a4d30 InterlockedExchange
 0x4a4d34 FreeLibrary
 0x4a4d38 FormatMessageA
 0x4a4d3c FindResourceA
 0x4a4d40 EnumCalendarInfoA
 0x4a4d44 EnterCriticalSection
 0x4a4d48 DeleteCriticalSection
 0x4a4d4c CreateThread
 0x4a4d50 CreateFileA
 0x4a4d54 CreateEventA
 0x4a4d58 CompareStringA
 0x4a4d5c CloseHandle
advapi32.dll
 0x4a4d64 RegQueryValueExA
 0x4a4d68 RegOpenKeyExA
 0x4a4d6c RegFlushKey
 0x4a4d70 RegCloseKey
oleaut32.dll
 0x4a4d78 GetErrorInfo
 0x4a4d7c GetActiveObject
 0x4a4d80 SysFreeString
ole32.dll
 0x4a4d88 CreateStreamOnHGlobal
 0x4a4d8c IsAccelerator
 0x4a4d90 OleDraw
 0x4a4d94 OleSetMenuDescriptor
 0x4a4d98 CoTaskMemFree
 0x4a4d9c ProgIDFromCLSID
 0x4a4da0 StringFromCLSID
 0x4a4da4 CoCreateInstance
 0x4a4da8 CoGetClassObject
 0x4a4dac CoUninitialize
 0x4a4db0 CoInitialize
 0x4a4db4 IsEqualGUID
kernel32.dll
 0x4a4dbc Sleep
oleaut32.dll
 0x4a4dc4 SafeArrayPtrOfIndex
 0x4a4dc8 SafeArrayPutElement
 0x4a4dcc SafeArrayGetElement
 0x4a4dd0 SafeArrayUnaccessData
 0x4a4dd4 SafeArrayAccessData
 0x4a4dd8 SafeArrayGetUBound
 0x4a4ddc SafeArrayGetLBound
 0x4a4de0 SafeArrayCreate
 0x4a4de4 VariantChangeType
 0x4a4de8 VariantCopyInd
 0x4a4dec VariantCopy
 0x4a4df0 VariantClear
 0x4a4df4 VariantInit
comctl32.dll
 0x4a4dfc _TrackMouseEvent
 0x4a4e00 ImageList_SetIconSize
 0x4a4e04 ImageList_GetIconSize
 0x4a4e08 ImageList_Write
 0x4a4e0c ImageList_Read
 0x4a4e10 ImageList_DragShowNolock
 0x4a4e14 ImageList_DragMove
 0x4a4e18 ImageList_DragLeave
 0x4a4e1c ImageList_DragEnter
 0x4a4e20 ImageList_EndDrag
 0x4a4e24 ImageList_BeginDrag
 0x4a4e28 ImageList_Remove
 0x4a4e2c ImageList_DrawEx
 0x4a4e30 ImageList_Draw
 0x4a4e34 ImageList_GetBkColor
 0x4a4e38 ImageList_SetBkColor
 0x4a4e3c ImageList_Add
 0x4a4e40 ImageList_GetImageCount
 0x4a4e44 ImageList_Destroy
 0x4a4e48 ImageList_Create

EAT (Export Address Table): none
