Report - htown.exe

Ave Maria WARZONE RAT NPKI Malicious Library Malicious Packer PE File OS Processor Check PE32
ScreenShot
Created 2021.08.21 08:53 Machine s1_win7_x6402
Filename htown.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
Behavior Score
8.2
ZERO API file : clean
VT API (file) 59 detected (AIDetect, malware2, Agentb, trG2, malicious, high confidence, DeepScan, IGENERIC, Remcos, HxQBXhEA, GenericRXLJ, Unsafe, Save, confidence, 100%, Antiav, INDT, AveMaria, jiad, fljpfv, Gencirc, VA@81mmki, Maria, MOCRT, Static AI, Malicious PE, Redcap, ghjpt, ai score=100, ASMalwS, score, R263895, CLASSIC, GenAsa, ++8lN4UW0KE, Razy, ZexaF, hyW@aC46ikhi, Genetic)
md5 6452a476398bc73e815078a0342425f6
sha256 7f6b099267911103a2ed4968d73900bbdc667fde2d574fe8300f891a25a33f55
ssdeep 1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0
imphash 51a1d638436da72d7fa5fb524e02d427
impfuzzy 96:VVm8R4U0nscp+0zGXeMCDH2Vl76BmmncGKJziH9/I2K:V90nRceMCDH2V9R9Q5K
  Network IP location

Signature (20cnts)

Level Description
danger File has been identified by 59 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to remove evidence of file being downloaded from the Internet
watch Harvests credentials from local email clients
watch Potential code injection by writing to the memory of another process
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Executes one or more WMI queries
notice Foreign language identified in PE resource
notice One or more potentially interesting buffers were extracted
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info Tries to locate where the browsers are installed

Rules (7cnts)

Level Name Description Collection
danger Ave_Maria_Zero Remote Access Trojan that is also called WARZONE RAT binaries (upload)
danger NPKI_Zero File included NPKI binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
googleservers.org US HOSTING-SOLUTIONS 162.248.225.143 mailcious
162.248.225.143 US HOSTING-SOLUTIONS 162.248.225.143 clean

Suricata ids

PE API

IAT(Import Address Table) Library

crypt.dll
 0x414330 BCryptSetProperty
 0x414334 BCryptGenerateSymmetricKey
 0x414338 BCryptOpenAlgorithmProvider
 0x41433c BCryptDecrypt
KERNEL32.dll
 0x41408c HeapFree
 0x414090 VirtualAlloc
 0x414094 HeapReAlloc
 0x414098 VirtualQuery
 0x41409c TerminateThread
 0x4140a0 CreateThread
 0x4140a4 WriteProcessMemory
 0x4140a8 GetCurrentProcess
 0x4140ac OpenProcess
 0x4140b0 GetWindowsDirectoryA
 0x4140b4 VirtualProtectEx
 0x4140b8 VirtualAllocEx
 0x4140bc CreateRemoteThread
 0x4140c0 CreateProcessA
 0x4140c4 GetModuleHandleW
 0x4140c8 IsWow64Process
 0x4140cc WriteFile
 0x4140d0 CreateFileW
 0x4140d4 LoadLibraryW
 0x4140d8 GetLocalTime
 0x4140dc GetCurrentThreadId
 0x4140e0 GetCurrentProcessId
 0x4140e4 ReadFile
 0x4140e8 FindFirstFileA
 0x4140ec GetBinaryTypeW
 0x4140f0 FindNextFileA
 0x4140f4 GetFullPathNameA
 0x4140f8 GetTempPathW
 0x4140fc GetPrivateProfileStringW
 0x414100 CreateFileA
 0x414104 GlobalAlloc
 0x414108 GetCurrentDirectoryW
 0x41410c SetCurrentDirectoryW
 0x414110 GetFileSize
 0x414114 FreeLibrary
 0x414118 SetDllDirectoryW
 0x41411c GetFileSizeEx
 0x414120 LoadLibraryA
 0x414124 LocalFree
 0x414128 WaitForSingleObject
 0x41412c WaitForMultipleObjects
 0x414130 CreatePipe
 0x414134 PeekNamedPipe
 0x414138 DuplicateHandle
 0x41413c SetEvent
 0x414140 GetStartupInfoA
 0x414144 CreateEventA
 0x414148 GetModuleFileNameW
 0x41414c LoadResource
 0x414150 FindResourceW
 0x414154 GetComputerNameW
 0x414158 GlobalMemoryStatusEx
 0x41415c LoadLibraryExW
 0x414160 FindFirstFileW
 0x414164 FindNextFileW
 0x414168 SetFilePointer
 0x41416c GetLogicalDriveStringsW
 0x414170 DeleteFileW
 0x414174 CopyFileW
 0x414178 GetDriveTypeW
 0x41417c EnterCriticalSection
 0x414180 LeaveCriticalSection
 0x414184 InitializeCriticalSection
 0x414188 DeleteCriticalSection
 0x41418c GetProcessHeap
 0x414190 ReleaseMutex
 0x414194 TerminateProcess
 0x414198 CreateToolhelp32Snapshot
 0x41419c Process32NextW
 0x4141a0 Process32FirstW
 0x4141a4 SizeofResource
 0x4141a8 VirtualProtect
 0x4141ac GetSystemDirectoryW
 0x4141b0 LockResource
 0x4141b4 GetWindowsDirectoryW
 0x4141b8 Process32First
 0x4141bc Process32Next
 0x4141c0 WinExec
 0x4141c4 GetTempPathA
 0x4141c8 HeapAlloc
 0x4141cc lstrcmpW
 0x4141d0 GetTickCount
 0x4141d4 lstrcpyW
 0x4141d8 WideCharToMultiByte
 0x4141dc lstrcpyA
 0x4141e0 Sleep
 0x4141e4 MultiByteToWideChar
 0x4141e8 GetCommandLineA
 0x4141ec GetModuleHandleA
 0x4141f0 ExitProcess
 0x4141f4 CreateProcessW
 0x4141f8 lstrcatA
 0x4141fc lstrcmpA
 0x414200 lstrlenA
 0x414204 ExpandEnvironmentStringsW
 0x414208 lstrlenW
 0x41420c CloseHandle
 0x414210 lstrcatW
 0x414214 GetLastError
 0x414218 VirtualFree
 0x41421c GetProcAddress
 0x414220 SetLastError
 0x414224 GetModuleFileNameA
 0x414228 CreateDirectoryW
 0x41422c LocalAlloc
 0x414230 CreateMutexA
USER32.dll
 0x414298 GetKeyState
 0x41429c GetMessageA
 0x4142a0 DispatchMessageA
 0x4142a4 CreateWindowExW
 0x4142a8 CallNextHookEx
 0x4142ac GetAsyncKeyState
 0x4142b0 RegisterClassW
 0x4142b4 GetRawInputData
 0x4142b8 MapVirtualKeyA
 0x4142bc DefWindowProcA
 0x4142c0 RegisterRawInputDevices
 0x4142c4 TranslateMessage
 0x4142c8 GetForegroundWindow
 0x4142cc GetKeyNameTextW
 0x4142d0 PostQuitMessage
 0x4142d4 MessageBoxA
 0x4142d8 GetLastInputInfo
 0x4142dc wsprintfW
 0x4142e0 GetWindowTextW
 0x4142e4 wsprintfA
 0x4142e8 ToUnicode
ADVAPI32.dll
 0x414000 RegDeleteKeyW
 0x414004 RegCreateKeyExW
 0x414008 RegSetValueExA
 0x41400c RegDeleteValueW
 0x414010 LookupPrivilegeValueW
 0x414014 AdjustTokenPrivileges
 0x414018 AllocateAndInitializeSid
 0x41401c OpenProcessToken
 0x414020 InitializeSecurityDescriptor
 0x414024 RegDeleteKeyA
 0x414028 SetSecurityDescriptorDacl
 0x41402c RegOpenKeyExW
 0x414030 RegOpenKeyExA
 0x414034 RegEnumKeyExW
 0x414038 RegQueryValueExA
 0x41403c RegQueryInfoKeyW
 0x414040 RegCloseKey
 0x414044 OpenServiceW
 0x414048 ChangeServiceConfigW
 0x41404c QueryServiceConfigW
 0x414050 EnumServicesStatusExW
 0x414054 StartServiceW
 0x414058 RegSetValueExW
 0x41405c RegCreateKeyExA
 0x414060 OpenSCManagerW
 0x414064 CloseServiceHandle
 0x414068 GetTokenInformation
 0x41406c LookupAccountSidW
 0x414070 FreeSid
 0x414074 RegQueryValueExW
SHELL32.dll
 0x414254 ShellExecuteExA
 0x414258 ShellExecuteExW
 0x41425c None
 0x414260 SHGetSpecialFolderPathW
 0x414264 SHCreateDirectoryExW
 0x414268 ShellExecuteW
 0x41426c SHGetFolderPathW
 0x414270 SHGetKnownFolderPath
urlmon.dll
 0x41435c URLDownloadToFileW
WS2_32.dll
 0x4142f0 htons
 0x4142f4 recv
 0x4142f8 connect
 0x4142fc socket
 0x414300 send
 0x414304 WSAStartup
 0x414308 shutdown
 0x41430c closesocket
 0x414310 WSACleanup
 0x414314 InetNtopW
 0x414318 gethostbyname
 0x41431c inet_addr
 0x414320 getaddrinfo
 0x414324 setsockopt
 0x414328 freeaddrinfo
ole32.dll
 0x414344 CoInitializeSecurity
 0x414348 CoCreateInstance
 0x41434c CoInitialize
 0x414350 CoUninitialize
 0x414354 CoTaskMemFree
SHLWAPI.dll
 0x414278 StrStrW
 0x41427c PathRemoveFileSpecA
 0x414280 StrStrA
 0x414284 PathCombineA
 0x414288 PathFindFileNameW
 0x41428c PathFileExistsW
 0x414290 PathFindExtensionW
NETAPI32.dll
 0x414238 NetLocalGroupAddMembers
 0x41423c NetUserAdd
OLEAUT32.dll
 0x414244 VariantInit
CRYPT32.dll
 0x41407c CryptUnprotectData
 0x414080 CryptStringToBinaryA
 0x414084 CryptStringToBinaryW
PSAPI.DLL
 0x41424c GetModuleFileNameExW

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure