Report - GodK6jam0J2bDZkC.exe

Gen1 Malicious Library Malicious Packer PE File OS Processor Check PE32 DLL JPEG Format
Created 2021.08.23 12:27 Machine s1_win7_x6401
Filename GodK6jam0J2bDZkC.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 12
Behavior Score 12.8
ZERO API file: malware
VT API (file) 44 detected (Vidar, malicious, high confidence, DeepScan, SpyAgent, GenericRXON, TrojanPSW, ZexaF, NmW@aSIxPPb, Attribute, HighConfidence, PWSX, qqpass, Qqrob, Dztu, R002C0PHM21, Outbreak, AGEN, ai score=81, ASMalwS, PSWTroj, kcloud, score, Unsafe, Arkei, CLASSIC, Static AI, Malicious PE, susgen, GdSda, confidence, 100%)
md5 80be083d6e199ea9ac0391d791379440
sha256 421de3e1abdd3307f05eb1d1900f0e5e12e99794f51fb14fffee3aa5427e3f03
ssdeep 12288:VPaYUeh6oGci940+hbwozJup8tGeFE+QpK6OUdnUYRJF93Ophc41UYNbh9FKuLRl:VPOHEi9bozJD9WvK3UdnUEvd+c4XNE7M
imphash 422c1a894fb7ba8c5b29fe9ee067d2cb
impfuzzy 96:sum+NsR3FVkl6g/eufcpgPlS0hCoGFtami+M:sum5F+l6g/9V6M

Signature (29cnts)

Level Description
danger File has been identified by 44 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process godk6jam0j2bdzkc.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Terminates another process
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (12cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (12cnts)

Request CC ASN Co IP4 Rule ZERO
http://188.34.200.103/softokn3.dll DE Hetzner Online GmbH 188.34.200.103 clean
http://188.34.200.103/msvcp140.dll DE Hetzner Online GmbH 188.34.200.103 clean
http://188.34.200.103/903 DE Hetzner Online GmbH 188.34.200.103 clean
http://188.34.200.103/freebl3.dll DE Hetzner Online GmbH 188.34.200.103 clean
http://188.34.200.103/nss3.dll DE Hetzner Online GmbH 188.34.200.103 clean
http://188.34.200.103/vcruntime140.dll DE Hetzner Online GmbH 188.34.200.103 clean
http://188.34.200.103/ DE Hetzner Online GmbH 188.34.200.103 clean
http://188.34.200.103/mozglue.dll DE Hetzner Online GmbH 188.34.200.103 clean
https://eduarroma.tumblr.com/ CA AUTOMATTIC 74.114.154.22 clean
eduarroma.tumblr.com CA AUTOMATTIC 74.114.154.18 clean
74.114.154.22 CA AUTOMATTIC 74.114.154.22 malicious
188.34.200.103 DE Hetzner Online GmbH 188.34.200.103 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x483008 LocalFree
 0x48300c HeapAlloc
 0x483010 GetProcessHeap
 0x483014 HeapFree
 0x483018 lstrcatA
 0x48301c CreateDirectoryA
 0x483020 FindClose
 0x483024 FindNextFileW
 0x483028 DeleteFileW
 0x48302c lstrcmpW
 0x483030 FindFirstFileW
 0x483034 lstrcatW
 0x483038 lstrcpyW
 0x48303c FindNextFileA
 0x483040 CopyFileA
 0x483044 FindFirstFileA
 0x483048 GetDriveTypeA
 0x48304c GetLogicalDriveStringsA
 0x483050 DeleteFileA
 0x483054 GetCurrentProcessId
 0x483058 SetCurrentDirectoryA
 0x48305c CopyFileW
 0x483060 CloseHandle
 0x483064 WriteFile
 0x483068 CreateFileA
 0x48306c MultiByteToWideChar
 0x483070 ReadFile
 0x483074 GetFileSize
 0x483078 GetVersionExA
 0x48307c GetFileSizeEx
 0x483080 GetCurrentDirectoryA
 0x483084 GetPrivateProfileSectionNamesA
 0x483088 Process32Next
 0x48308c Process32First
 0x483090 CreateToolhelp32Snapshot
 0x483094 TerminateProcess
 0x483098 OpenProcess
 0x48309c GetProcAddress
 0x4830a0 LoadLibraryA
 0x4830a4 FreeLibrary
 0x4830a8 GetFileAttributesA
 0x4830ac FileTimeToSystemTime
 0x4830b0 InterlockedCompareExchange
 0x4830b4 OutputDebugStringW
 0x4830b8 OutputDebugStringA
 0x4830bc WaitForSingleObjectEx
 0x4830c0 WaitForSingleObject
 0x4830c4 UnmapViewOfFile
 0x4830c8 UnlockFileEx
 0x4830cc UnlockFile
 0x4830d0 SystemTimeToFileTime
 0x4830d4 SetFilePointer
 0x4830d8 SetEndOfFile
 0x4830dc QueryPerformanceCounter
 0x4830e0 MapViewOfFile
 0x4830e4 LockFileEx
 0x4830e8 LockFile
 0x4830ec LoadLibraryW
 0x4830f0 HeapCompact
 0x4830f4 HeapValidate
 0x4830f8 HeapSize
 0x4830fc HeapReAlloc
 0x483100 HeapDestroy
 0x483104 HeapCreate
 0x483108 GetVersionExW
 0x48310c LocalAlloc
 0x483110 GetTempPathW
 0x483114 GetTempPathA
 0x483118 GetSystemTimeAsFileTime
 0x48311c GetSystemTime
 0x483120 GetSystemInfo
 0x483124 GetLastError
 0x483128 GetFullPathNameW
 0x48312c GetFullPathNameA
 0x483130 GetFileAttributesExW
 0x483134 GetFileAttributesW
 0x483138 GetDiskFreeSpaceW
 0x48313c GetDiskFreeSpaceA
 0x483140 FormatMessageW
 0x483144 FormatMessageA
 0x483148 FlushFileBuffers
 0x48314c CreateMutexW
 0x483150 CreateFileMappingW
 0x483154 CreateFileMappingA
 0x483158 CreateFileW
 0x48315c AreFileApisANSI
 0x483160 DeleteCriticalSection
 0x483164 EnterCriticalSection
 0x483168 LeaveCriticalSection
 0x48316c InitializeCriticalSection
 0x483170 TryEnterCriticalSection
 0x483174 GetCurrentThreadId
 0x483178 GetComputerNameA
 0x48317c IsWow64Process
 0x483180 GetCurrentProcess
 0x483184 GlobalMemoryStatus
 0x483188 GetModuleHandleA
 0x48318c GetUserDefaultLocaleName
 0x483190 TzSpecificLocalTimeToSystemTime
 0x483194 GetTimeZoneInformation
 0x483198 GetLocaleInfoA
 0x48319c GetFileInformationByHandle
 0x4831a0 GetLocalTime
 0x4831a4 CompareStringW
 0x4831a8 SetStdHandle
 0x4831ac WideCharToMultiByte
 0x4831b0 Sleep
 0x4831b4 IsValidLocale
 0x4831b8 EnumSystemLocalesA
 0x4831bc GetUserDefaultLCID
 0x4831c0 GetLocaleInfoW
 0x4831c4 GetStringTypeW
 0x4831c8 GetEnvironmentStringsW
 0x4831cc FreeEnvironmentStringsW
 0x4831d0 GetModuleFileNameA
 0x4831d4 GetConsoleMode
 0x4831d8 GetConsoleCP
 0x4831dc SetEnvironmentVariableA
 0x4831e0 SetEnvironmentVariableW
 0x4831e4 GetModuleFileNameW
 0x4831e8 IsValidCodePage
 0x4831ec GetOEMCP
 0x4831f0 GetACP
 0x4831f4 GetFileType
 0x4831f8 InitializeCriticalSectionAndSpinCount
 0x4831fc GetStdHandle
 0x483200 SetHandleCount
 0x483204 SetLastError
 0x483208 TlsFree
 0x48320c TlsSetValue
 0x483210 TlsGetValue
 0x483214 GetTickCount
 0x483218 ExitProcess
 0x48321c InterlockedIncrement
 0x483220 InterlockedDecrement
 0x483224 InterlockedExchange
 0x483228 EncodePointer
 0x48322c DecodePointer
 0x483230 RaiseException
 0x483234 RtlUnwind
 0x483238 ExitThread
 0x48323c CreateThread
 0x483240 GetCommandLineA
 0x483244 HeapSetInformation
 0x483248 GetStartupInfoW
 0x48324c LCMapStringW
 0x483250 GetCPInfo
 0x483254 UnhandledExceptionFilter
 0x483258 SetUnhandledExceptionFilter
 0x48325c IsDebuggerPresent
 0x483260 IsProcessorFeaturePresent
 0x483264 GetModuleHandleW
 0x483268 TlsAlloc
 0x48326c WriteConsoleW
USER32.dll
 0x4832a0 GetDesktopWindow
ADVAPI32.dll
 0x483000 GetUserNameA
SHELL32.dll
 0x483284 SHFileOperationA
 0x483288 ShellExecuteA
 0x48328c SHGetFolderPathA
SHLWAPI.dll
 0x483294 PathMatchSpecW
 0x483298 PathMatchSpecA
PSAPI.DLL
 0x483274 GetModuleFileNameExA
 0x483278 GetModuleBaseNameA
 0x48327c EnumProcessModules
WININET.dll
 0x4832a8 DeleteUrlCacheEntry
gdiplus.dll
 0x4832b0 GdipGetImageEncodersSize
 0x4832b4 GdipCreateBitmapFromHBITMAP
 0x4832b8 GdipSaveImageToFile
 0x4832bc GdipCloneImage
 0x4832c0 GdipGetImageEncoders
 0x4832c4 GdiplusShutdown
 0x4832c8 GdipFree
 0x4832cc GdipAlloc
 0x4832d0 GdiplusStartup
 0x4832d4 GdipDisposeImage

EAT (Export Address Table): none