popup

Report - r33.exe

Worm Phorpiex Malicious Packer Malicious Library PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.11 15:09 Machine s1_win7_x6402
Filename r33.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
13
 Behavior Score
9.8
ZERO API file : malware
VT API (file) 41 detected (AIDetect, malware1, malicious, high confidence, score, Save, confidence, 100%, Attribute, HighConfidence, Phorpiex, KadrBot, CLASSIC, biwgu, kcloud, Phonzy, BScope, Hynamer, ai score=81, Unsafe, Static AI, Malicious PE, GdSda, susgen)
md5 b53466259125d66deb6ef9d787fa1b13
sha256 5fae9e2f6fc2e95b5f6be3c8c0d3a76cebf18a2526913d21c67bb98be35f8247
ssdeep 1536:pzQjJuw3c6hqh1kJaJrNKx5tzzevaCpzqFFzWcXdqu7mOYhngYFD:hQduF60Q0X036aCBqXcY6tgYFD
imphash d617e8618688e76a02c9e4d9a14e5afd
impfuzzy 96:nCN7TwTsu2YJMvtwN9X1Nqm6OwudkcRMx6Fk3CDtKxFk+:0Tt1a9F6uIx6Fk3CDQLL
  Network IP location

Signature (17cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Disables Windows Security features
warning Generates some ICMP traffic
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Modifies security center warnings
notice A process attempted to delay the analysis task.
notice An executable file was downloaded by the process r33.exe
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info Checks if process is being debugged by a debugger

Rules (9cnts)

Level Name Description Collection
danger Win_Worm_Phorpiex a worm which spreads via removable drives and network drives. binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (37cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://185.215.113.84/twzt.exe
whois
Unknown 185.215.113.84 clean
api.wipmania.com
whois
Unknown 127.0.0.1 clean
www.update.microsoft.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 52.137.90.34 clean
39.45.148.120
whois
PK Pakistan Telecom Company Limited 39.45.148.120 clean
89.236.216.4
whois
UZ East Telecom 89.236.216.4 clean
62.209.132.199
whois
UZ LLC texnoprosistem 62.209.132.199 clean
109.110.169.72
whois
IR Shabdiz Telecom Network PJSC 109.110.169.72 clean
2.135.238.38
whois
KZ JSC Kazakhtelecom 2.135.238.38 clean
5.236.196.254
whois
IR Iran Telecommunication Company PJS 5.236.196.254 clean
87.202.76.185
whois
GR OTEnet S.A. 87.202.76.185 clean
185.215.113.66
whois
Unknown 185.215.113.66 malware
91.98.216.220
whois
IR Pars Online PJS 91.98.216.220 clean
213.230.73.39
whois
UZ Uzbektelekom Joint Stock Company 213.230.73.39 clean
39.60.41.243
whois
PK Pakistan Telecom Company Limited 39.60.41.243 clean
42.248.182.132
whois
CN Chinanet 42.248.182.132 clean
185.215.113.84
whois
Unknown 185.215.113.84 malware
80.80.223.226
whois
UZ LLC texnoprosistem 80.80.223.226 clean
109.74.46.59
whois
YE Public Telecommunication Corporation 109.74.46.59 clean
217.219.230.200
whois
IR Iran Telecommunication Company PJS 217.219.230.200 clean
195.181.24.186
whois
IR Information Technology Company (ITC) 195.181.24.186 clean
52.185.71.28
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 52.185.71.28 clean
42.248.182.220
whois
CN Chinanet 42.248.182.220 clean
109.200.175.189
whois
YE Public Telecommunication Corporation 109.200.175.189 clean
188.158.96.194
whois
IR Parvaresh Dadeha Co. Private Joint Stock 188.158.96.194 clean
93.117.42.214
whois
IR Iran Telecommunication Company PJS 93.117.42.214 clean
128.65.179.120
whois
IR Asiatech Data Transmission company 128.65.179.120 clean
42.248.183.170
whois
CN Chinanet 42.248.183.170 clean
5.227.212.94
whois
RU MTS PJSC 5.227.212.94 clean
154.41.3.119
whois
UA TOV Lekol 154.41.3.119 clean
91.92.189.39
whois
IR Information Technology Company (ITC) 91.92.189.39 clean
78.38.107.89
whois
IR Iran Telecommunication Company PJS 78.38.107.89 clean
42.248.183.34
whois
CN Chinanet 42.248.183.34 clean
109.238.179.30
whois
IR khalij fars Ettela Resan Company J.S. 109.238.179.30 clean
45.157.102.112
whois
IR Bunea TELECOM SRL 45.157.102.112 clean
5.232.240.174
whois
IR Iran Telecommunication Company PJS 5.232.240.174 clean
176.210.80.7
whois
RU Rostelecom 176.210.80.7 clean
151.232.108.62
whois
IR Iran Telecommunication Company PJS 151.232.108.62 clean

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

PE API

IAT(Import Address Table) Library

WS2_32.dll
 0x40d1fc recvfrom
 0x40d200 setsockopt
 0x40d204 sendto
 0x40d208 ind
 0x40d20c ioctlsocket
 0x40d210 WSAStartup
 0x40d214 recv
 0x40d218 send
 0x40d21c WSACloseEvent
 0x40d220 WSARecv
 0x40d224 WSASend
 0x40d228 gethostname
 0x40d22c connect
 0x40d230 inet_ntoa
 0x40d234 inet_addr
 0x40d238 htons
 0x40d23c getsockname
 0x40d240 shutdown
 0x40d244 socket
 0x40d248 closesocket
 0x40d24c gethostbyname
 0x40d250 WSAGetLastError
 0x40d254 WSAEnumNetworkEvents
 0x40d258 WSASocketA
 0x40d25c listen
 0x40d260 WSAWaitForMultipleEvents
 0x40d264 getpeername
 0x40d268 accept
 0x40d26c WSAEventSelect
 0x40d270 WSAGetOverlappedResult
 0x40d274 WSACreateEvent
SHLWAPI.dll
 0x40d154 PathFileExistsW
 0x40d158 StrCmpNW
 0x40d15c PathMatchSpecW
 0x40d160 StrCpyNW
 0x40d164 PathFindFileNameW
 0x40d168 StrStrIA
 0x40d16c StrChrA
 0x40d170 StrCmpNIA
 0x40d174 StrStrW
WININET.dll
 0x40d1d0 InternetReadFile
 0x40d1d4 InternetOpenUrlW
 0x40d1d8 InternetOpenW
 0x40d1dc InternetCloseHandle
 0x40d1e0 InternetOpenA
 0x40d1e4 HttpSendRequestA
 0x40d1e8 HttpAddRequestHeadersA
 0x40d1ec HttpOpenRequestA
 0x40d1f0 InternetConnectA
 0x40d1f4 InternetCrackUrlA
ntdll.dll
 0x40d28c memset
 0x40d290 memcpy
 0x40d294 _chkstk
 0x40d298 RtlUnwind
 0x40d29c RtlTimeToSecondsSince1980
 0x40d2a0 mbstowcs
 0x40d2a4 NtQueryVirtualMemory
 0x40d2a8 NtQuerySystemTime
 0x40d2ac memmove
 0x40d2b0 strstr
 0x40d2b4 isdigit
 0x40d2b8 isalpha
msvcrt.dll
 0x40d27c rand
 0x40d280 srand
 0x40d284 _vscprintf
KERNEL32.dll
 0x40d028 ExitProcess
 0x40d02c CreateProcessW
 0x40d030 DeleteCriticalSection
 0x40d034 GetThreadPriority
 0x40d038 SetThreadPriority
 0x40d03c GetCurrentThread
 0x40d040 InterlockedExchangeAdd
 0x40d044 InterlockedIncrement
 0x40d048 InterlockedExchange
 0x40d04c WaitForSingleObject
 0x40d050 InterlockedDecrement
 0x40d054 GetCurrentProcessId
 0x40d058 HeapSetInformation
 0x40d05c GetProcessHeaps
 0x40d060 HeapValidate
 0x40d064 HeapCreate
 0x40d068 HeapFree
 0x40d06c HeapAlloc
 0x40d070 HeapReAlloc
 0x40d074 ExpandEnvironmentStringsW
 0x40d078 CreateThread
 0x40d07c CreateMutexA
 0x40d080 GetLastError
 0x40d084 CreateEventA
 0x40d088 GetVolumeInformationW
 0x40d08c SetFileAttributesW
 0x40d090 GetSystemInfo
 0x40d094 PostQueuedCompletionStatus
 0x40d098 GetQueuedCompletionStatus
 0x40d09c CreateIoCompletionPort
 0x40d0a0 SetEvent
 0x40d0a4 lstrcpyW
 0x40d0a8 DeleteFileW
 0x40d0ac GetDiskFreeSpaceExW
 0x40d0b0 FindNextFileW
 0x40d0b4 lstrcmpiW
 0x40d0b8 QueryDosDeviceW
 0x40d0bc RemoveDirectoryW
 0x40d0c0 FindClose
 0x40d0c4 lstrlenA
 0x40d0c8 GlobalLock
 0x40d0cc GetModuleHandleW
 0x40d0d0 GetTickCount
 0x40d0d4 GlobalAlloc
 0x40d0d8 Sleep
 0x40d0dc lstrcpynW
 0x40d0e0 ExitThread
 0x40d0e4 MultiByteToWideChar
 0x40d0e8 lstrlenW
 0x40d0ec GlobalUnlock
 0x40d0f0 GetFileSize
 0x40d0f4 MapViewOfFile
 0x40d0f8 UnmapViewOfFile
 0x40d0fc WriteFile
 0x40d100 InitializeCriticalSection
 0x40d104 LeaveCriticalSection
 0x40d108 CreateFileW
 0x40d10c FlushFileBuffers
 0x40d110 EnterCriticalSection
 0x40d114 CreateFileMappingW
 0x40d118 CloseHandle
 0x40d11c FindFirstFileW
 0x40d120 GetDriveTypeW
 0x40d124 MoveFileExW
 0x40d128 CreateDirectoryW
 0x40d12c GetLogicalDrives
 0x40d130 CopyFileW
 0x40d134 GetModuleFileNameW
 0x40d138 lstrcmpW
USER32.dll
 0x40d17c RegisterClassExW
 0x40d180 GetClipboardData
 0x40d184 EmptyClipboard
 0x40d188 ChangeClipboardChain
 0x40d18c SetWindowLongW
 0x40d190 TranslateMessage
 0x40d194 wsprintfW
 0x40d198 SendMessageA
 0x40d19c IsClipboardFormatAvailable
 0x40d1a0 CloseClipboard
 0x40d1a4 GetMessageA
 0x40d1a8 wvsprintfA
 0x40d1ac GetWindowLongW
 0x40d1b0 DefWindowProcA
 0x40d1b4 RegisterRawInputDevices
 0x40d1b8 CreateWindowExW
 0x40d1bc DispatchMessageA
 0x40d1c0 OpenClipboard
 0x40d1c4 SetClipboardData
 0x40d1c8 SetClipboardViewer
ADVAPI32.dll
 0x40d000 RegSetValueExW
 0x40d004 CryptGenRandom
 0x40d008 CryptReleaseContext
 0x40d00c CryptAcquireContextW
 0x40d010 RegQueryValueExW
 0x40d014 RegOpenKeyExA
 0x40d018 RegSetValueExA
 0x40d01c RegCloseKey
 0x40d020 RegOpenKeyExW
SHELL32.dll
 0x40d14c ShellExecuteW
ole32.dll
 0x40d2c0 CoInitialize
 0x40d2c4 CoUninitialize
 0x40d2c8 CoInitializeEx
 0x40d2cc CoCreateInstance
OLEAUT32.dll
 0x40d140 SysFreeString
 0x40d144 SysAllocString

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure