Report - redtank.png

AntiDebug AntiVM PE File DLL PE32
Created 2021.08.19 19:22 Machine s1_win7_x6401
Filename redtank.png
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
7
Behavior Score
10.8
ZERO API file : clean
VT API (file)
md5 1618f8ae8ee070d71010a20d21b5e856
sha256 0848a10d6f7db8ad7f03be296b2a307a82554446d8a172fe0a0503309c08aeb0
ssdeep 6144:vW3hPbF9A3hAfKKC64zROB6NBbTN+qGfhI6zSRZKhoRli2fFzs:vWRjAhAfKbRO6NBbTMp/STKhoHi2fFzs
imphash 89aafe32fea223936c5c233bf06df6d3
impfuzzy 48:Nf2AIEDnXW1sxiMcJJPRirqySSNShrlBgaTWlquJYIJPXvQKQEf:Nf2anaOGTy6ZBgaTMqGYIJfH
Signature (24cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable uses a known packer
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (11cnts)

Level Name Description Collection
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (33cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT(Import Address Table) Library

MFC42.DLL
MSVCRT.dll
 0x10017b54 _adjust_fdiv
 0x10017b58 _initterm
 0x10017b5c free
 0x10017b60 _onexit
 0x10017b64 __dllonexit
 0x10017b68 strstr
 0x10017b6c __CxxFrameHandler
 0x10017b70 strncpy
 0x10017b74 sprintf
 0x10017b78 _wcsicmp
 0x10017b7c _strnicmp
 0x10017b80 malloc
 0x10017b84 atoi
 0x10017b88 printf
KERNEL32.dll
 0x10017688 CreateFileMappingA
 0x1001768c MapViewOfFile
 0x10017690 DisableThreadLibraryCalls
 0x10017694 GetFileSize
 0x10017698 UnmapViewOfFile
 0x1001769c GetCurrentProcess
 0x100176a0 ExitProcess
 0x100176a4 LoadLibraryA
 0x100176a8 CreateFileA
 0x100176ac CloseHandle
 0x100176b0 WideCharToMultiByte
USER32.dll
 0x10017bc0 SendMessageA
 0x10017bc4 IsCharAlphaNumericA
 0x10017bc8 InvalidateRect
 0x10017bcc wsprintfA
 0x10017bd0 EnableWindow
 0x10017bd4 SetWindowLongA
GDI32.dll
 0x10017640 CreateFontA
 0x10017644 GetObjectA
 0x10017648 GetTextMetricsA
 0x1001764c GetDeviceCaps
 0x10017650 GetTextExtentPoint32A
 0x10017654 CreateFontIndirectA

EAT(Export Address Table) Library

0x100011d1 klust
