popup

Report - font.exe

UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.23 08:56 Machine s1_win7_x6402
Filename font.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
 Behavior Score
11.0
ZERO API file : malware
VT API (file) 21 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, ZelphiCO, GW@amRm3spi, GenKryptik, FKZJ, Zusy, Androm, DelfInject, score, BScope, Remcos, Static AI, Suspicious PE, susgen, EPYP, GdSda, confidence)
md5 1a1a9b3969abcd2fccd2c6ce20be68ac
sha256 80b539d191e840c8f421b2a1c34dcdd34961675d43d678d08b55d17f1e97fc63
ssdeep 12288:FYfGUHuv5bSkBsFkT5m3GpOAz1DeoAdrL7i:FYOUUtBs2YqO8ArPi
imphash 91a12f22e7f2305a107edddf42c40880
impfuzzy 192:P3hnf1QjmdbuuSrSUvK9RqoaqEseSPOQwN:P3J17SA9LdPOQu
  Network IP location

Signature (24cnts)

Level Description
warning File has been identified by 21 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Creates a thread using CreateRemoteThread in a non-child process indicative of process injection
watch Deletes executed files from disk
watch Installs itself for autorun at Windows startup
watch Manipulates memory of a non-child process indicative of process injection
watch Network activity contains more than one unique useragent
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (38cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21162&authkey=AMb87N8cpiL5Row
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 clean
https://l5d8cg.sn.files.1drv.com/y4mSaZorKK315vRgsptEjrE3dujWZAYwafYy5QfcxhDMYKUARl2P1AaRVHkC7bpYLAeCofg0BpF-hZo0NS8QQuKSaxtGGDeYJ2QeY8XK3UXreyrUiCrRn-pp0TG92R9pP_auhrwHMaCPd3annbupWRS5EYSkqm43DXzy7hjTTBioJNI0IwGLRtu_I4LxqbWySFu6Jzae_of3ByR2HlupF8eGA/Kkjc
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
https://l5d8cg.sn.files.1drv.com/y4mobOpIGv1zX3LZgl4BW4c7yypfbd6VNAB3mY0umB_hqc-waN_bjRhzLk9qNv1Pj2e4Rhaf6q1ShL7TQTR2VVx1wJcKjavOenYJfZKrBUCXm3uBw32FaJdqCJ-xSCpQtzqgkPLyZkjIC9Ipl6k6mEukG8tF6RpDG17yNyL25zlEAGPKU7y2qezciuiwfyKqkduA-B_so1mTS61Tq2XTZhu7w/Kkjc
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
l5d8cg.sn.files.1drv.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
onedrive.live.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 mailcious
trapboijiggy.dvrlists.com
whois
SE AltusHost B.V. 31.3.152.100 clean
13.107.42.13
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 mailcious
13.107.42.12
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 malware
31.3.152.100
whois
SE AltusHost B.V. 31.3.152.100 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x4ee140 DeleteCriticalSection
 0x4ee144 LeaveCriticalSection
 0x4ee148 EnterCriticalSection
 0x4ee14c InitializeCriticalSection
 0x4ee150 VirtualFree
 0x4ee154 VirtualAlloc
 0x4ee158 LocalFree
 0x4ee15c LocalAlloc
 0x4ee160 GetVersion
 0x4ee164 GetCurrentThreadId
 0x4ee168 InterlockedDecrement
 0x4ee16c InterlockedIncrement
 0x4ee170 VirtualQuery
 0x4ee174 WideCharToMultiByte
 0x4ee178 MultiByteToWideChar
 0x4ee17c lstrlenA
 0x4ee180 lstrcpynA
 0x4ee184 LoadLibraryExA
 0x4ee188 GetThreadLocale
 0x4ee18c GetStartupInfoA
 0x4ee190 GetProcAddress
 0x4ee194 GetModuleHandleA
 0x4ee198 GetModuleFileNameA
 0x4ee19c GetLocaleInfoA
 0x4ee1a0 GetLastError
 0x4ee1a4 GetCommandLineA
 0x4ee1a8 FreeLibrary
 0x4ee1ac FindFirstFileA
 0x4ee1b0 FindClose
 0x4ee1b4 ExitProcess
 0x4ee1b8 WriteFile
 0x4ee1bc UnhandledExceptionFilter
 0x4ee1c0 SetFilePointer
 0x4ee1c4 SetEndOfFile
 0x4ee1c8 RtlUnwind
 0x4ee1cc ReadFile
 0x4ee1d0 RaiseException
 0x4ee1d4 GetStdHandle
 0x4ee1d8 GetFileSize
 0x4ee1dc GetFileType
 0x4ee1e0 CreateFileA
 0x4ee1e4 CloseHandle
user32.dll
 0x4ee1ec GetKeyboardType
 0x4ee1f0 LoadStringA
 0x4ee1f4 MessageBoxA
 0x4ee1f8 CharNextA
advapi32.dll
 0x4ee200 RegQueryValueExA
 0x4ee204 RegOpenKeyExA
 0x4ee208 RegCloseKey
oleaut32.dll
 0x4ee210 SysFreeString
 0x4ee214 SysReAllocStringLen
 0x4ee218 SysAllocStringLen
kernel32.dll
 0x4ee220 TlsSetValue
 0x4ee224 TlsGetValue
 0x4ee228 LocalAlloc
 0x4ee22c GetModuleHandleA
advapi32.dll
 0x4ee234 RegQueryValueExA
 0x4ee238 RegOpenKeyExA
 0x4ee23c RegCloseKey
kernel32.dll
 0x4ee244 lstrcpyA
 0x4ee248 WriteFile
 0x4ee24c WaitForSingleObject
 0x4ee250 VirtualQuery
 0x4ee254 VirtualProtect
 0x4ee258 VirtualAlloc
 0x4ee25c Sleep
 0x4ee260 SizeofResource
 0x4ee264 SetThreadLocale
 0x4ee268 SetFilePointer
 0x4ee26c SetEvent
 0x4ee270 SetErrorMode
 0x4ee274 SetEndOfFile
 0x4ee278 ResetEvent
 0x4ee27c ReadFile
 0x4ee280 MultiByteToWideChar
 0x4ee284 MulDiv
 0x4ee288 LockResource
 0x4ee28c LoadResource
 0x4ee290 LoadLibraryA
 0x4ee294 LeaveCriticalSection
 0x4ee298 InitializeCriticalSection
 0x4ee29c GlobalUnlock
 0x4ee2a0 GlobalSize
 0x4ee2a4 GlobalReAlloc
 0x4ee2a8 GlobalHandle
 0x4ee2ac GlobalLock
 0x4ee2b0 GlobalFree
 0x4ee2b4 GlobalFindAtomA
 0x4ee2b8 GlobalDeleteAtom
 0x4ee2bc GlobalAlloc
 0x4ee2c0 GlobalAddAtomA
 0x4ee2c4 GetVersionExA
 0x4ee2c8 GetVersion
 0x4ee2cc GetUserDefaultLCID
 0x4ee2d0 GetTickCount
 0x4ee2d4 GetThreadLocale
 0x4ee2d8 GetSystemInfo
 0x4ee2dc GetStringTypeExA
 0x4ee2e0 GetStdHandle
 0x4ee2e4 GetProcAddress
 0x4ee2e8 GetModuleHandleA
 0x4ee2ec GetModuleFileNameA
 0x4ee2f0 GetLocaleInfoA
 0x4ee2f4 GetLocalTime
 0x4ee2f8 GetLastError
 0x4ee2fc GetFullPathNameA
 0x4ee300 GetDiskFreeSpaceA
 0x4ee304 GetDateFormatA
 0x4ee308 GetCurrentThreadId
 0x4ee30c GetCurrentProcessId
 0x4ee310 GetComputerNameA
 0x4ee314 GetCPInfo
 0x4ee318 GetACP
 0x4ee31c FreeResource
 0x4ee320 InterlockedExchange
 0x4ee324 FreeLibrary
 0x4ee328 FormatMessageA
 0x4ee32c FindResourceA
 0x4ee330 EnumCalendarInfoA
 0x4ee334 EnterCriticalSection
 0x4ee338 DeleteCriticalSection
 0x4ee33c CreateThread
 0x4ee340 CreateFileA
 0x4ee344 CreateEventA
 0x4ee348 CompareStringA
 0x4ee34c CloseHandle
version.dll
 0x4ee354 VerQueryValueA
 0x4ee358 GetFileVersionInfoSizeA
 0x4ee35c GetFileVersionInfoA
gdi32.dll
 0x4ee364 UnrealizeObject
 0x4ee368 StretchBlt
 0x4ee36c SetWindowOrgEx
 0x4ee370 SetWinMetaFileBits
 0x4ee374 SetViewportOrgEx
 0x4ee378 SetTextColor
 0x4ee37c SetStretchBltMode
 0x4ee380 SetROP2
 0x4ee384 SetPixel
 0x4ee388 SetEnhMetaFileBits
 0x4ee38c SetDIBColorTable
 0x4ee390 SetBrushOrgEx
 0x4ee394 SetBkMode
 0x4ee398 SetBkColor
 0x4ee39c SelectPalette
 0x4ee3a0 SelectObject
 0x4ee3a4 SelectClipRgn
 0x4ee3a8 SaveDC
 0x4ee3ac RestoreDC
 0x4ee3b0 RectVisible
 0x4ee3b4 RealizePalette
 0x4ee3b8 PlayEnhMetaFile
 0x4ee3bc PatBlt
 0x4ee3c0 MoveToEx
 0x4ee3c4 MaskBlt
 0x4ee3c8 LineTo
 0x4ee3cc IntersectClipRect
 0x4ee3d0 GetWindowOrgEx
 0x4ee3d4 GetWinMetaFileBits
 0x4ee3d8 GetTextMetricsA
 0x4ee3dc GetTextExtentPoint32A
 0x4ee3e0 GetSystemPaletteEntries
 0x4ee3e4 GetStockObject
 0x4ee3e8 GetPixel
 0x4ee3ec GetPaletteEntries
 0x4ee3f0 GetObjectA
 0x4ee3f4 GetEnhMetaFilePaletteEntries
 0x4ee3f8 GetEnhMetaFileHeader
 0x4ee3fc GetEnhMetaFileDescriptionA
 0x4ee400 GetEnhMetaFileBits
 0x4ee404 GetDeviceCaps
 0x4ee408 GetDIBits
 0x4ee40c GetDIBColorTable
 0x4ee410 GetDCOrgEx
 0x4ee414 GetCurrentPositionEx
 0x4ee418 GetClipBox
 0x4ee41c GetBrushOrgEx
 0x4ee420 GetBitmapBits
 0x4ee424 ExcludeClipRect
 0x4ee428 DeleteObject
 0x4ee42c DeleteEnhMetaFile
 0x4ee430 DeleteDC
 0x4ee434 CreateSolidBrush
 0x4ee438 CreatePenIndirect
 0x4ee43c CreatePalette
 0x4ee440 CreateHalftonePalette
 0x4ee444 CreateFontIndirectA
 0x4ee448 CreateEnhMetaFileA
 0x4ee44c CreateDIBitmap
 0x4ee450 CreateDIBSection
 0x4ee454 CreateCompatibleDC
 0x4ee458 CreateCompatibleBitmap
 0x4ee45c CreateBrushIndirect
 0x4ee460 CreateBitmap
 0x4ee464 CopyEnhMetaFileA
 0x4ee468 CloseEnhMetaFile
 0x4ee46c BitBlt
user32.dll
 0x4ee474 CreateWindowExA
 0x4ee478 WindowFromPoint
 0x4ee47c WinHelpA
 0x4ee480 WaitMessage
 0x4ee484 UpdateWindow
 0x4ee488 UnregisterClassA
 0x4ee48c UnhookWindowsHookEx
 0x4ee490 TranslateMessage
 0x4ee494 TranslateMDISysAccel
 0x4ee498 TrackPopupMenu
 0x4ee49c SystemParametersInfoA
 0x4ee4a0 ShowWindow
 0x4ee4a4 ShowScrollBar
 0x4ee4a8 ShowOwnedPopups
 0x4ee4ac ShowCursor
 0x4ee4b0 SetWindowsHookExA
 0x4ee4b4 SetWindowPos
 0x4ee4b8 SetWindowPlacement
 0x4ee4bc SetWindowLongA
 0x4ee4c0 SetTimer
 0x4ee4c4 SetScrollRange
 0x4ee4c8 SetScrollPos
 0x4ee4cc SetScrollInfo
 0x4ee4d0 SetRect
 0x4ee4d4 SetPropA
 0x4ee4d8 SetParent
 0x4ee4dc SetMenuItemInfoA
 0x4ee4e0 SetMenu
 0x4ee4e4 SetForegroundWindow
 0x4ee4e8 SetFocus
 0x4ee4ec SetCursor
 0x4ee4f0 SetClassLongA
 0x4ee4f4 SetCapture
 0x4ee4f8 SetActiveWindow
 0x4ee4fc SendMessageA
 0x4ee500 ScrollWindow
 0x4ee504 ScreenToClient
 0x4ee508 RemovePropA
 0x4ee50c RemoveMenu
 0x4ee510 ReleaseDC
 0x4ee514 ReleaseCapture
 0x4ee518 RegisterWindowMessageA
 0x4ee51c RegisterClipboardFormatA
 0x4ee520 RegisterClassA
 0x4ee524 RedrawWindow
 0x4ee528 PtInRect
 0x4ee52c PostQuitMessage
 0x4ee530 PostMessageA
 0x4ee534 PeekMessageA
 0x4ee538 OffsetRect
 0x4ee53c OemToCharA
 0x4ee540 MessageBoxA
 0x4ee544 MapWindowPoints
 0x4ee548 MapVirtualKeyA
 0x4ee54c LoadStringA
 0x4ee550 LoadKeyboardLayoutA
 0x4ee554 LoadIconA
 0x4ee558 LoadCursorA
 0x4ee55c LoadBitmapA
 0x4ee560 KillTimer
 0x4ee564 IsZoomed
 0x4ee568 IsWindowVisible
 0x4ee56c IsWindowEnabled
 0x4ee570 IsWindow
 0x4ee574 IsRectEmpty
 0x4ee578 IsIconic
 0x4ee57c IsDialogMessageA
 0x4ee580 IsChild
 0x4ee584 InvalidateRect
 0x4ee588 IntersectRect
 0x4ee58c InsertMenuItemA
 0x4ee590 InsertMenuA
 0x4ee594 InflateRect
 0x4ee598 GetWindowThreadProcessId
 0x4ee59c GetWindowTextA
 0x4ee5a0 GetWindowRect
 0x4ee5a4 GetWindowPlacement
 0x4ee5a8 GetWindowLongA
 0x4ee5ac GetWindowDC
 0x4ee5b0 GetTopWindow
 0x4ee5b4 GetSystemMetrics
 0x4ee5b8 GetSystemMenu
 0x4ee5bc GetSysColorBrush
 0x4ee5c0 GetSysColor
 0x4ee5c4 GetSubMenu
 0x4ee5c8 GetScrollRange
 0x4ee5cc GetScrollPos
 0x4ee5d0 GetScrollInfo
 0x4ee5d4 GetPropA
 0x4ee5d8 GetParent
 0x4ee5dc GetWindow
 0x4ee5e0 GetMessageTime
 0x4ee5e4 GetMenuStringA
 0x4ee5e8 GetMenuState
 0x4ee5ec GetMenuItemInfoA
 0x4ee5f0 GetMenuItemID
 0x4ee5f4 GetMenuItemCount
 0x4ee5f8 GetMenu
 0x4ee5fc GetLastActivePopup
 0x4ee600 GetKeyboardState
 0x4ee604 GetKeyboardLayoutList
 0x4ee608 GetKeyboardLayout
 0x4ee60c GetKeyState
 0x4ee610 GetKeyNameTextA
 0x4ee614 GetIconInfo
 0x4ee618 GetForegroundWindow
 0x4ee61c GetFocus
 0x4ee620 GetDesktopWindow
 0x4ee624 GetDCEx
 0x4ee628 GetDC
 0x4ee62c GetCursorPos
 0x4ee630 GetCursor
 0x4ee634 GetClipboardData
 0x4ee638 GetClientRect
 0x4ee63c GetClassNameA
 0x4ee640 GetClassInfoA
 0x4ee644 GetCapture
 0x4ee648 GetActiveWindow
 0x4ee64c FrameRect
 0x4ee650 FindWindowA
 0x4ee654 FillRect
 0x4ee658 EqualRect
 0x4ee65c EnumWindows
 0x4ee660 EnumThreadWindows
 0x4ee664 EndPaint
 0x4ee668 EnableWindow
 0x4ee66c EnableScrollBar
 0x4ee670 EnableMenuItem
 0x4ee674 DrawTextA
 0x4ee678 DrawMenuBar
 0x4ee67c DrawIconEx
 0x4ee680 DrawIcon
 0x4ee684 DrawFrameControl
 0x4ee688 DrawEdge
 0x4ee68c DispatchMessageA
 0x4ee690 DestroyWindow
 0x4ee694 DestroyMenu
 0x4ee698 DestroyIcon
 0x4ee69c DestroyCursor
 0x4ee6a0 DeleteMenu
 0x4ee6a4 DefWindowProcA
 0x4ee6a8 DefMDIChildProcA
 0x4ee6ac DefFrameProcA
 0x4ee6b0 CreatePopupMenu
 0x4ee6b4 CreateMenu
 0x4ee6b8 CreateIcon
 0x4ee6bc ClientToScreen
 0x4ee6c0 CheckMenuItem
 0x4ee6c4 CallWindowProcA
 0x4ee6c8 CallNextHookEx
 0x4ee6cc BeginPaint
 0x4ee6d0 CharNextA
 0x4ee6d4 CharLowerBuffA
 0x4ee6d8 CharLowerA
 0x4ee6dc CharToOemA
 0x4ee6e0 AdjustWindowRectEx
 0x4ee6e4 ActivateKeyboardLayout
kernel32.dll
 0x4ee6ec Sleep
oleaut32.dll
 0x4ee6f4 SafeArrayPtrOfIndex
 0x4ee6f8 SafeArrayGetUBound
 0x4ee6fc SafeArrayGetLBound
 0x4ee700 SafeArrayCreate
 0x4ee704 VariantChangeType
 0x4ee708 VariantCopy
 0x4ee70c VariantClear
 0x4ee710 VariantInit
ole32.dll
 0x4ee718 CreateStreamOnHGlobal
 0x4ee71c IsAccelerator
 0x4ee720 OleDraw
 0x4ee724 OleSetMenuDescriptor
 0x4ee728 CoTaskMemFree
 0x4ee72c ProgIDFromCLSID
 0x4ee730 StringFromCLSID
 0x4ee734 CoCreateInstance
 0x4ee738 CoGetClassObject
 0x4ee73c CoUninitialize
 0x4ee740 CoInitialize
 0x4ee744 IsEqualGUID
oleaut32.dll
 0x4ee74c GetErrorInfo
 0x4ee750 GetActiveObject
 0x4ee754 SysFreeString
comctl32.dll
 0x4ee75c ImageList_SetIconSize
 0x4ee760 ImageList_GetIconSize
 0x4ee764 ImageList_Write
 0x4ee768 ImageList_Read
 0x4ee76c ImageList_GetDragImage
 0x4ee770 ImageList_DragShowNolock
 0x4ee774 ImageList_SetDragCursorImage
 0x4ee778 ImageList_DragMove
 0x4ee77c ImageList_DragLeave
 0x4ee780 ImageList_DragEnter
 0x4ee784 ImageList_EndDrag
 0x4ee788 ImageList_BeginDrag
 0x4ee78c ImageList_Remove
 0x4ee790 ImageList_DrawEx
 0x4ee794 ImageList_Draw
 0x4ee798 ImageList_GetBkColor
 0x4ee79c ImageList_SetBkColor
 0x4ee7a0 ImageList_ReplaceIcon
 0x4ee7a4 ImageList_Add
 0x4ee7a8 ImageList_SetImageCount
 0x4ee7ac ImageList_GetImageCount
 0x4ee7b0 ImageList_Destroy
 0x4ee7b4 ImageList_Create

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure