Report - simple.png

Emotet Gen1 Malicious Library Malicious Packer AntiDebug AntiVM PE File OS Processor Check DLL PE32
Created 2021.08.21 12:16 Machine s1_win7_x6402
Filename simple.png
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 11.0
ZERO API file: clean
VT API (file) 7 detected (malicious, high confidence, confidence, Static AI, Suspicious PE, score, susgen)
md5 4fb0ee16540b1779fce8c502e6d877dc
sha256 33fcd639567316ceffba1be151d878ece3af93f5a6949be1387d3c98435c5bf9
ssdeep 12288:mOxwEPSgOP2Tyf5T53IN/haywGQV20O5vE5j+0Sm:wEagq2TyxV3IDtwp2hFE5j5Sm
imphash 00585b5ac1f3a2f8fc50a162c67e07ac
impfuzzy 192:LZDHwyfnWVW4klsFw6UR39UcncncFgNP1QPvh:5Hwon73yaM31QPvh

Signature (23cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice File has been identified by 7 AntiVirus engines on VirusTotal as malicious
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername

Rules (16cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_1_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (31cnts)


Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x1002c0c8 VirtualQuery
 0x1002c0cc GetCommandLineA
 0x1002c0d0 TerminateProcess
 0x1002c0d4 HeapReAlloc
 0x1002c0d8 HeapSize
 0x1002c0dc HeapDestroy
 0x1002c0e0 HeapCreate
 0x1002c0e4 VirtualFree
 0x1002c0e8 IsBadWritePtr
 0x1002c0ec SetHandleCount
 0x1002c0f0 GetStdHandle
 0x1002c0f4 GetFileType
 0x1002c0f8 GetStartupInfoA
 0x1002c0fc FreeEnvironmentStringsA
 0x1002c100 GetEnvironmentStrings
 0x1002c104 FreeEnvironmentStringsW
 0x1002c108 GetEnvironmentStringsW
 0x1002c10c UnhandledExceptionFilter
 0x1002c110 GetSystemInfo
 0x1002c114 GetCurrentProcessId
 0x1002c118 GetSystemTimeAsFileTime
 0x1002c11c SetUnhandledExceptionFilter
 0x1002c120 LCMapStringA
 0x1002c124 LCMapStringW
 0x1002c128 GetStringTypeA
 0x1002c12c GetStringTypeW
 0x1002c130 GetTimeZoneInformation
 0x1002c134 IsBadReadPtr
 0x1002c138 IsBadCodePtr
 0x1002c13c SetStdHandle
 0x1002c140 SetEnvironmentVariableA
 0x1002c144 VirtualAlloc
 0x1002c148 VirtualProtect
 0x1002c14c HeapAlloc
 0x1002c150 RtlUnwind
 0x1002c154 HeapFree
 0x1002c158 GetTickCount
 0x1002c15c GetFileTime
 0x1002c160 GetFileAttributesA
 0x1002c164 FileTimeToLocalFileTime
 0x1002c168 FileTimeToSystemTime
 0x1002c16c GetOEMCP
 0x1002c170 GetCPInfo
 0x1002c174 CreateFileA
 0x1002c178 GetFullPathNameA
 0x1002c17c GetVolumeInformationA
 0x1002c180 FindFirstFileA
 0x1002c184 FindClose
 0x1002c188 GetCurrentProcess
 0x1002c18c DuplicateHandle
 0x1002c190 GetFileSize
 0x1002c194 SetEndOfFile
 0x1002c198 UnlockFile
 0x1002c19c LockFile
 0x1002c1a0 FlushFileBuffers
 0x1002c1a4 SetFilePointer
 0x1002c1a8 WriteFile
 0x1002c1ac ReadFile
 0x1002c1b0 TlsFree
 0x1002c1b4 LocalReAlloc
 0x1002c1b8 TlsSetValue
 0x1002c1bc TlsAlloc
 0x1002c1c0 TlsGetValue
 0x1002c1c4 EnterCriticalSection
 0x1002c1c8 GlobalHandle
 0x1002c1cc GlobalReAlloc
 0x1002c1d0 LeaveCriticalSection
 0x1002c1d4 LocalAlloc
 0x1002c1d8 DeleteCriticalSection
 0x1002c1dc InitializeCriticalSection
 0x1002c1e0 RaiseException
 0x1002c1e4 GlobalFlags
 0x1002c1e8 InterlockedIncrement
 0x1002c1ec WritePrivateProfileStringA
 0x1002c1f0 InterlockedDecrement
 0x1002c1f4 GlobalGetAtomNameA
 0x1002c1f8 GlobalFindAtomA
 0x1002c1fc lstrcatA
 0x1002c200 lstrcmpW
 0x1002c204 FreeResource
 0x1002c208 CloseHandle
 0x1002c20c GlobalAddAtomA
 0x1002c210 SetLastError
 0x1002c214 GlobalFree
 0x1002c218 MulDiv
 0x1002c21c GlobalUnlock
 0x1002c220 FormatMessageA
 0x1002c224 lstrcpynA
 0x1002c228 LocalFree
 0x1002c22c GetCurrentThread
 0x1002c230 GetCurrentThreadId
 0x1002c234 GlobalLock
 0x1002c238 GlobalAlloc
 0x1002c23c FreeLibrary
 0x1002c240 GlobalDeleteAtom
 0x1002c244 lstrcmpA
 0x1002c248 GetModuleFileNameA
 0x1002c24c GetModuleHandleA
 0x1002c250 GetProcAddress
 0x1002c254 ConvertDefaultLocale
 0x1002c258 EnumResourceLanguagesA
 0x1002c25c lstrcpyA
 0x1002c260 LoadResource
 0x1002c264 LockResource
 0x1002c268 SizeofResource
 0x1002c26c FindResourceA
 0x1002c270 LoadLibraryA
 0x1002c274 ExitProcess
 0x1002c278 WriteProcessMemory
 0x1002c27c GetLastError
 0x1002c280 lstrlenA
 0x1002c284 lstrcmpiA
 0x1002c288 WideCharToMultiByte
 0x1002c28c CompareStringA
 0x1002c290 CompareStringW
 0x1002c294 MultiByteToWideChar
 0x1002c298 GetVersion
 0x1002c29c GetThreadLocale
 0x1002c2a0 GetLocaleInfoA
 0x1002c2a4 GetACP
 0x1002c2a8 GetVersionExA
 0x1002c2ac QueryPerformanceCounter
 0x1002c2b0 InterlockedExchange
USER32.dll
 0x1002c300 PostThreadMessageA
 0x1002c304 MessageBeep
 0x1002c308 GetNextDlgGroupItem
 0x1002c30c InvalidateRgn
 0x1002c310 CopyAcceleratorTableA
 0x1002c314 SetRect
 0x1002c318 IsRectEmpty
 0x1002c31c CharNextA
 0x1002c320 GetSysColorBrush
 0x1002c324 ReleaseCapture
 0x1002c328 LoadCursorA
 0x1002c32c SetCapture
 0x1002c330 EndPaint
 0x1002c334 BeginPaint
 0x1002c338 GetWindowDC
 0x1002c33c ReleaseDC
 0x1002c340 GetDC
 0x1002c344 ClientToScreen
 0x1002c348 GrayStringA
 0x1002c34c DrawTextExA
 0x1002c350 DrawTextA
 0x1002c354 TabbedTextOutA
 0x1002c358 DestroyMenu
 0x1002c35c wsprintfA
 0x1002c360 ShowWindow
 0x1002c364 MoveWindow
 0x1002c368 SetWindowTextA
 0x1002c36c IsDialogMessageA
 0x1002c370 RegisterWindowMessageA
 0x1002c374 WinHelpA
 0x1002c378 GetCapture
 0x1002c37c CreateWindowExA
 0x1002c380 GetClassLongA
 0x1002c384 GetClassInfoExA
 0x1002c388 GetClassNameA
 0x1002c38c SetPropA
 0x1002c390 GetPropA
 0x1002c394 RemovePropA
 0x1002c398 SendDlgItemMessageA
 0x1002c39c SetFocus
 0x1002c3a0 IsChild
 0x1002c3a4 GetWindowTextA
 0x1002c3a8 GetForegroundWindow
 0x1002c3ac GetTopWindow
 0x1002c3b0 UnhookWindowsHookEx
 0x1002c3b4 GetMessageTime
 0x1002c3b8 GetMessagePos
 0x1002c3bc MapWindowPoints
 0x1002c3c0 SetForegroundWindow
 0x1002c3c4 UpdateWindow
 0x1002c3c8 GetMenu
 0x1002c3cc GetSysColor
 0x1002c3d0 AdjustWindowRectEx
 0x1002c3d4 EqualRect
 0x1002c3d8 GetClassInfoA
 0x1002c3dc RegisterClassA
 0x1002c3e0 UnregisterClassA
 0x1002c3e4 GetDlgCtrlID
 0x1002c3e8 DefWindowProcA
 0x1002c3ec CallWindowProcA
 0x1002c3f0 SetWindowLongA
 0x1002c3f4 CharUpperA
 0x1002c3f8 EnableWindow
 0x1002c3fc LoadIconA
 0x1002c400 SendMessageA
 0x1002c404 AppendMenuA
 0x1002c408 GetSystemMenu
 0x1002c40c DrawIcon
 0x1002c410 GetClientRect
 0x1002c414 GetSystemMetrics
 0x1002c418 IsIconic
 0x1002c41c OffsetRect
 0x1002c420 IntersectRect
 0x1002c424 SystemParametersInfoA
 0x1002c428 GetWindowPlacement
 0x1002c42c GetWindowRect
 0x1002c430 CopyRect
 0x1002c434 PtInRect
 0x1002c438 GetWindow
 0x1002c43c SetWindowContextHelpId
 0x1002c440 MapDialogRect
 0x1002c444 SetWindowPos
 0x1002c448 GetDesktopWindow
 0x1002c44c SetActiveWindow
 0x1002c450 CreateDialogIndirectParamA
 0x1002c454 DestroyWindow
 0x1002c458 RegisterClipboardFormatA
 0x1002c45c IsWindow
 0x1002c460 GetDlgItem
 0x1002c464 GetNextDlgTabItem
 0x1002c468 EndDialog
 0x1002c46c SetMenuItemBitmaps
 0x1002c470 GetFocus
 0x1002c474 ModifyMenuA
 0x1002c478 EnableMenuItem
 0x1002c47c CheckMenuItem
 0x1002c480 GetMenuCheckMarkDimensions
 0x1002c484 SetWindowsHookExA
 0x1002c488 CallNextHookEx
 0x1002c48c GetParent
 0x1002c490 LoadBitmapA
 0x1002c494 InvalidateRect
 0x1002c498 PostMessageA
 0x1002c49c PostQuitMessage
 0x1002c4a0 GetSubMenu
 0x1002c4a4 GetMenuItemCount
 0x1002c4a8 GetMenuItemID
 0x1002c4ac GetMenuState
 0x1002c4b0 SetCursor
 0x1002c4b4 IsWindowEnabled
 0x1002c4b8 GetLastActivePopup
 0x1002c4bc GetWindowLongA
 0x1002c4c0 MessageBoxA
 0x1002c4c4 ValidateRect
 0x1002c4c8 GetCursorPos
 0x1002c4cc PeekMessageA
 0x1002c4d0 GetKeyState
 0x1002c4d4 IsWindowVisible
 0x1002c4d8 GetActiveWindow
 0x1002c4dc DispatchMessageA
 0x1002c4e0 TranslateMessage
 0x1002c4e4 GetMessageA
GDI32.dll
 0x1002c030 GetBkColor
 0x1002c034 GetTextColor
 0x1002c038 CreateRectRgnIndirect
 0x1002c03c GetRgnBox
 0x1002c040 GetMapMode
 0x1002c044 GetStockObject
 0x1002c048 DeleteDC
 0x1002c04c ExtSelectClipRgn
 0x1002c050 ScaleWindowExtEx
 0x1002c054 SetWindowExtEx
 0x1002c058 ScaleViewportExtEx
 0x1002c05c SetViewportExtEx
 0x1002c060 OffsetViewportOrgEx
 0x1002c064 SetViewportOrgEx
 0x1002c068 SelectObject
 0x1002c06c Escape
 0x1002c070 TextOutA
 0x1002c074 RectVisible
 0x1002c078 PtVisible
 0x1002c07c BitBlt
 0x1002c080 GetViewportExtEx
 0x1002c084 DeleteObject
 0x1002c088 SetMapMode
 0x1002c08c RestoreDC
 0x1002c090 SaveDC
 0x1002c094 ExtTextOutA
 0x1002c098 SetBkColor
 0x1002c09c SetTextColor
 0x1002c0a0 GetClipBox
 0x1002c0a4 CreateBitmap
 0x1002c0a8 GetDeviceCaps
 0x1002c0ac GetObjectA
 0x1002c0b0 GetPixel
 0x1002c0b4 CreateCompatibleBitmap
 0x1002c0b8 CreateCompatibleDC
 0x1002c0bc SetPixelV
 0x1002c0c0 GetWindowExtEx
comdlg32.dll
 0x1002c4fc GetFileTitleA
WINSPOOL.DRV
 0x1002c4ec OpenPrinterA
 0x1002c4f0 DocumentPropertiesA
 0x1002c4f4 ClosePrinter
ADVAPI32.dll
 0x1002c000 RegQueryValueExA
 0x1002c004 RegOpenKeyExA
 0x1002c008 RegOpenKeyA
 0x1002c00c RegDeleteKeyA
 0x1002c010 RegEnumKeyA
 0x1002c014 RegQueryValueA
 0x1002c018 RegCreateKeyExA
 0x1002c01c RegSetValueExA
 0x1002c020 RegCloseKey
COMCTL32.dll
 0x1002c028 None
SHLWAPI.dll
 0x1002c2ec PathFindFileNameA
 0x1002c2f0 PathStripToRootA
 0x1002c2f4 PathFindExtensionA
 0x1002c2f8 PathIsUNCA
oledlg.dll
 0x1002c544 None
ole32.dll
 0x1002c504 CreateILockBytesOnHGlobal
 0x1002c508 StgCreateDocfileOnILockBytes
 0x1002c50c StgOpenStorageOnILockBytes
 0x1002c510 CoGetClassObject
 0x1002c514 CLSIDFromString
 0x1002c518 CLSIDFromProgID
 0x1002c51c CoTaskMemFree
 0x1002c520 OleUninitialize
 0x1002c524 CoFreeUnusedLibraries
 0x1002c528 CoRegisterMessageFilter
 0x1002c52c OleFlushClipboard
 0x1002c530 OleIsCurrentClipboard
 0x1002c534 CoRevokeClassObject
 0x1002c538 CoTaskMemAlloc
 0x1002c53c OleInitialize
OLEAUT32.dll
 0x1002c2b8 SysAllocStringLen
 0x1002c2bc VariantClear
 0x1002c2c0 VariantChangeType
 0x1002c2c4 VariantInit
 0x1002c2c8 SysStringLen
 0x1002c2cc SysAllocStringByteLen
 0x1002c2d0 OleCreateFontIndirect
 0x1002c2d4 SystemTimeToVariantTime
 0x1002c2d8 SafeArrayDestroy
 0x1002c2dc SysAllocString
 0x1002c2e0 VariantCopy
 0x1002c2e4 SysFreeString

EAT (Export Address Table) Library

0x10002690 ducks