Report - ZZZZZ.exe

Tags: RAT, Generic Malware, Themida Packer, Malicious Packer, PE File, PE32, OS Processor Check, .NET EXE, PE64

Created: 2021.09.19 11:28
Machine: s1_win7_x6402
Filename: ZZZZZ.exe
Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score: 2
Behavior Score: 12.4
ZERO API (file): malware
VT API (file): 28 detected (AIDetect, malware2, FakeAlert, Unsafe, Attribute, HighConfidence, GenKryptik, FKHS, Malicious, LightStone, AGEN, CoinMinerInj, score, R441007, ai score=87, BScope, Nitol, Generic@ML, RDML, Tww+eivPTzuUb1eBxs1wQ, susgen, Tiny)
md5: 2d42f56f58a4c19df022913160949c76
sha256: cb1bfed9b946adbcb897876432268c9bc453b4b489a6df99f5812d5f71b95ea7
ssdeep: 98304:SFLzm8VI6LrLrF9XafiFlHP15bB3PoNLmiVN4:yzdPZPzbRPo5miV
imphash: 2a2a662be9dffc461398e7c94d0b55b4
impfuzzy: 6:HbJq4wX0pyYJxSBS0H5sD4sIW0oFUAliPEcn:7Jq4wMY58xaPXn

Signatures (30)

| Level | Description |
|---|---|
| warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | Created a process named as a common system process |
| watch | Installs itself for autorun at Windows startup |
| watch | Network communications indicative of possible code injection originated from the process lsass.exe |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | A process attempted to delay the analysis task |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |

Rules (11)

| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | themida_packer | themida packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |

Network (11)

| Request | CC | ASN Co | IP4 | Rule | ZERO |
|---|---|---|---|---|---|
| http://62.109.1.30/triggers/vm_.php?V9JL2L5tBWjPnGs3XTcD6uK=68l9j&Dk8ljd7jBYa4EX9b4TcqyURjwkzCP4k=KBT9RBgP5yRDnCqwGfESh2LsTYz8o4&02a02393cf420479d23438ff09302b99=jNDZkFTN2EWO4ITZiFGZ0UWYlVGZyM2NmVGM4MzNzU2Y4QjNmhDNjBDMyEjM1ETNyIDN3MTM&65ab24948c084368808c | RU | JSC The First | 62.109.1.30 | 3585 | malicious |
| http://62.109.1.30/triggers/vm_.php?V9JL2L5tBWjPnGs3XTcD6uK=68l9j&Dk8ljd7jBYa4EX9b4TcqyURjwkzCP4k=KBT9RBgP5yRDnCqwGfESh2LsTYz8o4&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=QNkZTNzcDOwMWM5QGM4YzMyQmY2 | RU | JSC The First | 62.109.1.30 | 3585 | malicious |
| http://176.31.32.198/VideoRecoderDriveMaster.exe | FR | OVH SAS | 176.31.32.198 | | clean |
| https://ipinfo.io/json | US | GOOGLE | 34.117.59.81 | | clean |
| https://api.ipify.org/ | US | AMAZON-AES | 50.16.239.65 | | clean |
| ipinfo.io | US | GOOGLE | 34.117.59.81 | | clean |
| api.ipify.org | US | AMAZON-AES | 54.243.45.255 | | clean |
| 50.16.239.65 | US | AMAZON-AES | 50.16.239.65 | | clean |
| 176.31.32.198 | FR | OVH SAS | 176.31.32.198 | | malware |
| 62.109.1.30 | RU | JSC The First | 62.109.1.30 | | malicious |
| 34.117.59.81 | US | GOOGLE | 34.117.59.81 | | clean |

Suricata IDs

PE API

IAT (Import Address Table)

msvcrt.dll
 0x7a10ac strlen
 0x7a10b0 malloc
 0x7a10b4 fopen
 0x7a10b8 fwrite
 0x7a10bc fclose
 0x7a10c0 memset
 0x7a10c4 getenv
 0x7a10c8 sprintf
 0x7a10cc __argc
 0x7a10d0 __argv
 0x7a10d4 _environ
 0x7a10d8 _XcptFilter
 0x7a10dc __set_app_type
 0x7a10e0 _controlfp
 0x7a10e4 __getmainargs
 0x7a10e8 exit
kernel32.dll
 0x7a10f0 CreateProcessA
 0x7a10f4 CloseHandle
 0x7a10f8 SetUnhandledExceptionFilter

EAT (Export Address Table): none