Report - Setup2.exe

Gen2 Gen1 Emotet UPX Malicious Library Malicious Packer ASPack PE File PE32 OS Processor Check PE64
ScreenShot
Created 2021.08.30 19:00 Machine s1_win7_x6401
Filename Setup2.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
Behavior Score
8.2
ZERO API file : malware
VT API (file) 46 detected (Upatre, malicious, high confidence, MulDrop16, GenericKD, Artemis, Unsafe, izhi, Mikey, ZexaF, 5iWaaK94sCpb, Eldorado, Attribute, HighConfidence, multiple detections, ccnc, Static AI, Malicious PE, ancr, vkaxa, ai score=86, ASMalwS, CoinMiner, Predator, O7N5IO, score, Zusy, Lhxd, Blocker, OH3Aj8L7MuI, multiple, detections, confidence, Crypmod)
md5 308da60a9996a07824a1a1ce3a994d05
sha256 1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94
ssdeep 24576:pAT8QE+krxuiBQZ0pzvtIej9zXs3a/reJkSA3ZeoI5fiq3DMR9HC+QKHHIVqPJ7A:pAI+gV22RjuK/YtLeJQ4IVqPJ7uT
imphash c9adc83b45e363b21cd6b11b5da0501f
impfuzzy 48:8cfpHQrngO0Mw+4QkOK+vreIbuTy5xHGKly1ovzX55nByIVLAHZAQcLAHFrthR9a:8cfpHagO0MJ44bvre4Vgwb3V6RYLMy
  Network IP location

Signature (21cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Disables proxy possibly for traffic interception
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info Tries to locate where the browsers are installed

Rules (15cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch ASPack_Zero ASPack packed file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://186.2.171.3/seemorebty/il.php?e=md8_8eus Unknown 186.2.171.3 clean
https://iplogger.org/ZhiS4 DE Hetzner Online GmbH 88.99.66.31 clean
iplogger.org DE Hetzner Online GmbH 88.99.66.31 mailcious
186.2.171.3 Unknown 186.2.171.3 clean
88.99.66.31 DE Hetzner Online GmbH 88.99.66.31 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x42b1cc DeleteCriticalSection
 0x42b1d0 LeaveCriticalSection
 0x42b1d4 EnterCriticalSection
 0x42b1d8 InitializeCriticalSection
 0x42b1dc VirtualFree
 0x42b1e0 VirtualAlloc
 0x42b1e4 LocalFree
 0x42b1e8 LocalAlloc
 0x42b1ec GetVersion
 0x42b1f0 GetCurrentThreadId
 0x42b1f4 WideCharToMultiByte
 0x42b1f8 GetThreadLocale
 0x42b1fc GetStartupInfoA
 0x42b200 GetLocaleInfoA
 0x42b204 GetCommandLineA
 0x42b208 FreeLibrary
 0x42b20c ExitProcess
 0x42b210 WriteFile
 0x42b214 UnhandledExceptionFilter
 0x42b218 RtlUnwind
 0x42b21c RaiseException
 0x42b220 GetStdHandle
user32.dll
 0x42b228 GetKeyboardType
 0x42b22c MessageBoxA
advapi32.dll
 0x42b234 RegQueryValueExA
 0x42b238 RegOpenKeyExA
 0x42b23c RegCloseKey
oleaut32.dll
 0x42b244 SysFreeString
 0x42b248 SysReAllocStringLen
kernel32.dll
 0x42b250 TlsSetValue
 0x42b254 TlsGetValue
 0x42b258 LocalAlloc
 0x42b25c GetModuleHandleA
advapi32.dll
 0x42b264 RegCloseKey
 0x42b268 OpenThreadToken
 0x42b26c OpenProcessToken
 0x42b270 GetTokenInformation
 0x42b274 FreeSid
 0x42b278 EqualSid
 0x42b27c AllocateAndInitializeSid
 0x42b280 AdjustTokenPrivileges
kernel32.dll
 0x42b288 WriteFile
 0x42b28c WinExec
 0x42b290 WaitForSingleObject
 0x42b294 TerminateProcess
 0x42b298 SystemTimeToFileTime
 0x42b29c Sleep
 0x42b2a0 SetFileTime
 0x42b2a4 SetFilePointer
 0x42b2a8 SetErrorMode
 0x42b2ac SetEndOfFile
 0x42b2b0 ReadFile
 0x42b2b4 OpenProcess
 0x42b2b8 MultiByteToWideChar
 0x42b2bc LocalFileTimeToFileTime
 0x42b2c0 LoadLibraryA
 0x42b2c4 GlobalFree
 0x42b2c8 GlobalAlloc
 0x42b2cc GetVersion
 0x42b2d0 GetUserDefaultLangID
 0x42b2d4 GetProcAddress
 0x42b2d8 GetModuleHandleA
 0x42b2dc GetLocalTime
 0x42b2e0 GetLastError
 0x42b2e4 GetFileTime
 0x42b2e8 GetFileSize
 0x42b2ec GetExitCodeProcess
 0x42b2f0 GetCurrentThread
 0x42b2f4 GetCurrentProcess
 0x42b2f8 FreeLibrary
 0x42b2fc FindClose
 0x42b300 FileTimeToSystemTime
 0x42b304 FileTimeToLocalFileTime
 0x42b308 DosDateTimeToFileTime
 0x42b30c CompareFileTime
 0x42b310 CloseHandle
gdi32.dll
 0x42b318 StretchDIBits
 0x42b31c StretchBlt
 0x42b320 SetWindowOrgEx
 0x42b324 SetTextColor
 0x42b328 SetStretchBltMode
 0x42b32c SetRectRgn
 0x42b330 SetROP2
 0x42b334 SetPixel
 0x42b338 SetDIBits
 0x42b33c SetBrushOrgEx
 0x42b340 SetBkMode
 0x42b344 SetBkColor
 0x42b348 SelectObject
 0x42b34c SaveDC
 0x42b350 RestoreDC
 0x42b354 OffsetRgn
 0x42b358 MoveToEx
 0x42b35c IntersectClipRect
 0x42b360 GetStockObject
 0x42b364 GetPixel
 0x42b368 GetDIBits
 0x42b36c ExtSelectClipRgn
 0x42b370 ExcludeClipRect
 0x42b374 DeleteObject
 0x42b378 DeleteDC
 0x42b37c CreateSolidBrush
 0x42b380 CreateRectRgn
 0x42b384 CreateDIBitmap
 0x42b388 CreateDIBSection
 0x42b38c CreateCompatibleDC
 0x42b390 CreateCompatibleBitmap
 0x42b394 CreateBrushIndirect
 0x42b398 CreateBitmap
 0x42b39c CombineRgn
 0x42b3a0 BitBlt
user32.dll
 0x42b3a8 WaitMessage
 0x42b3ac ValidateRect
 0x42b3b0 TranslateMessage
 0x42b3b4 ShowWindow
 0x42b3b8 SetWindowPos
 0x42b3bc SetTimer
 0x42b3c0 SetParent
 0x42b3c4 SetForegroundWindow
 0x42b3c8 SetFocus
 0x42b3cc SetCursor
 0x42b3d0 SendMessageA
 0x42b3d4 ScreenToClient
 0x42b3d8 ReleaseDC
 0x42b3dc PostQuitMessage
 0x42b3e0 OffsetRect
 0x42b3e4 KillTimer
 0x42b3e8 IsZoomed
 0x42b3ec IsWindowVisible
 0x42b3f0 IsWindowEnabled
 0x42b3f4 IsWindow
 0x42b3f8 IsIconic
 0x42b3fc InvalidateRect
 0x42b400 GetWindowRgn
 0x42b404 GetWindowRect
 0x42b408 GetWindowDC
 0x42b40c GetUpdateRgn
 0x42b410 GetSystemMetrics
 0x42b414 GetSystemMenu
 0x42b418 GetSysColor
 0x42b41c GetParent
 0x42b420 GetWindow
 0x42b424 GetKeyState
 0x42b428 GetFocus
 0x42b42c GetDCEx
 0x42b430 GetDC
 0x42b434 GetCursorPos
 0x42b438 GetClientRect
 0x42b43c GetCapture
 0x42b440 FillRect
 0x42b444 ExitWindowsEx
 0x42b448 EnumWindows
 0x42b44c EndPaint
 0x42b450 EnableWindow
 0x42b454 EnableMenuItem
 0x42b458 DrawIcon
 0x42b45c DestroyWindow
 0x42b460 DestroyIcon
 0x42b464 DeleteMenu
 0x42b468 CopyImage
 0x42b46c ClientToScreen
 0x42b470 BeginPaint
 0x42b474 CharLowerBuffA
winmm.dll
 0x42b47c timeKillEvent
 0x42b480 timeSetEvent
oleaut32.dll
 0x42b488 SysAllocStringLen
ole32.dll
 0x42b490 OleInitialize
comctl32.dll
 0x42b498 ImageList_Draw
 0x42b49c ImageList_SetBkColor
 0x42b4a0 ImageList_Create
 0x42b4a4 InitCommonControls
shell32.dll
 0x42b4ac SHGetFileInfoA
user32.dll
 0x42b4b4 wvsprintfA
 0x42b4b8 SetWindowLongA
 0x42b4bc SetPropA
 0x42b4c0 SendMessageA
 0x42b4c4 RemovePropA
 0x42b4c8 RegisterClassA
 0x42b4cc PostMessageA
 0x42b4d0 PeekMessageA
 0x42b4d4 MessageBoxA
 0x42b4d8 LoadIconA
 0x42b4dc LoadCursorA
 0x42b4e0 GetWindowTextLengthA
 0x42b4e4 GetWindowTextA
 0x42b4e8 GetWindowLongA
 0x42b4ec GetPropA
 0x42b4f0 GetClassLongA
 0x42b4f4 GetClassInfoA
 0x42b4f8 FindWindowA
 0x42b4fc DrawTextA
 0x42b500 DispatchMessageA
 0x42b504 DefWindowProcA
 0x42b508 CreateWindowExA
 0x42b50c CallWindowProcA
gdi32.dll
 0x42b514 GetTextExtentPoint32A
 0x42b518 GetObjectA
 0x42b51c CreateFontIndirectA
 0x42b520 AddFontResourceA
kernel32.dll
 0x42b528 WritePrivateProfileStringA
 0x42b52c SetFileAttributesA
 0x42b530 SetCurrentDirectoryA
 0x42b534 RemoveDirectoryA
 0x42b538 LoadLibraryA
 0x42b53c GetWindowsDirectoryA
 0x42b540 GetVersionExA
 0x42b544 GetTimeFormatA
 0x42b548 GetTempPathA
 0x42b54c GetSystemDirectoryA
 0x42b550 GetShortPathNameA
 0x42b554 GetPrivateProfileStringA
 0x42b558 GetModuleHandleA
 0x42b55c GetModuleFileNameA
 0x42b560 GetFullPathNameA
 0x42b564 GetFileAttributesA
 0x42b568 GetDiskFreeSpaceA
 0x42b56c GetDateFormatA
 0x42b570 GetComputerNameA
 0x42b574 GetCommandLineA
 0x42b578 FindNextFileA
 0x42b57c FindFirstFileA
 0x42b580 ExpandEnvironmentStringsA
 0x42b584 DeleteFileA
 0x42b588 CreateFileA
 0x42b58c CreateDirectoryA
 0x42b590 CompareStringA
advapi32.dll
 0x42b598 RegSetValueExA
 0x42b59c RegQueryValueExA
 0x42b5a0 RegQueryInfoKeyA
 0x42b5a4 RegOpenKeyExA
 0x42b5a8 RegEnumKeyExA
 0x42b5ac RegCreateKeyExA
 0x42b5b0 LookupPrivilegeValueA
 0x42b5b4 GetUserNameA
shell32.dll
 0x42b5bc ShellExecuteExA
 0x42b5c0 ShellExecuteA
cabinet.dll
 0x42b5c8 FDIDestroy
 0x42b5cc FDICopy
 0x42b5d0 FDICreate
ole32.dll
 0x42b5d8 OleInitialize
 0x42b5dc CoTaskMemFree
 0x42b5e0 CoCreateInstance
 0x42b5e4 CoUninitialize
 0x42b5e8 CoInitialize
shell32.dll
 0x42b5f0 SHGetSpecialFolderLocation
 0x42b5f4 SHGetPathFromIDListA
 0x42b5f8 SHGetMalloc
 0x42b5fc SHChangeNotify
 0x42b600 SHBrowseForFolderA

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure