Report - photo.png

Tags: Emotet, Gen1, UPX, Malicious Library, Malicious Packer, AntiDebug, AntiVM, PE File, OS Processor Check, DLL, PE32
Created 2021.08.20 10:08 Machine s1_win7_x6401
Filename photo.png
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 10.8
ZERO API file : malware
VT API (file) 12 detected (malicious, high confidence, confidence, 100%, Trickster, Static AI, Malicious PE, susgen, kcloud, Cloxer, score)
md5 042d6a2c08376d3cb1860a74383a5e58
sha256 d9a05fa49db564d9a45d63178733bed0ed74938bb691f5cfd91d5029efc8f9ca
ssdeep 12288:taK4EKLIGOlFsyrlcDk35LbBQP/FL/ukh8:takrsc+IJCP/9Gk
imphash 8319e137203f98a2bd6caa7e043a6fa9
impfuzzy 96:3mhkUgg7JBPP+tpmoQiqMisdsZscF/WY9RXEcRcLQnfKTNQR:CTfiqwdsZscF/WY99EcRcsONQR

Signatures (22)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch File has been identified by 12 AntiVirus engines on VirusTotal as malicious
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername

Rules (17)

Level Name Description Collection
danger Win32_Trojan_Emotet_1_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (37)


Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x10020094 GetCommandLineA
 0x10020098 HeapReAlloc
 0x1002009c TerminateProcess
 0x100200a0 HeapSize
 0x100200a4 HeapDestroy
 0x100200a8 HeapCreate
 0x100200ac VirtualFree
 0x100200b0 IsBadWritePtr
 0x100200b4 SetHandleCount
 0x100200b8 GetStdHandle
 0x100200bc GetFileType
 0x100200c0 GetStartupInfoA
 0x100200c4 FreeEnvironmentStringsA
 0x100200c8 GetEnvironmentStrings
 0x100200cc FreeEnvironmentStringsW
 0x100200d0 GetEnvironmentStringsW
 0x100200d4 UnhandledExceptionFilter
 0x100200d8 QueryPerformanceCounter
 0x100200dc RtlUnwind
 0x100200e0 GetCurrentProcessId
 0x100200e4 GetSystemTimeAsFileTime
 0x100200e8 SetUnhandledExceptionFilter
 0x100200ec LCMapStringA
 0x100200f0 LCMapStringW
 0x100200f4 GetStringTypeA
 0x100200f8 GetStringTypeW
 0x100200fc IsBadReadPtr
 0x10020100 IsBadCodePtr
 0x10020104 GetUserDefaultLCID
 0x10020108 EnumSystemLocalesA
 0x1002010c IsValidLocale
 0x10020110 IsValidCodePage
 0x10020114 SetStdHandle
 0x10020118 GetLocaleInfoW
 0x1002011c VirtualQuery
 0x10020120 GetSystemInfo
 0x10020124 VirtualProtect
 0x10020128 HeapFree
 0x1002012c HeapAlloc
 0x10020130 GetOEMCP
 0x10020134 GetCPInfo
 0x10020138 FlushFileBuffers
 0x1002013c SetFilePointer
 0x10020140 WriteFile
 0x10020144 ReadFile
 0x10020148 GlobalFlags
 0x1002014c WritePrivateProfileStringA
 0x10020150 TlsFree
 0x10020154 LocalReAlloc
 0x10020158 TlsSetValue
 0x1002015c TlsAlloc
 0x10020160 TlsGetValue
 0x10020164 EnterCriticalSection
 0x10020168 GlobalHandle
 0x1002016c GlobalReAlloc
 0x10020170 LeaveCriticalSection
 0x10020174 LocalAlloc
 0x10020178 InterlockedIncrement
 0x1002017c DeleteCriticalSection
 0x10020180 InitializeCriticalSection
 0x10020184 RaiseException
 0x10020188 GlobalGetAtomNameA
 0x1002018c GlobalFindAtomA
 0x10020190 lstrcatA
 0x10020194 lstrcmpW
 0x10020198 InterlockedDecrement
 0x1002019c FreeResource
 0x100201a0 CloseHandle
 0x100201a4 GlobalAddAtomA
 0x100201a8 GetCurrentThreadId
 0x100201ac FreeLibrary
 0x100201b0 GlobalDeleteAtom
 0x100201b4 lstrcmpA
 0x100201b8 GetModuleFileNameA
 0x100201bc ConvertDefaultLocale
 0x100201c0 EnumResourceLanguagesA
 0x100201c4 lstrcpyA
 0x100201c8 SetLastError
 0x100201cc GlobalFree
 0x100201d0 MulDiv
 0x100201d4 GlobalAlloc
 0x100201d8 GlobalLock
 0x100201dc GlobalUnlock
 0x100201e0 FormatMessageA
 0x100201e4 lstrcpynA
 0x100201e8 LocalFree
 0x100201ec LoadLibraryA
 0x100201f0 ExitProcess
 0x100201f4 GetModuleHandleA
 0x100201f8 GetProcAddress
 0x100201fc VirtualAlloc
 0x10020200 WriteProcessMemory
 0x10020204 GetCurrentThread
 0x10020208 GetCurrentProcess
 0x1002020c lstrlenA
 0x10020210 lstrcmpiA
 0x10020214 GetVersion
 0x10020218 FindResourceA
 0x1002021c LoadResource
 0x10020220 LockResource
 0x10020224 SizeofResource
 0x10020228 GetLastError
 0x1002022c WideCharToMultiByte
 0x10020230 MultiByteToWideChar
 0x10020234 GetVersionExA
 0x10020238 GetThreadLocale
 0x1002023c GetLocaleInfoA
 0x10020240 GetACP
 0x10020244 GetTickCount
 0x10020248 InterlockedExchange
USER32.dll
 0x10020268 SetWindowTextA
 0x1002026c IsDialogMessageA
 0x10020270 RegisterWindowMessageA
 0x10020274 WinHelpA
 0x10020278 GetCapture
 0x1002027c CreateWindowExA
 0x10020280 GetClassInfoExA
 0x10020284 GetClassNameA
 0x10020288 SetPropA
 0x1002028c GetPropA
 0x10020290 RemovePropA
 0x10020294 SendDlgItemMessageA
 0x10020298 SetFocus
 0x1002029c GetWindowTextLengthA
 0x100202a0 GetWindowTextA
 0x100202a4 GetForegroundWindow
 0x100202a8 GetTopWindow
 0x100202ac GetMessageTime
 0x100202b0 GetMessagePos
 0x100202b4 MapWindowPoints
 0x100202b8 SetForegroundWindow
 0x100202bc UpdateWindow
 0x100202c0 GetMenu
 0x100202c4 GetSysColor
 0x100202c8 AdjustWindowRectEx
 0x100202cc GetClassInfoA
 0x100202d0 RegisterClassA
 0x100202d4 UnregisterClassA
 0x100202d8 SetWindowPlacement
 0x100202dc GetDlgCtrlID
 0x100202e0 DefWindowProcA
 0x100202e4 CallWindowProcA
 0x100202e8 SetWindowLongA
 0x100202ec SetWindowPos
 0x100202f0 SystemParametersInfoA
 0x100202f4 GetWindowPlacement
 0x100202f8 GetWindowRect
 0x100202fc CopyRect
 0x10020300 PtInRect
 0x10020304 UnhookWindowsHookEx
 0x10020308 GetDesktopWindow
 0x1002030c SetActiveWindow
 0x10020310 CreateDialogIndirectParamA
 0x10020314 DestroyWindow
 0x10020318 IsWindow
 0x1002031c GetDlgItem
 0x10020320 GetNextDlgTabItem
 0x10020324 EndDialog
 0x10020328 SetMenuItemBitmaps
 0x1002032c GetFocus
 0x10020330 ModifyMenuA
 0x10020334 EnableMenuItem
 0x10020338 CheckMenuItem
 0x1002033c GetMenuCheckMarkDimensions
 0x10020340 LoadBitmapA
 0x10020344 SetWindowsHookExA
 0x10020348 CallNextHookEx
 0x1002034c GetMessageA
 0x10020350 TranslateMessage
 0x10020354 DispatchMessageA
 0x10020358 GetActiveWindow
 0x1002035c IsWindowVisible
 0x10020360 GetKeyState
 0x10020364 PeekMessageA
 0x10020368 DestroyMenu
 0x1002036c GetCursorPos
 0x10020370 ValidateRect
 0x10020374 MessageBoxA
 0x10020378 GetParent
 0x1002037c GetWindowLongA
 0x10020380 GetLastActivePopup
 0x10020384 IsWindowEnabled
 0x10020388 SetCursor
 0x1002038c PostQuitMessage
 0x10020390 PostMessageA
 0x10020394 GetMenuState
 0x10020398 GetMenuItemID
 0x1002039c GetMenuItemCount
 0x100203a0 GetSubMenu
 0x100203a4 GetSystemMetrics
 0x100203a8 LoadIconA
 0x100203ac EnableWindow
 0x100203b0 GetClientRect
 0x100203b4 IsIconic
 0x100203b8 SendMessageA
 0x100203bc DrawIcon
 0x100203c0 GetWindow
 0x100203c4 LoadCursorA
 0x100203c8 GetSysColorBrush
 0x100203cc EndPaint
 0x100203d0 BeginPaint
 0x100203d4 ReleaseDC
 0x100203d8 GetDC
 0x100203dc ClientToScreen
 0x100203e0 GrayStringA
 0x100203e4 DrawTextExA
 0x100203e8 DrawTextA
 0x100203ec TabbedTextOutA
 0x100203f0 wsprintfA
 0x100203f4 ShowWindow
 0x100203f8 GetClassLongA
GDI32.dll
 0x10020030 PtVisible
 0x10020034 RectVisible
 0x10020038 TextOutA
 0x1002003c ExtTextOutA
 0x10020040 Escape
 0x10020044 SelectObject
 0x10020048 SetViewportOrgEx
 0x1002004c OffsetViewportOrgEx
 0x10020050 SetViewportExtEx
 0x10020054 ScaleViewportExtEx
 0x10020058 SetWindowExtEx
 0x1002005c ScaleWindowExtEx
 0x10020060 DeleteDC
 0x10020064 GetStockObject
 0x10020068 DeleteObject
 0x1002006c SetMapMode
 0x10020070 RestoreDC
 0x10020074 SaveDC
 0x10020078 GetObjectA
 0x1002007c SetBkColor
 0x10020080 SetTextColor
 0x10020084 GetClipBox
 0x10020088 CreateBitmap
 0x1002008c GetDeviceCaps
WINSPOOL.DRV
 0x10020400 OpenPrinterA
 0x10020404 DocumentPropertiesA
 0x10020408 ClosePrinter
ADVAPI32.dll
 0x10020000 RegQueryValueExA
 0x10020004 RegCloseKey
 0x10020008 RegOpenKeyExA
 0x1002000c RegSetValueExA
 0x10020010 RegCreateKeyExA
 0x10020014 RegOpenKeyA
 0x10020018 RegDeleteKeyA
 0x1002001c RegQueryValueA
 0x10020020 RegEnumKeyA
COMCTL32.dll
 0x10020028 None
SHLWAPI.dll
 0x10020260 PathFindExtensionA
OLEAUT32.dll
 0x10020250 VariantInit
 0x10020254 VariantClear
 0x10020258 VariantChangeType

EAT (Export Address Table) Library

0x1000fa3d Sajd548zfDsaj
0x1000fa3d hgjdfggvdsgg
0x10002836 hitmk
0x1000fa3d sfe5384tsfrfw4dhd
