popup

Report - 2.dll

UPX AntiDebug AntiVM PE File OS Processor Check DLL PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.17 13:36 Machine s1_win7_x6401
Filename 2.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
10.4
ZERO API file : malware
VT API (file) 6 detected (malicious, high confidence, Save, Wacatac, score, Static AI, Suspicious PE)
md5 37e26534b70abd664cfed4961ad6ecbf
sha256 22068c7cbb40c3149b694b5fca1675d95e7e12509b36fa37350c194737c6c1f9
ssdeep 12288:T8F4fHXi7upUbuedoBYi5SG//xm6e2vJQbPzSzTu1XLxh2w:g4aCdsjmHxw2vJ8S2FX2
imphash 9330bf385780db42e73f6bd2f0835d5b
impfuzzy 24:jXpOovivteJnc+eDo2Yu9E1B6vm0QTPX8yaBGMK2Cw3X9VLm:j8Bvt+c+K9Ev6vm0QTX8yEtKvum
  Network IP location

Signature (22cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice File has been identified by 6 AntiVirus engines on VirusTotal as malicious
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername

Rules (13cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (19cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/5/file/
whois
MY TM Net, Internet Service Provider 60.51.47.65 clean
https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/10/62/GHKKBYXXMBGPF/7/
whois
MY TM Net, Internet Service Provider 60.51.47.65 clean
https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/14/NAT%20status/client%20is%20behind%20NAT/0/
whois
MY TM Net, Internet Service Provider 60.51.47.65 clean
https://185.56.175.122/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/JykWxsK5VFuVU0IzRFQuDFfZ/
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
whois
MY TM Net, Internet Service Provider 60.51.47.65 clean
https://185.56.175.122/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CArhCatD3P7BP%5Cpb2lv.dmo/0/
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/14/user/test22/0/
whois
MY TM Net, Internet Service Provider 60.51.47.65 clean
https://ident.me/
whois
GB Linode, LLC 176.58.123.25 clean
https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/ldB1JbjZnVLztVnX55JJf5j/
whois
MY TM Net, Internet Service Provider 60.51.47.65 clean
https://36.66.188.251/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/5/pwgrabc64/
whois
ID PT Telekomunikasi Indonesia 36.66.188.251 clean
https://105.27.205.34/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/5/pwgrabb64/
whois
ZA SEACOM-AS 105.27.205.34 clean
ident.me
whois
GB Linode, LLC 176.58.123.25 clean
105.27.205.34
whois
ZA SEACOM-AS 105.27.205.34 mailcious
194.146.249.137
whois
PL Virtuaoperator Sp. z o.o. 194.146.249.137 mailcious
176.58.123.25
whois
GB Linode, LLC 176.58.123.25 clean
185.56.175.122
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 mailcious
60.51.47.65
whois
MY TM Net, Internet Service Provider 60.51.47.65 mailcious
79.106.115.107
whois
AL Albtelecom Sh.a. 79.106.115.107 clean
36.66.188.251
whois
ID PT Telekomunikasi Indonesia 36.66.188.251 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x1008a02c GlobalAlloc
 0x1008a030 GetFileSize
 0x1008a034 ExitProcess
 0x1008a038 HeapFree
 0x1008a03c GetCommandLineA
 0x1008a040 VirtualProtect
 0x1008a044 VirtualAlloc
 0x1008a048 RaiseException
 0x1008a04c IsDebuggerPresent
 0x1008a050 UnhandledExceptionFilter
 0x1008a054 SetUnhandledExceptionFilter
 0x1008a058 GetCurrentProcess
 0x1008a05c TerminateProcess
 0x1008a060 IsProcessorFeaturePresent
 0x1008a064 SetLastError
 0x1008a068 EnterCriticalSection
 0x1008a06c LeaveCriticalSection
 0x1008a070 TlsGetValue
 0x1008a074 FreeLibrary
 0x1008a078 GetProcAddress
 0x1008a07c LoadLibraryExW
 0x1008a080 LCMapStringW
 0x1008a084 IsValidCodePage
 0x1008a088 GetACP
 0x1008a08c GetOEMCP
 0x1008a090 GetCPInfo
 0x1008a094 GetModuleHandleW
 0x1008a098 GetModuleHandleExW
 0x1008a09c GetStringTypeW
 0x1008a0a0 MultiByteToWideChar
 0x1008a0a4 WideCharToMultiByte
 0x1008a0a8 WriteFile
 0x1008a0ac GetSystemTime
 0x1008a0b0 GetProcessHeap
 0x1008a0b4 CreateFileA
 0x1008a0b8 HeapAlloc
 0x1008a0bc CloseHandle
 0x1008a0c0 GetLastError
 0x1008a0c4 TlsSetValue
 0x1008a0c8 lstrcmpA
 0x1008a0cc RtlUnwind
USER32.dll
 0x1008a0d4 CreatePopupMenu
 0x1008a0d8 DeleteMenu
 0x1008a0dc GetMenu
 0x1008a0e0 LoadMenuA
 0x1008a0e4 SetMenu
 0x1008a0e8 RegisterClassA
 0x1008a0ec DrawMenuBar
 0x1008a0f0 AppendMenuA
 0x1008a0f4 EnableMenuItem
 0x1008a0f8 GetMenuStringA
 0x1008a0fc CreateMenu
 0x1008a100 InsertMenuItemA
 0x1008a104 ShowWindow
 0x1008a108 FindWindowA
 0x1008a10c MessageBoxA
 0x1008a110 DestroyMenu
GDI32.dll
 0x1008a010 SetBkMode
 0x1008a014 CreateFontIndirectA
 0x1008a018 SetBkColor
 0x1008a01c DeleteObject
 0x1008a020 SetTextColor
 0x1008a024 GetTextExtentPoint32A
COMDLG32.dll
 0x1008a000 GetSaveFileNameA
 0x1008a004 FindTextA
 0x1008a008 GetOpenFileNameA

EAT(Export Address Table) Library

0x10081e16 DllRegisterServer

Similarity measure (PE file only) - Checking for service failure