popup

Report - tooltipred.png

Emotet Malicious Library AntiDebug AntiVM PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.27 15:44 Machine s1_win7_x6402
Filename tooltipred.png
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
10.2
ZERO API file : clean
VT API (file)
md5 4f907ddbf3e599e3d4f6687dcf69e747
sha256 f562e11d9edfea63f1c9a78e9081d85fc8547b9b70334f6d8935113de61df477
ssdeep 12288:QFuLe4nHJm79H5t51MKd3GydYLMcOCWvnJi7:QFF4nHJoBZbnJc
imphash 884c251bdbb51e23564add248435ff5c
impfuzzy 192:TjrGO6xlFzgUQpCz9UZZ9MgDZYELcRcUc756WlN:0xXzgUQg8MoERpWlN
  Network IP location

Signature (21cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
notice Yara rule detected in process memory
info One or more processes crashed
info Queries for the computername
info The executable uses a known packer

Rules (12cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_1_Zero Win32 Trojan Emotet binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (20cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://icanhazip.com/
whois
US CLOUDFLARENET 104.18.7.156 clean
https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/b5Jb57X3TvfZJdxFT53d/
whois
US CHARTER-20115 97.83.40.67 clean
https://5.152.175.57/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/pwgrabb64/
whois
ES Skylogic S.p.A. 5.152.175.57 clean
https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/8uMoLXFfUKElAG6M7lPr/
whois
BR America-NET Ltda. 179.189.229.254 clean
https://5.152.175.57/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/pwgrabc64/
whois
ES Skylogic S.p.A. 5.152.175.57 clean
https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/10/62/CETDHVSBTPT/7/
whois
US CHARTER-20115 97.83.40.67 clean
https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/file/
whois
US CHARTER-20115 97.83.40.67 clean
https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/NAT%20status/client%20is%20behind%20NAT/0/
whois
US CHARTER-20115 97.83.40.67 clean
https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
whois
US CHARTER-20115 97.83.40.67 clean
https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/path/C:%5CUsers%5Ctest22%5CAppData%5CLocal%5CTemp%5Ctooltipred.png/0/
whois
BR America-NET Ltda. 179.189.229.254 clean
https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/user/test22/0/
whois
US CHARTER-20115 97.83.40.67 clean
https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/W86mMKPIM801nj2bSV6zifCFnf/
whois
BR America-NET Ltda. 179.189.229.254 clean
icanhazip.com
whois
US CLOUDFLARENET 104.18.6.156 clean
104.18.6.156
whois
US CLOUDFLARENET 104.18.6.156 clean
179.189.229.254
whois
BR America-NET Ltda. 179.189.229.254 mailcious
194.146.249.137
whois
PL Virtuaoperator Sp. z o.o. 194.146.249.137 mailcious
5.152.175.57
whois
ES Skylogic S.p.A. 5.152.175.57 mailcious
97.83.40.67
whois
US CHARTER-20115 97.83.40.67 mailcious
62.99.79.77
whois
ES Euskaltel S.A. 62.99.79.77 clean
104.21.19.200
whois
US CLOUDFLARENET 104.21.19.200 clean

Suricata ids

ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 25
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET POLICY curl User-Agent Outbound
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x4378dc GetCurrentDirectoryA
 0x4378e0 GetProcessVersion
 0x4378e4 SizeofResource
 0x4378e8 GetCPInfo
 0x4378ec GetOEMCP
 0x4378f0 SetErrorMode
 0x4378f4 FileTimeToSystemTime
 0x4378f8 FileTimeToLocalFileTime
 0x4378fc RtlUnwind
 0x437900 HeapAlloc
 0x437904 GetStartupInfoA
 0x437908 GetCommandLineA
 0x43790c HeapFree
 0x437910 TerminateProcess
 0x437914 CreateThread
 0x437918 ExitThread
 0x43791c RaiseException
 0x437920 HeapReAlloc
 0x437924 HeapSize
 0x437928 GetACP
 0x43792c GetTimeZoneInformation
 0x437930 GetSystemTime
 0x437934 GetLocalTime
 0x437938 FatalAppExitA
 0x43793c Sleep
 0x437940 HeapDestroy
 0x437944 HeapCreate
 0x437948 VirtualFree
 0x43794c VirtualAlloc
 0x437950 WritePrivateProfileStringA
 0x437954 UnhandledExceptionFilter
 0x437958 FreeEnvironmentStringsA
 0x43795c FreeEnvironmentStringsW
 0x437960 GetEnvironmentStrings
 0x437964 GetEnvironmentStringsW
 0x437968 SetHandleCount
 0x43796c GetStdHandle
 0x437970 GetFileType
 0x437974 LCMapStringA
 0x437978 LCMapStringW
 0x43797c SetUnhandledExceptionFilter
 0x437980 GetStringTypeA
 0x437984 GetStringTypeW
 0x437988 IsBadReadPtr
 0x43798c IsBadCodePtr
 0x437990 IsValidLocale
 0x437994 IsValidCodePage
 0x437998 GetLocaleInfoA
 0x43799c EnumSystemLocalesA
 0x4379a0 GetUserDefaultLCID
 0x4379a4 GetVersionExA
 0x4379a8 SetConsoleCtrlHandler
 0x4379ac SetStdHandle
 0x4379b0 GetLocaleInfoW
 0x4379b4 CompareStringA
 0x4379b8 CompareStringW
 0x4379bc SetEnvironmentVariableA
 0x4379c0 GetPrivateProfileStringA
 0x4379c4 GetPrivateProfileIntA
 0x4379c8 GlobalFlags
 0x4379cc SetFileAttributesA
 0x4379d0 GetProfileStringA
 0x4379d4 SetFileTime
 0x4379d8 SystemTimeToFileTime
 0x4379dc LocalFileTimeToFileTime
 0x4379e0 GetFileTime
 0x4379e4 GetFileSize
 0x4379e8 GetFileAttributesA
 0x4379ec TlsGetValue
 0x4379f0 LocalReAlloc
 0x4379f4 TlsSetValue
 0x4379f8 EnterCriticalSection
 0x4379fc GlobalReAlloc
 0x437a00 LeaveCriticalSection
 0x437a04 TlsFree
 0x437a08 GlobalHandle
 0x437a0c DeleteCriticalSection
 0x437a10 TlsAlloc
 0x437a14 InitializeCriticalSection
 0x437a18 LocalAlloc
 0x437a1c GetShortPathNameA
 0x437a20 GetThreadLocale
 0x437a24 GetStringTypeExA
 0x437a28 GetFullPathNameA
 0x437a2c lstrcpynA
 0x437a30 GetVolumeInformationA
 0x437a34 FindFirstFileA
 0x437a38 FindClose
 0x437a3c DeleteFileA
 0x437a40 MoveFileA
 0x437a44 SetEndOfFile
 0x437a48 UnlockFile
 0x437a4c LockFile
 0x437a50 FlushFileBuffers
 0x437a54 SetFilePointer
 0x437a58 WriteFile
 0x437a5c ReadFile
 0x437a60 CreateFileA
 0x437a64 GetCurrentProcess
 0x437a68 DuplicateHandle
 0x437a6c GetLastError
 0x437a70 FormatMessageA
 0x437a74 LocalFree
 0x437a78 MulDiv
 0x437a7c lstrcatA
 0x437a80 GlobalGetAtomNameA
 0x437a84 GlobalAddAtomA
 0x437a88 GlobalFindAtomA
 0x437a8c lstrcpyA
 0x437a90 GetModuleHandleA
 0x437a94 GetProcAddress
 0x437a98 GlobalUnlock
 0x437a9c GlobalFree
 0x437aa0 LockResource
 0x437aa4 FindResourceA
 0x437aa8 LoadResource
 0x437aac CreateEventA
 0x437ab0 SuspendThread
 0x437ab4 SetThreadPriority
 0x437ab8 ResumeThread
 0x437abc SetEvent
 0x437ac0 WaitForSingleObject
 0x437ac4 CloseHandle
 0x437ac8 GetModuleFileNameA
 0x437acc GlobalLock
 0x437ad0 GlobalAlloc
 0x437ad4 GlobalDeleteAtom
 0x437ad8 lstrcmpA
 0x437adc WriteProcessMemory
 0x437ae0 lstrcmpiA
 0x437ae4 GetCurrentThread
 0x437ae8 GetCurrentThreadId
 0x437aec MultiByteToWideChar
 0x437af0 WideCharToMultiByte
 0x437af4 lstrlenA
 0x437af8 InterlockedDecrement
 0x437afc InterlockedIncrement
 0x437b00 SetLastError
 0x437b04 FreeLibrary
 0x437b08 GetVersion
 0x437b0c Beep
 0x437b10 LoadLibraryA
 0x437b14 ExitProcess
 0x437b18 IsBadWritePtr
USER32.dll
 0x437b38 SetScrollInfo
 0x437b3c GetScrollInfo
 0x437b40 ScrollWindow
 0x437b44 EndDeferWindowPos
 0x437b48 CopyRect
 0x437b4c BeginDeferWindowPos
 0x437b50 DeferWindowPos
 0x437b54 EqualRect
 0x437b58 ScreenToClient
 0x437b5c AdjustWindowRectEx
 0x437b60 SetFocus
 0x437b64 GetSysColor
 0x437b68 MapWindowPoints
 0x437b6c SendDlgItemMessageA
 0x437b70 UpdateWindow
 0x437b74 CheckDlgButton
 0x437b78 CheckRadioButton
 0x437b7c GetDlgItemInt
 0x437b80 GetDlgItemTextA
 0x437b84 SetDlgItemInt
 0x437b88 SetDlgItemTextA
 0x437b8c IsDlgButtonChecked
 0x437b90 ScrollWindowEx
 0x437b94 IsDialogMessageA
 0x437b98 SetWindowTextA
 0x437b9c MoveWindow
 0x437ba0 ShowWindow
 0x437ba4 wvsprintfA
 0x437ba8 LoadStringA
 0x437bac DestroyMenu
 0x437bb0 ClientToScreen
 0x437bb4 GetDC
 0x437bb8 ReleaseDC
 0x437bbc GetWindowDC
 0x437bc0 BeginPaint
 0x437bc4 EndPaint
 0x437bc8 TabbedTextOutA
 0x437bcc DrawTextA
 0x437bd0 GrayStringA
 0x437bd4 CharUpperA
 0x437bd8 LoadCursorA
 0x437bdc SetCapture
 0x437be0 ReleaseCapture
 0x437be4 GetDesktopWindow
 0x437be8 GetWindowThreadProcessId
 0x437bec WindowFromPoint
 0x437bf0 GetClassNameA
 0x437bf4 PtInRect
 0x437bf8 InsertMenuA
 0x437bfc DeleteMenu
 0x437c00 GetMenuStringA
 0x437c04 GetSysColorBrush
 0x437c08 GetDialogBaseUnits
 0x437c0c SetRectEmpty
 0x437c10 LoadAcceleratorsA
 0x437c14 TranslateAcceleratorA
 0x437c18 SetMenu
 0x437c1c ReuseDDElParam
 0x437c20 UnpackDDElParam
 0x437c24 InvalidateRect
 0x437c28 BringWindowToTop
 0x437c2c IsChild
 0x437c30 GetCapture
 0x437c34 WinHelpA
 0x437c38 GetClassInfoA
 0x437c3c RegisterClassA
 0x437c40 GetMenu
 0x437c44 GetMenuItemCount
 0x437c48 SetWindowPlacement
 0x437c4c GetWindowTextLengthA
 0x437c50 GetWindowTextA
 0x437c54 GetDlgCtrlID
 0x437c58 ShowScrollBar
 0x437c5c CreateWindowExA
 0x437c60 GetClassLongA
 0x437c64 SetPropA
 0x437c68 GetPropA
 0x437c6c CallWindowProcA
 0x437c70 RemovePropA
 0x437c74 GetMessageTime
 0x437c78 GetMessagePos
 0x437c7c GetForegroundWindow
 0x437c80 GetWindow
 0x437c84 SetWindowLongA
 0x437c88 SetWindowPos
 0x437c8c RegisterWindowMessageA
 0x437c90 OffsetRect
 0x437c94 IntersectRect
 0x437c98 SystemParametersInfoA
 0x437c9c GetWindowPlacement
 0x437ca0 GetWindowRect
 0x437ca4 EndDialog
 0x437ca8 SetActiveWindow
 0x437cac CreateDialogIndirectParamA
 0x437cb0 DestroyWindow
 0x437cb4 GetDlgItem
 0x437cb8 GetMenuCheckMarkDimensions
 0x437cbc LoadBitmapA
 0x437cc0 GetMenuState
 0x437cc4 ModifyMenuA
 0x437cc8 SetMenuItemBitmaps
 0x437ccc CheckMenuItem
 0x437cd0 EnableMenuItem
 0x437cd4 GetFocus
 0x437cd8 GetNextDlgTabItem
 0x437cdc GetMessageA
 0x437ce0 TranslateMessage
 0x437ce4 GetActiveWindow
 0x437ce8 GetKeyState
 0x437cec CallNextHookEx
 0x437cf0 ValidateRect
 0x437cf4 IsWindowVisible
 0x437cf8 SetWindowsHookExA
 0x437cfc GetParent
 0x437d00 GetLastActivePopup
 0x437d04 IsWindowEnabled
 0x437d08 GetWindowLongA
 0x437d0c MessageBoxA
 0x437d10 SetCursor
 0x437d14 ShowOwnedPopups
 0x437d18 PostQuitMessage
 0x437d1c OemToCharA
 0x437d20 CharToOemA
 0x437d24 WaitMessage
 0x437d28 PeekMessageA
 0x437d2c DispatchMessageA
 0x437d30 PostMessageA
 0x437d34 LoadMenuA
 0x437d38 GetSubMenu
 0x437d3c SetMenuDefaultItem
 0x437d40 GetCursorPos
 0x437d44 wsprintfA
 0x437d48 EnableWindow
 0x437d4c LoadIconA
 0x437d50 SendMessageA
 0x437d54 UnregisterClassA
 0x437d58 HideCaret
 0x437d5c SetForegroundWindow
 0x437d60 TrackPopupMenu
 0x437d64 GetMenuItemID
 0x437d68 IsWindow
 0x437d6c KillTimer
 0x437d70 SetTimer
 0x437d74 IsIconic
 0x437d78 GetSystemMetrics
 0x437d7c GetClientRect
 0x437d80 GetScrollRange
 0x437d84 SetScrollRange
 0x437d88 GetScrollPos
 0x437d8c SetScrollPos
 0x437d90 DefWindowProcA
 0x437d94 GetTopWindow
 0x437d98 DrawIcon
 0x437d9c GetSystemMenu
 0x437da0 ShowCaret
 0x437da4 ExcludeUpdateRgn
 0x437da8 DrawFocusRect
 0x437dac DefDlgProcA
 0x437db0 InflateRect
 0x437db4 CharNextA
 0x437db8 IsWindowUnicode
 0x437dbc AppendMenuA
 0x437dc0 UnhookWindowsHookEx
GDI32.dll
 0x4377b0 GetStockObject
 0x4377b4 SelectPalette
 0x4377b8 SetBkMode
 0x4377bc SetPolyFillMode
 0x4377c0 SetROP2
 0x4377c4 SetStretchBltMode
 0x4377c8 SetMapMode
 0x4377cc SetViewportOrgEx
 0x4377d0 OffsetViewportOrgEx
 0x4377d4 SetViewportExtEx
 0x4377d8 ScaleViewportExtEx
 0x4377dc SetWindowOrgEx
 0x4377e0 OffsetWindowOrgEx
 0x4377e4 SetWindowExtEx
 0x4377e8 ScaleWindowExtEx
 0x4377ec SelectClipRgn
 0x4377f0 ExcludeClipRect
 0x4377f4 IntersectClipRect
 0x4377f8 OffsetClipRgn
 0x4377fc MoveToEx
 0x437800 LineTo
 0x437804 SetTextAlign
 0x437808 SetTextJustification
 0x43780c SetTextCharacterExtra
 0x437810 SetMapperFlags
 0x437814 GetCurrentPositionEx
 0x437818 ArcTo
 0x43781c SetArcDirection
 0x437820 PolyDraw
 0x437824 SelectObject
 0x437828 SetColorAdjustment
 0x43782c PolyBezierTo
 0x437830 DeleteObject
 0x437834 GetClipRgn
 0x437838 CreateRectRgn
 0x43783c SelectClipPath
 0x437840 ExtSelectClipRgn
 0x437844 PlayMetaFileRecord
 0x437848 GetObjectType
 0x43784c EnumMetaFile
 0x437850 PlayMetaFile
 0x437854 GetDeviceCaps
 0x437858 GetViewportExtEx
 0x43785c GetWindowExtEx
 0x437860 CreatePen
 0x437864 ExtCreatePen
 0x437868 CreateSolidBrush
 0x43786c CreateHatchBrush
 0x437870 CreatePatternBrush
 0x437874 CreateDIBPatternBrushPt
 0x437878 PtVisible
 0x43787c RectVisible
 0x437880 TextOutA
 0x437884 ExtTextOutA
 0x437888 Escape
 0x43788c GetTextExtentPoint32A
 0x437890 GetTextMetricsA
 0x437894 CreateFontIndirectA
 0x437898 RestoreDC
 0x43789c SaveDC
 0x4378a0 StartDocA
 0x4378a4 DeleteDC
 0x4378a8 GetObjectA
 0x4378ac SetBkColor
 0x4378b0 SetTextColor
 0x4378b4 GetClipBox
 0x4378b8 GetDCOrgEx
 0x4378bc PolylineTo
 0x4378c0 CreateDIBitmap
 0x4378c4 PatBlt
 0x4378c8 GetTextExtentPointA
 0x4378cc BitBlt
 0x4378d0 CreateCompatibleDC
 0x4378d4 CreateBitmap
comdlg32.dll
 0x437e38 GetFileTitleA
WINSPOOL.DRV
 0x437dc8 DocumentPropertiesA
 0x437dcc OpenPrinterA
 0x437dd0 ClosePrinter
ADVAPI32.dll
 0x437784 RegOpenKeyExA
 0x437788 RegDeleteKeyA
 0x43778c RegDeleteValueA
 0x437790 RegSetValueExA
 0x437794 RegQueryValueExA
 0x437798 RegCreateKeyExA
 0x43779c RegOpenKeyA
 0x4377a0 RegCloseKey
SHELL32.dll
 0x437b20 DragFinish
 0x437b24 SHGetFileInfoA
 0x437b28 DragAcceptFiles
 0x437b2c Shell_NotifyIconA
 0x437b30 DragQueryFileA
COMCTL32.dll
 0x4377a8 None
WSOCK32.dll
 0x437dd8 closesocket
 0x437ddc gethostbyname
 0x437de0 recv
 0x437de4 send
 0x437de8 WSAAsyncSelect
 0x437dec inet_ntoa
 0x437df0 socket
 0x437df4 recvfrom
 0x437df8 sendto
 0x437dfc htonl
 0x437e00 getsockname
 0x437e04 getpeername
 0x437e08 ntohs
 0x437e0c inet_addr
 0x437e10 WSAGetLastError
 0x437e14 WSASetLastError
 0x437e18 WSAStartup
 0x437e1c WSACleanup
 0x437e20 htons
 0x437e24 ind
 0x437e28 ioctlsocket
 0x437e2c connect
 0x437e30 accept

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure