Report - inlinelots.png

Tags: Emotet, Gen1, Malicious Packer, Malicious Library, AntiDebug, AntiVM, PE File, OS Processor Check, DLL, PE32

On the family label: the Emotet tag comes from the sandbox's YARA hits (Win32_Trojan_Emotet_1_Zero and Win32_Trojan_Gen_1_0904B0_Zero). The C2 traffic recorded under Network, however, follows the /<gtag>/<hostname>_<OS tag>.<client id>/<command>/ URI scheme, with requests for the pwgrabb64 and pwgrabc64 password-grabber modules, that public analyses document for TrickBot (gtag rob133 here). Emotet campaigns regularly delivered TrickBot, so the two labels do not conflict, but the network indicators below should be handled as TrickBot C2.
Created: 2021.09.23 17:27
Machine: s1_win7_x6401
Filename: inlinelots.png (the .png extension does not match the content; the file is a 32-bit PE DLL)
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score: 7
Behavior Score: 10.6
ZERO API (file): malware
VT API (file): (empty in the report)
md5: dd37687f508cb88b08f932fae1e2a767
sha256: e92330964ca276210c85dc0a0637b38e0233360e244d8768497a032993a429ab
ssdeep: 6144:tIl3f5on8R0CBtsabvbV0iRugpw8mI3R5y4MAIJ+CczfBsx2X/HSpu9SiWaKMVe1:tk32q0CB5lwq6cBsxsPUmYa1B3js
imphash: 5c9a9773c96ef9c47915be337e1489a1
impfuzzy: 96:/icBuAJqtFrIpmADyz+MMM021vu2Q3vxsx8RxcncoLRTPP3siM:XIWK+x21vu2Q3vxsGXcncOPPVM

Signatures (22 hits)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
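The danger/watch/notice rows above describe one injection chain: spawn a process suspended, allocate memory in it, write into it, make the region executable (either directly as RWX or, as the "read-write to read-execute" signature notes, by flipping protection afterwards), then resume the thread. The following is an added example of how such a chain is scored from an API-call trace; it is not code from the sandbox that produced this report. The event records are constructed, and the field names (pid, api, args) and flag constants are assumptions standing in for whatever your sandbox or EDR actually emits.

```python
"""Score cross-process memory activity into the injection signatures above."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004          # CreateProcess dwCreationFlags bit
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE* family

# Constructed trace: pid 1000 hollows a child it spawned suspended (pid 2000),
# allocating RW, writing the payload, then flipping the region to RX before
# resuming the main thread. pid 3000 is benign noise: a JIT-style RWX
# allocation and a thread resume inside its own process.
EVENTS = [
    {"pid": 1000, "api": "CreateProcessW",
     "args": {"creation_flags": CREATE_SUSPENDED, "child_pid": 2000}},
    {"pid": 1000, "api": "NtAllocateVirtualMemory",
     "args": {"target_pid": 2000, "protection": PAGE_READWRITE, "size": 0x20000}},
    {"pid": 1000, "api": "NtWriteVirtualMemory",
     "args": {"target_pid": 2000, "size": 0x1F000}},
    {"pid": 1000, "api": "NtProtectVirtualMemory",
     "args": {"target_pid": 2000, "protection": PAGE_EXECUTE_READ}},
    {"pid": 1000, "api": "NtResumeThread", "args": {"target_pid": 2000}},
    {"pid": 3000, "api": "NtAllocateVirtualMemory",
     "args": {"target_pid": 3000, "protection": PAGE_EXECUTE_READWRITE, "size": 0x1000}},
    {"pid": 3000, "api": "NtResumeThread", "args": {"target_pid": 3000}},
]

# Signature text reused from the report, keyed by the evidence that triggers it.
SIGNATURES = {
    "suspended": ("notice", "Creates a suspicious process"),
    "alloc_exec": ("watch", "Allocates execute permission to another process indicative of possible code injection"),
    "rw_to_rx": ("notice", "Changes read-write memory protection to read-execute"),
    "write": ("watch", "Potential code injection by writing to the memory of another process"),
    "resume": ("watch", "Resumed a suspended thread in a remote process potentially indicative of process injection"),
}


def analyse(events):
    """Return one result per (injector, target) pair that showed evidence.

    The level is 'danger' when the full chain is present: code written into
    the target, made executable (directly or via a later protection change),
    and the target resumed. Same-process activity is deliberately ignored;
    RWX inside one's own process is too noisy (JITs, in-place unpacking).
    """
    evidence = defaultdict(set)
    for ev in events:
        pid, api, args = ev["pid"], ev["api"], ev["args"]
        if api.startswith("CreateProcess") and args.get("creation_flags", 0) & CREATE_SUSPENDED:
            evidence[(pid, args["child_pid"])].add("suspended")
            continue
        target = args.get("target_pid")
        if target is None or target == pid:
            continue
        key = (pid, target)
        prot = args.get("protection")
        if api in ("NtAllocateVirtualMemory", "VirtualAllocEx") and prot in EXEC_PROTECTIONS:
            evidence[key].add("alloc_exec")
        elif api in ("NtProtectVirtualMemory", "VirtualProtectEx") and prot in EXEC_PROTECTIONS:
            evidence[key].add("rw_to_rx")
        elif api in ("NtWriteVirtualMemory", "WriteProcessMemory"):
            evidence[key].add("write")
        elif api in ("NtResumeThread", "ResumeThread"):
            evidence[key].add("resume")

    results = []
    for (injector, target), hits in sorted(evidence.items()):
        executable = {"alloc_exec", "rw_to_rx"} & hits
        full_chain = "write" in hits and executable and "resume" in hits
        if full_chain:
            level = "danger"
        elif hits - {"suspended"}:
            level = "watch"
        else:
            level = "notice"
        results.append({
            "injector": injector,
            "target": target,
            "level": level,
            "signatures": [SIGNATURES[h][1] for h in sorted(hits)],
        })
    return results


if __name__ == "__main__":
    for r in analyse(EVENTS):
        print(r["level"], r["injector"], "->", r["target"])
        for s in r["signatures"]:
            print("   ", s)
```

Run against the constructed trace, the 1000 -> 2000 pair scores "danger" with all four remote-memory signatures, while the self-allocating pid 3000 produces nothing; dropping the final resume from the trace downgrades the pair to "watch", which is the state a sandbox sees when the payload crashes before the thread is resumed.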

YARA rules (16 hits)

Level | Name | Description | Matched on
danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (upload)
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload)
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload)
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload)
info | anti_dbg | Checks if being debugged | memory
info | DebuggerCheck__GlobalFlags | (no description) | memory
info | DebuggerCheck__QueryInfo | (no description) | memory
info | DebuggerHiding__Active | (no description) | memory
info | DebuggerHiding__Thread | (no description) | memory
info | disable_dep | Bypass DEP | memory
info | IsDLL | (no description) | binaries (upload)
info | IsPE32 | (no description) | binaries (upload)
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload)
info | PE_Header_Zero | PE File Signature | binaries (upload)
info | SEH__vectored | (no description) | memory
info | ThreadControl__Context | (no description) | memory

Network (20 entries)

Request | CC | ASN | IP4 | ZERO verdict
https://43.252.158.104/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabb64/ | ID | PT Media Sarana Data | 43.252.158.104 | clean
https://105.27.205.34/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabc64/ | ZA | SEACOM-AS | 105.27.205.34 | clean
https://ident.me/ | GB | Linode, LLC | 176.58.123.25 | clean
https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/ | BR | Pedro F Arruda Junior ME | 128.201.76.252 | clean
https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/ZhP7RHTDpJf3xpRdHfhTN/ | CO | EPM Telecomunicaciones S.A. E.S.P. | 181.129.167.82 | clean
https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/user/test22/0/ | BR | Pedro F Arruda Junior ME | 128.201.76.252 | clean
https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/file/ | BR | Pedro F Arruda Junior ME | 128.201.76.252 | clean
https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/NAT%20status/client%20is%20behind%20NAT/0/ | BR | Pedro F Arruda Junior ME | 128.201.76.252 | clean
https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/10/62/TJJNLPBFNNBTXBZBFLF/7/ | BR | Pedro F Arruda Junior ME | 128.201.76.252 | clean
https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/cN8siDphAP0SDyFMo/ | BR | Pedro F Arruda Junior ME | 128.201.76.252 | clean
https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CiLogicMonitorUB2IF8%5Cgxinlinelots.pngxp.our/0/ | CO | EPM Telecomunicaciones S.A. E.S.P. | 181.129.167.82 | clean
ident.me | GB | Linode, LLC | 176.58.123.25 | clean
105.27.205.34 | ZA | SEACOM-AS | 105.27.205.34 | malicious
128.201.76.252 | BR | Pedro F Arruda Junior ME | 128.201.76.252 | malicious
221.147.172.5 | KR | Korea Telecom | 221.147.172.5 | malicious
176.58.123.25 | GB | Linode, LLC | 176.58.123.25 | clean
185.56.175.122 | PL | Virtuaoperator Sp. z o.o. | 185.56.175.122 | malicious
43.252.158.104 | ID | PT Media Sarana Data | 43.252.158.104 | clean
60.51.47.65 | MY | TM Net, Internet Service Provider | 60.51.47.65 | malicious
181.129.167.82 | CO | EPM Telecomunicaciones S.A. E.S.P. | 181.129.167.82 | malicious

Reading the table: the per-URL rows are rated "clean" while most of the same IPs are rated "malicious" in the host rows. The verdict column is a reputation lookup on the request string, not a judgement on the traffic, so use the host verdicts. Every C2 request goes over HTTPS straight to an IP address (hence the "no DNS query" signature) and shares one path prefix: the gtag rob133 followed by a client ID built from the hostname TEST22-PC, the OS tag W617601 (NT 6.1 build 7601, i.e. the "Windows 7 x64 SP1" string sent in the /0/ request) and a 32-hex machine identifier. The numeric segment after the client ID is the command; in public TrickBot analyses /0/ is the bot registration (here carrying the OS string, the token 1107, the external address 175.208.134.150, which the sample appears to have looked up via ident.me immediately before, and two further tokens), /5/ fetches a module or file (pwgrabb64, pwgrabc64, file), /10/ is a result upload, and /14/ reports host facts back: the user test22, NAT status, the on-disk path under AppData\Roaming\iLogicMonitorUB2IF8\, and an exception report "E: 0xc0000005" that matches the "One or more processes crashed" signature. ident.me is a public what-is-my-IP service, not C2. 221.147.172.5, 185.56.175.122 and 60.51.47.65 appear only as contacted hosts with no request recorded, which is most likely the "no longer responding" signature firing.
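To turn the table into indicators, parse each request into gtag, client ID, command and arguments rather than matching whole URLs, since the client ID and the random trailing tokens differ per victim. The parser below is an added example, not the sandbox's own code. The URLs are copied from the report; the path layout /<gtag>/<hostname>_<OS tag>.<32-hex client id>/<command>/<args...>/ and the command names in COMMAND_NAMES are taken from public analyses of TrickBot's C2 protocol, not from this report, so treat the names as an assumption and the raw numeric code as the ground truth.

```python
"""Parse TrickBot-style C2 request paths from the report's network table."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Copied from the report's network table (URL rows only).
OBSERVED = [
    "https://43.252.158.104/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabb64/",
    "https://105.27.205.34/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabc64/",
    "https://ident.me/",
    "https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/",
    "https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/ZhP7RHTDpJf3xpRdHfhTN/",
    "https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/user/test22/0/",
    "https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/file/",
    "https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/NAT%20status/client%20is%20behind%20NAT/0/",
    "https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/10/62/TJJNLPBFNNBTXBZBFLF/7/",
    "https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CiLogicMonitorUB2IF8%5Cgxinlinelots.pngxp.our/0/",
]

# <hostname>_<OS tag>.<32 hex>; W617601 is NT 6.1 build 7601, matching the
# "Windows 7 x64 SP1" string in the registration request.
CLIENT_ID = re.compile(r"^(?P<host>.+)_(?P<os>W\d+)\.(?P<id>[0-9A-F]{32})$")

# Assumption: command meanings as reported in public TrickBot write-ups.
COMMAND_NAMES = {"0": "register bot", "1": "keep-alive", "5": "download module/file",
                 "10": "send result/log", "14": "report info"}


def parse_c2(url):
    """Return the structured fields of a C2 request, or None if it does not fit the scheme."""
    parts = urlsplit(url)
    # Split on raw '/' first, then decode: encoded backslashes (%5C) and
    # spaces (%20) in arguments must not be mistaken for path separators.
    segs = [unquote(s) for s in parts.path.strip("/").split("/")]
    if len(segs) < 3:
        return None
    m = CLIENT_ID.match(segs[1])
    if not m:
        return None
    return {
        "c2": parts.hostname,
        "gtag": segs[0],
        "victim_host": m["host"],
        "os_tag": m["os"],
        "client_id": m["id"],
        "command": segs[2],
        "command_name": COMMAND_NAMES.get(segs[2], "unknown"),
        "args": segs[3:],
    }


def summarise(urls):
    """Collapse a list of requests into the indicators an analyst records."""
    parsed = [p for p in map(parse_c2, urls) if p]
    by_cmd = defaultdict(list)
    for p in parsed:
        by_cmd[p["command"]].append(p["args"])
    return {
        "c2_hosts": sorted({p["c2"] for p in parsed}),
        "gtags": sorted({p["gtag"] for p in parsed}),
        "client_ids": sorted({p["client_id"] for p in parsed}),
        "registration": by_cmd["0"][0] if by_cmd["0"] else None,
        "downloads": sorted(a[0] for a in by_cmd["5"] if a),
        "reported": {a[0]: a[1] for a in by_cmd["14"] if len(a) >= 2},
        "not_c2": [u for u in urls if parse_c2(u) is None],
    }


if __name__ == "__main__":
    for key, value in summarise(OBSERVED).items():
        print(f"{key}: {value}")
```

The "reported" map is where the host facts land: the exc entry decodes to "E: 0xc0000005 A: 0x00000000771D9A5A", an access-violation report that lines up with the crashed-process signature, and the path entry gives the persistence location under AppData\Roaming. For proxy-log hunting, match on the gtag plus the client-ID shape rather than the exact string; the 32-hex ID is per machine and the C2 IPs rotate.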

Suricata ids

PE imports: IAT (Import Address Table), grouped by library

KERNEL32.dll
 0x10022098 VirtualAlloc
 0x1002209c GetSystemInfo
 0x100220a0 VirtualQuery
 0x100220a4 GetCommandLineA
 0x100220a8 HeapReAlloc
 0x100220ac TerminateProcess
 0x100220b0 HeapSize
 0x100220b4 HeapDestroy
 0x100220b8 HeapCreate
 0x100220bc VirtualFree
 0x100220c0 IsBadWritePtr
 0x100220c4 SetHandleCount
 0x100220c8 GetStdHandle
 0x100220cc GetFileType
 0x100220d0 GetStartupInfoA
 0x100220d4 FreeEnvironmentStringsA
 0x100220d8 GetEnvironmentStrings
 0x100220dc FreeEnvironmentStringsW
 0x100220e0 GetEnvironmentStringsW
 0x100220e4 VirtualProtect
 0x100220e8 QueryPerformanceCounter
 0x100220ec GetTickCount
 0x100220f0 GetCurrentProcessId
 0x100220f4 GetSystemTimeAsFileTime
 0x100220f8 LCMapStringA
 0x100220fc LCMapStringW
 0x10022100 GetStringTypeA
 0x10022104 GetStringTypeW
 0x10022108 SetUnhandledExceptionFilter
 0x1002210c IsBadReadPtr
 0x10022110 IsBadCodePtr
 0x10022114 SetStdHandle
 0x10022118 HeapAlloc
 0x1002211c RtlUnwind
 0x10022120 HeapFree
 0x10022124 GetCurrentProcess
 0x10022128 FlushFileBuffers
 0x1002212c SetFilePointer
 0x10022130 WriteFile
 0x10022134 ReadFile
 0x10022138 WritePrivateProfileStringA
 0x1002213c GetOEMCP
 0x10022140 GetCPInfo
 0x10022144 GlobalFlags
 0x10022148 InterlockedIncrement
 0x1002214c TlsFree
 0x10022150 LocalReAlloc
 0x10022154 TlsSetValue
 0x10022158 TlsAlloc
 0x1002215c TlsGetValue
 0x10022160 EnterCriticalSection
 0x10022164 GlobalHandle
 0x10022168 LeaveCriticalSection
 0x1002216c LocalAlloc
 0x10022170 DeleteCriticalSection
 0x10022174 InitializeCriticalSection
 0x10022178 RaiseException
 0x1002217c InterlockedDecrement
 0x10022180 CloseHandle
 0x10022184 GetCurrentThread
 0x10022188 lstrcmpA
 0x1002218c GetModuleFileNameA
 0x10022190 ConvertDefaultLocale
 0x10022194 EnumResourceLanguagesA
 0x10022198 lstrcpyA
 0x1002219c FreeResource
 0x100221a0 GetCurrentThreadId
 0x100221a4 GlobalGetAtomNameA
 0x100221a8 GlobalAddAtomA
 0x100221ac GlobalFindAtomA
 0x100221b0 GlobalDeleteAtom
 0x100221b4 LoadLibraryA
 0x100221b8 FreeLibrary
 0x100221bc lstrcatA
 0x100221c0 lstrcmpW
 0x100221c4 GetModuleHandleA
 0x100221c8 GetProcAddress
 0x100221cc GlobalReAlloc
 0x100221d0 SetLastError
 0x100221d4 GlobalFree
 0x100221d8 MulDiv
 0x100221dc GlobalSize
 0x100221e0 GlobalAlloc
 0x100221e4 GlobalLock
 0x100221e8 GlobalUnlock
 0x100221ec FormatMessageA
 0x100221f0 LocalFree
 0x100221f4 lstrcpynA
 0x100221f8 LoadLibraryW
 0x100221fc ExitProcess
 0x10022200 LoadResource
 0x10022204 LockResource
 0x10022208 SizeofResource
 0x1002220c FindResourceA
 0x10022210 GetLastError
 0x10022214 lstrlenA
 0x10022218 lstrcmpiA
 0x1002221c WideCharToMultiByte
 0x10022220 MultiByteToWideChar
 0x10022224 GetVersion
 0x10022228 GetThreadLocale
 0x1002222c GetLocaleInfoA
 0x10022230 GetACP
 0x10022234 GetVersionExA
 0x10022238 UnhandledExceptionFilter
 0x1002223c InterlockedExchange
USER32.dll
 0x10022284 LoadCursorA
 0x10022288 GetSysColorBrush
 0x1002228c DestroyMenu
 0x10022290 wsprintfA
 0x10022294 GetDesktopWindow
 0x10022298 CreateDialogIndirectParamA
 0x1002229c GetNextDlgTabItem
 0x100222a0 EndDialog
 0x100222a4 GetMessageA
 0x100222a8 TranslateMessage
 0x100222ac GetActiveWindow
 0x100222b0 GetCursorPos
 0x100222b4 ValidateRect
 0x100222b8 SetCursor
 0x100222bc PostQuitMessage
 0x100222c0 EndPaint
 0x100222c4 BeginPaint
 0x100222c8 ReleaseDC
 0x100222cc GetDC
 0x100222d0 ClientToScreen
 0x100222d4 GrayStringA
 0x100222d8 DrawTextExA
 0x100222dc DrawTextA
 0x100222e0 TabbedTextOutA
 0x100222e4 SetMenuItemBitmaps
 0x100222e8 ModifyMenuA
 0x100222ec EnableMenuItem
 0x100222f0 CheckMenuItem
 0x100222f4 GetMenuCheckMarkDimensions
 0x100222f8 LoadBitmapA
 0x100222fc IsWindowEnabled
 0x10022300 ShowWindow
 0x10022304 SetWindowTextA
 0x10022308 IsDialogMessageA
 0x1002230c RegisterWindowMessageA
 0x10022310 GetCapture
 0x10022314 CreateWindowExA
 0x10022318 SetWindowsHookExA
 0x1002231c CallNextHookEx
 0x10022320 GetClassLongA
 0x10022324 GetClassInfoExA
 0x10022328 GetClassNameA
 0x1002232c SetPropA
 0x10022330 GetPropA
 0x10022334 RemovePropA
 0x10022338 SendDlgItemMessageA
 0x1002233c IsWindow
 0x10022340 SetFocus
 0x10022344 GetWindowTextLengthA
 0x10022348 GetWindowTextA
 0x1002234c GetForegroundWindow
 0x10022350 GetLastActivePopup
 0x10022354 SetActiveWindow
 0x10022358 DispatchMessageA
 0x1002235c GetDlgItem
 0x10022360 GetTopWindow
 0x10022364 DestroyWindow
 0x10022368 UnhookWindowsHookEx
 0x1002236c GetMessageTime
 0x10022370 GetMessagePos
 0x10022374 PeekMessageA
 0x10022378 EnableWindow
 0x1002237c InvertRect
 0x10022380 FrameRect
 0x10022384 CopyRect
 0x10022388 SendMessageA
 0x1002238c LoadIconA
 0x10022390 MessageBoxA
 0x10022394 GetWindowRect
 0x10022398 AppendMenuA
 0x1002239c MapWindowPoints
 0x100223a0 GetKeyState
 0x100223a4 SetForegroundWindow
 0x100223a8 IsWindowVisible
 0x100223ac UpdateWindow
 0x100223b0 GetMenu
 0x100223b4 PostMessageA
 0x100223b8 GetSysColor
 0x100223bc AdjustWindowRectEx
 0x100223c0 GetParent
 0x100223c4 ScreenToClient
 0x100223c8 GetClassInfoA
 0x100223cc RegisterClassA
 0x100223d0 UnregisterClassA
 0x100223d4 WinHelpA
 0x100223d8 GetSystemMenu
 0x100223dc DrawIcon
 0x100223e0 GetClientRect
 0x100223e4 GetSystemMetrics
 0x100223e8 IsIconic
 0x100223ec GetFocus
 0x100223f0 GetSubMenu
 0x100223f4 GetMenuItemCount
 0x100223f8 GetMenuItemID
 0x100223fc GetMenuState
 0x10022400 GetWindow
 0x10022404 PtInRect
 0x10022408 GetWindowPlacement
 0x1002240c SystemParametersInfoA
 0x10022410 SetWindowPos
 0x10022414 SetWindowLongA
 0x10022418 GetDlgCtrlID
 0x1002241c DefWindowProcA
 0x10022420 CallWindowProcA
 0x10022424 GetWindowLongA
GDI32.dll
 0x10022030 CreateSolidBrush
 0x10022034 GetStockObject
 0x10022038 DeleteDC
 0x1002203c ScaleWindowExtEx
 0x10022040 SetWindowExtEx
 0x10022044 TextOutA
 0x10022048 ScaleViewportExtEx
 0x1002204c SetViewportExtEx
 0x10022050 OffsetViewportOrgEx
 0x10022054 SetViewportOrgEx
 0x10022058 SelectObject
 0x1002205c Escape
 0x10022060 GetDeviceCaps
 0x10022064 RectVisible
 0x10022068 PtVisible
 0x1002206c DeleteObject
 0x10022070 SetMapMode
 0x10022074 RestoreDC
 0x10022078 SaveDC
 0x1002207c CreateBitmap
 0x10022080 GetObjectA
 0x10022084 SetBkColor
 0x10022088 SetTextColor
 0x1002208c GetClipBox
 0x10022090 ExtTextOutA
WINSPOOL.DRV
 0x1002242c OpenPrinterA
 0x10022430 DocumentPropertiesA
 0x10022434 ClosePrinter
ADVAPI32.dll
 0x10022000 RegOpenKeyA
 0x10022004 RegQueryValueExA
 0x10022008 RegOpenKeyExA
 0x1002200c RegDeleteKeyA
 0x10022010 RegEnumKeyA
 0x10022014 RegQueryValueA
 0x10022018 RegCreateKeyExA
 0x1002201c RegSetValueExA
 0x10022020 RegCloseKey
COMCTL32.dll
 0x10022028 (unnamed import by ordinal; the report renders it as None)
SHLWAPI.dll
 0x1002227c PathFindExtensionA
ole32.dll
 0x1002243c CoInitialize
 0x10022440 CoGetClassObject
 0x10022444 CoUninitialize
OLEAUT32.dll
 0x10022244 VariantChangeType
 0x10022248 VariantClear
 0x1002224c SysAllocStringByteLen
 0x10022250 VariantInit
 0x10022254 SafeArrayUnaccessData
 0x10022258 SafeArrayAccessData
 0x1002225c SafeArrayGetUBound
 0x10022260 SafeArrayGetLBound
 0x10022264 SafeArrayGetDim
 0x10022268 SafeArrayCreate
 0x1002226c SafeArrayRedim
 0x10022270 VariantCopy
 0x10022274 SysAllocString
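The imphash and the IAT listing above are derived from each other, and the unnamed COMCTL32 entry matters for reproducing the hash. The block below is an added example, not the sandbox's own code: it implements the published imphash recipe (lower-case "<dll minus .dll/.ocx/.sys>.<function>" per import, joined with commas in IAT order, MD5) and profiles the listing for what the loader can do statically. Ordinal-only imports become "ordN" unless the hashing tool has an ordinal-to-name table for that DLL (pefile ships one for ws2_32, wsock32 and oleaut32 only), which is why the report's value cannot be recomputed from the listing alone: the ordinal number is not shown. SAMPLE is a constructed subset of the report's IAT, and the COMCTL32 ordinal 17 in it is an assumption, so the result is deliberately not compared with the report's imphash.

```python
"""Import-hash recomputation and a static capability profile for an IAT listing."""
import hashlib

STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")   # only these are dropped; .drv is kept

# Constructed subset of the report's IAT, in listing order. The integer for
# COMCTL32 stands for an import by ordinal; 17 is assumed, not taken from the report.
SAMPLE = [
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("USER32.dll", "SetWindowsHookExA"),
    ("WINSPOOL.DRV", "OpenPrinterA"),
    ("COMCTL32.dll", 17),
    ("ole32.dll", "CoInitialize"),
]


def normalise(dll, func):
    """One imphash token: lower-case library stem plus function name or ordN."""
    name = dll.lower()
    for ext in STRIPPED_EXTENSIONS:
        if name.endswith(ext):
            name = name[: -len(ext)]
            break
    func = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{name}.{func}"


def imphash(imports):
    """MD5 over the comma-joined tokens; order is significant, case is not."""
    joined = ",".join(normalise(d, f) for d, f in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# APIs whose presence or absence says something about a loader.
DYNAMIC_RESOLUTION = {"loadlibrarya", "loadlibraryw", "getprocaddress"}
DIRECT_INJECTION = {
    "createprocessa", "createprocessw", "virtualallocex", "virtualprotectex",
    "writeprocessmemory", "createremotethread", "setthreadcontext",
    "resumethread", "ntunmapviewofsection",
}


def loader_profile(imports):
    """Flag static hints: runtime API resolution, page-protection changes, direct injection imports."""
    names = {str(f).lower() for _, f in imports}
    return {
        "resolves_apis_at_runtime": bool(names & DYNAMIC_RESOLUTION),
        "changes_page_protection": "virtualprotect" in names,
        "imports_injection_apis": sorted(names & DIRECT_INJECTION),
        "has_ordinal_only_imports": any(isinstance(f, int) for _, f in imports),
    }


if __name__ == "__main__":
    print("imphash of constructed subset:", imphash(SAMPLE))
    print(loader_profile(SAMPLE))
```

On the full listing the profile reads the same way as on the subset: LoadLibraryA/GetProcAddress and VirtualProtect are present, none of the cross-process APIs is imported, and one import is by ordinal. That combination is the static fingerprint of a packed loader, and it means the imphash identifies the packer stub rather than the payload.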

EAT (Export Address Table)

0x10004390 runquery

The DLL exposes a single named export, runquery. Note the contrast with the behaviour signatures: the static import table above looks like an ordinary MFC application (WinHelpA, GlobalFlags, printer and OLE automation calls) and contains no CreateProcess, VirtualAllocEx, WriteProcessMemory, ResumeThread or CreateRemoteThread, yet the sandbox observed a process being created, executable memory allocated and written in another process, and a suspended thread resumed. Only LoadLibraryA/GetProcAddress, VirtualAlloc and VirtualProtect are imported. That is the usual shape of a packed loader: the injection APIs are resolved at run time by the unpacked payload, so the imphash, impfuzzy and IAT characterise the packer stub, not the payload.

