Report - taos.exe

Tags: Generic Malware, Malicious Library, AntiDebug, AntiVM, PE File, PE32, JPEG Format
Created 2021.09.05 08:57 Machine s1_win7_x6401
Filename taos.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 3
Behavior Score 9.2
ZERO API file : clean
VT API (file) 24 detected (malicious, high confidence, GenericKD, Unsafe, GenKryptik, confidence, 100%, FJRR, Dygn, ai score=86, Hynamer, BScope, Hlux, ZexaF, xy3@aOORzIoi)
md5 1d11bcec0aff60ec16a81131e2a4d7c3
sha256 63cfd63d995ec04f7c337708ff20ce4e2e118ab32e92395f1a815847bd2c01e2
ssdeep 6144:PfXs0/QQPDE+49V1NAW42dX7PkKssJB152+c858D6SKz8ynq+C:PfXsRQPDE+49V1NAWjX7kKs85cByzDi
imphash 6adf574b9ef4a41b64423f252b6a504d
impfuzzy 48:bxsrXUcY1yEr6Fp6tKEIyDvrQUaKzZll/4zpNJhOeRp2RSv6U01xEIli/kHy1Q04:bxsrEcY1PtSnrx79D7RKiKJ9c1y0yKSN

Signature (21cnts)

Level Description
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process attempted to delay the analysis task
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process rgbux.exe
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Command line console output was observed
info Queries for the computername

Rules (16cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (5cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.215.113.20/gb9fskvS/index.php Unknown 185.215.113.20 4230 malicious
http://138.197.134.11/santa.clo CA DIGITALOCEAN-ASN 138.197.134.11 clean
http://185.215.113.20/gb9fskvS/index.php?scr=1 Unknown 185.215.113.20 4230 malicious
138.197.134.11 CA DIGITALOCEAN-ASN 138.197.134.11 clean
185.215.113.20 Unknown 185.215.113.20 malicious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x40c1e4 QueryPerformanceCounter
 0x40c1e8 QueryPerformanceFrequency
 0x40c1ec HeapCreate
 0x40c1f0 GetProcessHeap
 0x40c1f4 InitializeCriticalSection
 0x40c1f8 SetFilePointerEx
 0x40c1fc SetFilePointer
 0x40c200 LockFile
 0x40c204 GetLogicalDrives
 0x40c208 GetFileSizeEx
 0x40c20c GetFileSize
 0x40c210 GetFileInformationByHandle
 0x40c214 CreateFileW
 0x40c218 GetCommandLineW
 0x40c21c EnterCriticalSection
 0x40c220 LeaveCriticalSection
 0x40c224 SetEvent
 0x40c228 ResetEvent
 0x40c22c CreateMutexW
 0x40c230 CreateEventW
 0x40c234 GetCurrentProcess
 0x40c238 GetCurrentProcessId
 0x40c23c GetCurrentThreadId
 0x40c240 GetSystemInfo
 0x40c244 GetVersion
 0x40c248 GetVersionExW
 0x40c24c CreateTimerQueue
 0x40c250 GetModuleHandleA
 0x40c254 DeleteAtom
 0x40c258 AddAtomW
 0x40c25c UnlockFile
USER32.dll
 0x40c264 CreatePopupMenu
 0x40c268 GetSystemMenu
 0x40c26c GetMenu
 0x40c270 GetSystemMetrics
 0x40c274 TranslateAcceleratorA
 0x40c278 DestroyAcceleratorTable
 0x40c27c LoadAcceleratorsA
 0x40c280 EnableWindow
 0x40c284 KillTimer
 0x40c288 SetTimer
 0x40c28c GetActiveWindow
 0x40c290 SetFocus
 0x40c294 CharLowerBuffA
 0x40c298 CharUpperA
 0x40c29c EmptyClipboard
 0x40c2a0 EnumClipboardFormats
 0x40c2a4 GetClipboardData
 0x40c2a8 SetClipboardData
 0x40c2ac CloseClipboard
 0x40c2b0 OpenClipboard
 0x40c2b4 DefDlgProcA
 0x40c2b8 SendDlgItemMessageA
 0x40c2bc IsDlgButtonChecked
 0x40c2c0 CheckRadioButton
 0x40c2c4 CheckDlgButton
 0x40c2c8 CheckMenuItem
 0x40c2cc SetDlgItemTextA
 0x40c2d0 SetDlgItemInt
 0x40c2d4 GetDlgItem
 0x40c2d8 EndDialog
 0x40c2dc DialogBoxParamA
 0x40c2e0 CreateDialogParamA
 0x40c2e4 SetWindowPlacement
 0x40c2e8 GetWindowPlacement
 0x40c2ec SetWindowPos
 0x40c2f0 MoveWindow
 0x40c2f4 DestroyWindow
 0x40c2f8 IsMenu
 0x40c2fc IsWindow
 0x40c300 GetClassInfoA
 0x40c304 UnregisterClassA
 0x40c308 RegisterClassA
 0x40c30c CallWindowProcA
 0x40c310 PostQuitMessage
 0x40c314 PostMessageA
 0x40c318 SendMessageA
 0x40c31c DispatchMessageA
 0x40c320 TranslateMessage
 0x40c324 GetMessageA
 0x40c328 wsprintfA
 0x40c32c wvsprintfA
 0x40c330 DestroyMenu
 0x40c334 EnableMenuItem
 0x40c338 GetSubMenu
 0x40c33c AppendMenuA
 0x40c340 RemoveMenu
 0x40c344 TrackPopupMenu
 0x40c348 InsertMenuItemA
 0x40c34c SetMenuItemInfoA
 0x40c350 SetActiveWindow
 0x40c354 InvalidateRect
 0x40c358 RedrawWindow
 0x40c35c SetWindowTextA
 0x40c360 GetWindowTextA
 0x40c364 GetClientRect
 0x40c368 GetWindowRect
 0x40c36c MessageBoxA
 0x40c370 SetCursor
 0x40c374 GetCursorPos
 0x40c378 ClientToScreen
 0x40c37c ChildWindowFromPoint
 0x40c380 GetSysColor
 0x40c384 GetSysColorBrush
 0x40c388 GetWindowLongA
 0x40c38c SetWindowLongA
 0x40c390 FindWindowA
 0x40c394 CheckMenuRadioItem
 0x40c398 LoadCursorA
 0x40c39c DestroyCursor
 0x40c3a0 LoadIconA
 0x40c3a4 DestroyIcon
 0x40c3a8 IsDialogMessageA
 0x40c3ac GetDlgItemTextA
GDI32.dll
 0x40c03c GdiGetBatchLimit
 0x40c040 GdiSetBatchLimit
 0x40c044 GdiFlush
 0x40c048 UnrealizeObject
 0x40c04c GetKerningPairsW
 0x40c050 GetTextFaceW
 0x40c054 SetBrushOrgEx
 0x40c058 SetViewportOrgEx
 0x40c05c PolylineTo
 0x40c060 PolyBezierTo
 0x40c064 PolyBezier
 0x40c068 Polyline
 0x40c06c Polygon
 0x40c070 LPtoDP
 0x40c074 DPtoLP
 0x40c078 ExtTextOutW
 0x40c07c TextOutW
 0x40c080 GetObjectW
 0x40c084 GetObjectA
 0x40c088 GetArcDirection
 0x40c08c WidenPath
 0x40c090 StrokePath
 0x40c094 SetArcDirection
 0x40c098 PathToRegion
 0x40c09c GetPath
 0x40c0a0 FlattenPath
 0x40c0a4 ArcTo
 0x40c0a8 SetDIBColorTable
 0x40c0ac GetDIBColorTable
 0x40c0b0 SetWorldTransform
 0x40c0b4 GetTextMetricsW
 0x40c0b8 GdiComment
 0x40c0bc PlayEnhMetaFileRecord
 0x40c0c0 GetWinMetaFileBits
 0x40c0c4 GetEnhMetaFilePaletteEntries
 0x40c0c8 GetEnhMetaFileW
 0x40c0cc UpdateColors
 0x40c0d0 SetTextJustification
 0x40c0d4 SetTextAlign
 0x40c0d8 SetTextColor
 0x40c0dc SetStretchBltMode
 0x40c0e0 SetPolyFillMode
 0x40c0e4 SetPixelV
 0x40c0e8 SetPixel
 0x40c0ec GetLayout
 0x40c0f0 SetGraphicsMode
 0x40c0f4 SetMapperFlags
 0x40c0f8 SetDIBitsToDevice
 0x40c0fc SetBoundsRect
 0x40c100 SetBkMode
 0x40c104 SetBkColor
 0x40c108 SelectPalette
 0x40c10c SelectObject
 0x40c110 ExtSelectClipRgn
 0x40c114 SelectClipRgn
 0x40c118 ResizePalette
 0x40c11c RoundRect
 0x40c120 RestoreDC
 0x40c124 Rectangle
 0x40c128 RectInRegion
 0x40c12c PtVisible
 0x40c130 OffsetClipRgn
 0x40c134 PlgBlt
 0x40c138 MaskBlt
 0x40c13c LineTo
 0x40c140 IntersectClipRect
 0x40c144 GetWindowExtEx
 0x40c148 GetViewportOrgEx
 0x40c14c GetViewportExtEx
 0x40c150 RemoveFontMemResourceEx
 0x40c154 GetGlyphIndicesW
 0x40c158 GetFontUnicodeRanges
 0x40c15c GetCharacterPlacementW
 0x40c160 GetTextColor
 0x40c164 GetSystemPaletteEntries
 0x40c168 GetStretchBltMode
 0x40c16c GetStockObject
 0x40c170 GetRandomRgn
 0x40c174 GetRasterizerCaps
 0x40c178 GetPolyFillMode
 0x40c17c GetObjectType
 0x40c180 GetNearestPaletteIndex
 0x40c184 GetNearestColor
 0x40c188 GetMetaFileBitsEx
 0x40c18c GetMapMode
 0x40c190 GetGlyphOutlineW
 0x40c194 GetDeviceCaps
 0x40c198 GetMetaRgn
 0x40c19c GetClipBox
 0x40c1a0 GetCharABCWidthsW
 0x40c1a4 GetBitmapBits
 0x40c1a8 GetBkMode
 0x40c1ac GetDCPenColor
 0x40c1b0 GetDCBrushColor
 0x40c1b4 GetBkColor
 0x40c1b8 GetAspectRatioFilterEx
 0x40c1bc GetROP2
 0x40c1c0 FrameRgn
 0x40c1c4 EqualRgn
 0x40c1c8 EnumObjects
 0x40c1cc EnumFontFamiliesW
 0x40c1d0 CancelDC
 0x40c1d4 Chord
 0x40c1d8 CreateFontIndirectA
 0x40c1dc DeleteObject
WINSPOOL.DRV
 0x40c3b4 FindClosePrinterChangeNotification
 0x40c3b8 FindNextPrinterChangeNotification
 0x40c3bc FindFirstPrinterChangeNotification
 0x40c3c0 ScheduleJob
 0x40c3c4 ReadPrinter
 0x40c3c8 AbortPrinter
 0x40c3cc WritePrinter
COMDLG32.dll
 0x40c030 GetSaveFileNameA
 0x40c034 GetOpenFileNameA
ADVAPI32.dll
 0x40c000 GetUserNameA
 0x40c004 RegSetValueA
 0x40c008 RegQueryValueExA
 0x40c00c RegOpenKeyExA
 0x40c010 RegDeleteKeyA
 0x40c014 RegCreateKeyA
 0x40c018 RegCloseKey
 0x40c01c AdjustTokenPrivileges
 0x40c020 LookupPrivilegeValueA
 0x40c024 DecryptFileW
 0x40c028 OpenProcessToken

EAT(Export Address Table) is none