Report - 3cc0e0be954dc849581f9ff1817647de.exe

Tags: Gen2, Gen1, Generic Malware, Malicious Library, PE File, OS Processor Check, PE32, DLL
Created 2021.09.07 12:21 Machine s1_win7_x6402
Filename 3cc0e0be954dc849581f9ff1817647de.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 4
Behavior Score 8.4
ZERO API (file): clean
VT API (file): 51 detected (malicious, high confidence, Inject4, GenericKD, Unsafe, Kryptik, confidence, 100%, VJVU, HLQQ, Zusy, ixgvgd, MalwareX, Malware@#2fm7k45x1wj9i, R002C0PH221, GenericRXPL, jqeqy, ai score=88, ASMalwS, kcloud, Multiverze, 13QHYFZ, score, R431137, Gencirc, PossibleThreat, Genetic)
md5 adfe31c40569ca5b0b403f0ba3f7b24c
sha256 68d1b6dbfc303f1949267ce03ac2164ee9cda951231e72e6a5e39a44764ebbf2
ssdeep 12288:CcXe9SLN+NH0khUZY+vcvw1jG8QYewwB9gL1xBliJZcaFh:CcO2Q2ZYuSoel9gLHBlyZcaj
imphash 385b4c734448931d8105f2b8af2a40a5
impfuzzy 24:mDYNCu9eVHOovu4fg7JHniv8ERRv6uk6fcVneJy+KoTPwxQ1EQm:euh449W/fcVneJy+KX5r

Signatures (19)

Level Description
danger File has been identified by 51 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
warning Uses WMI to create a new process
watch Creates or sets a registry key to a long series of bytes
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid)
info Queries for the computername
info The executable uses a known packer

Rules (13)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (12)

Request CC ASN/Co IP4 Rule ZERO
http://ip-api.com/json/?fields=8198 US TUT-AS 208.95.112.1 clean
http://crl.identrust.com/DSTROOTCAX3CRL.crl US Akamai International B.V. 23.67.53.58 clean
https://a.upstloans.net/report7.4.php US CLOUDFLARENET 172.67.179.248 4649 malicious
a.upstloans.net US CLOUDFLARENET 172.67.179.248 malicious
ip-api.com US TUT-AS 208.95.112.1 clean
b.upstloans.net US CLOUDFLARENET 104.21.31.210 malicious
google.vrthcobj.com US GOOGLE 34.97.69.225 malicious
crl.identrust.com US Akamai International B.V. 23.67.53.11 clean
172.67.179.248 US CLOUDFLARENET 172.67.179.248 malicious
34.97.69.225 US GOOGLE 34.97.69.225 malicious
121.254.136.27 KR LG DACOM Corporation 121.254.136.27 clean
208.95.112.1 US TUT-AS 208.95.112.1 clean

PE API

IAT (Import Address Table)

KERNEL32.dll
 0x407000 GetProcAddress
 0x407004 lstrlenW
 0x407008 InterlockedDecrement
 0x40700c LoadLibraryA
 0x407010 GetEnvironmentVariableW
 0x407014 InterlockedIncrement
 0x407018 GetStringTypeW
 0x40701c GetStringTypeA
 0x407020 LocalFree
 0x407024 RtlUnwind
 0x407028 GetCommandLineA
 0x40702c GetVersion
 0x407030 ExitProcess
 0x407034 RaiseException
 0x407038 HeapFree
 0x40703c HeapAlloc
 0x407040 GetCurrentThreadId
 0x407044 TlsSetValue
 0x407048 TlsAlloc
 0x40704c SetLastError
 0x407050 TlsGetValue
 0x407054 GetLastError
 0x407058 TerminateProcess
 0x40705c GetCurrentProcess
 0x407060 UnhandledExceptionFilter
 0x407064 GetModuleFileNameA
 0x407068 FreeEnvironmentStringsA
 0x40706c FreeEnvironmentStringsW
 0x407070 WideCharToMultiByte
 0x407074 GetEnvironmentStrings
 0x407078 GetEnvironmentStringsW
 0x40707c SetHandleCount
 0x407080 GetStdHandle
 0x407084 GetFileType
 0x407088 GetStartupInfoA
 0x40708c GetModuleHandleA
 0x407090 GetEnvironmentVariableA
 0x407094 GetVersionExA
 0x407098 HeapDestroy
 0x40709c HeapCreate
 0x4070a0 VirtualFree
 0x4070a4 WriteFile
 0x4070a8 InitializeCriticalSection
 0x4070ac EnterCriticalSection
 0x4070b0 LeaveCriticalSection
 0x4070b4 SetUnhandledExceptionFilter
 0x4070b8 VirtualAlloc
 0x4070bc HeapReAlloc
 0x4070c0 IsBadWritePtr
 0x4070c4 IsBadReadPtr
 0x4070c8 IsBadCodePtr
 0x4070cc GetCPInfo
 0x4070d0 GetACP
 0x4070d4 GetOEMCP
 0x4070d8 MultiByteToWideChar
 0x4070dc LCMapStringA
 0x4070e0 LCMapStringW
USER32.dll
 0x407100 wsprintfW
ole32.dll
 0x407108 CoSetProxyBlanket
 0x40710c CoInitializeSecurity
 0x407110 CoInitialize
 0x407114 CoCreateInstance
 0x407118 CoUninitialize
OLEAUT32.dll
 0x4070e8 SysStringLen
 0x4070ec SysAllocStringLen
 0x4070f0 SysAllocString
 0x4070f4 VariantClear
 0x4070f8 SysFreeString

EAT (Export Address Table): none