Report - Zenare.exe

Tags: Emotet, Generic Malware, Malicious Library, PE File, PE32, GIF Format
Created: 2021.09.04 15:18
Machine: s1_win7_x6402
Filename: Zenare.exe
Type: PE32 executable (console) Intel 80386, for MS Windows
AI Score: 3
Behavior Score: 5.6
ZERO API (file): clean
VT API (file): 10 detected (Unsafe, ZexaE, @F1@a0VcOXpi, Malicious, Miner, ccmw, Sabsik, score)
md5 d43db563bc6efb1c6cbb86f4d21349d9
sha256 be9e07dff4dd0d93825aadbda9174e107bc3de3223e4e8be6c15bef71dc92701
ssdeep 98304:IWeHPHev2chbU02i5V5gm2hVgB0ezO94ngxY/xxL29Kcu44aoww2TpMKEvc:IP+v9b28V5gjCBXs4nYYZxaKcu42Hc
imphash f7002f113348cb31269a1ba68c8dea11
impfuzzy 12:Bt5q/9T7Srm7H8vQfP9qZGoQtXJxZGb9AJcDfA5kLfP9m:rEFvSrmLMQaQtXJHc9NDI5Q8
Signatures (14)

Level Description
watch File has been identified by 10 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
notice A process attempted to delay the analysis task
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
info Command line console output was observed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (6)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info Lnk_Format_Zero LNK Format binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6)

Request CC ASN Company IP4 Rule ZERO
http://iplogger.org/1mxPf7 DE Hetzner Online GmbH 88.99.66.31 clean
https://iplogger.org/1mxPf7 DE Hetzner Online GmbH 88.99.66.31 clean
bitbucket.org US ATLASSIAN PTY LTD 104.192.141.1 malware
iplogger.org DE Hetzner Online GmbH 88.99.66.31 malicious
88.99.66.31 DE Hetzner Online GmbH 88.99.66.31 malicious
104.192.141.1 US ATLASSIAN PTY LTD 104.192.141.1 malicious

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0xb58000 SizeofResource
USER32.dll
 0xb58008 ShowWindow
SHELL32.dll
 0xb58010 ShellExecuteW
ole32.dll
 0xb58018 CoInitializeEx
WININET.dll
 0xb58020 HttpOpenRequestW
urlmon.dll
 0xb58028 URLDownloadToFileW
crypt.dll
 0xb58030 BCryptDeriveKeyPBKDF2
ADVAPI32.dll
 0xb58038 GetSecurityInfo
WTSAPI32.dll
 0xb58040 WTSSendMessageW
KERNEL32.dll
 0xb58048 VirtualQuery
USER32.dll
 0xb58050 GetUserObjectInformationW
KERNEL32.dll
 0xb58058 LocalAlloc
 0xb5805c LocalFree
 0xb58060 GetModuleFileNameW
 0xb58064 GetProcessAffinityMask
 0xb58068 SetProcessAffinityMask
 0xb5806c SetThreadAffinityMask
 0xb58070 Sleep
 0xb58074 ExitProcess
 0xb58078 FreeLibrary
 0xb5807c LoadLibraryA
 0xb58080 GetModuleHandleA
 0xb58084 GetProcAddress
USER32.dll
 0xb5808c GetProcessWindowStation
 0xb58090 GetUserObjectInformationW

EAT (Export Address Table): none

Similarity measure (PE file only): checking for service failure