Report - 64.exe

Tags: Emotet, Malicious Packer, Malicious Library, AntiDebug, AntiVM, PE File, OS Processor Check, PE32
Created 2021.10.01 18:16
Machine s1_win7_x6402
Filename 64.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 7.0
ZERO API file: clean
VT API (file): 13 detected (malicious, high confidence, FileRepMalware, Sabsik, Static AI, Suspicious PE, ZexaF, Wq3@aGy, XXpc)
md5 ba0c30c85ff45d4a7dfbf010ebff1ca8
sha256 be1fe05856af0cb8678fff94ccbbb5ed99a7ebb8e4d2a0725e196d5c38f093b5
ssdeep 24576:wFkwZtqfuHOsY25nIMfZ5NS0Zu0IL/ysBRU9329BANJTFFF0:+HXHyis
imphash 5fbe210ef28d03949834513add9de949
impfuzzy 24:iDoVf2cfjeHs2QHuOovbOZyvgJ3b2RMmdlHCHpCwuZT4wo:decfCHQ3uoqRMmdBCHpCjcL

Signatures (13 counts)

Level Description
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch File has been identified by 13 AntiVirus engines on VirusTotal as malicious
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice One or more potentially interesting buffers were extracted
notice Yara rule detected in process memory
info Queries for the computername

Rules (13 counts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (21 counts)

Request CC ASN Co IP4 Rule ZERO
http://45.77.127.230:8888/vvfboeffycvrynppulwwnath US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/fuzenqmkwrlygvxhtspbioaj US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/etasgyhyghhlwpfmecyevdev US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/jobzzbwswpetyulf US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/lfvhzlhblwzwnnogzyskqvbb US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/sbzteobxhgcskdoufsgivcyv US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/sdgrdfljmvpknoztwrwkanlr US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/mawvbiovgthpuddedpbmntnb US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/kmlpweovgrhfsbqanduitcjy US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/xjofesqimtzpnkduhvrlagyc US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/piqykabpjhlrvbhzhojdwhoo US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/iykcnfmbdeoxhzrajpvuqgwl US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/nvklteimfsubjgwxhrqcyoad US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/mrlodqwspxaehztivcykfbug US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/tqudtaxonhghgymszhfehjqc US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/myxbldskuilrpgymdkcdmzvw US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/doasxsmklfyjvgrqgiwnixpw US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/ibgvbcipiyghykqqsxmvhfiy US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/eqpynojbspcsxttzzxaogyol US AS-CHOOPA 45.77.127.230 clean
http://45.77.127.230:8888/zycogcqzstnhdjlwopnrenlm US AS-CHOOPA 45.77.127.230 clean
45.77.127.230 US AS-CHOOPA 45.77.127.230 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x477000 GetLocalTime
 0x477004 GetProcAddress
 0x477008 LoadLibraryExW
 0x47700c GetModuleHandleA
 0x477010 GetStartupInfoW
 0x477014 GetVersionExA
 0x477018 HeapAlloc
 0x47701c RaiseException
 0x477020 HeapFree
 0x477024 DeleteCriticalSection
 0x477028 LeaveCriticalSection
 0x47702c EnterCriticalSection
 0x477030 GetLastError
 0x477034 GetFileAttributesA
 0x477038 ExitProcess
 0x47703c TerminateProcess
 0x477040 GetCurrentProcess
 0x477044 WriteFile
 0x477048 GetStdHandle
 0x47704c GetModuleFileNameA
 0x477050 UnhandledExceptionFilter
 0x477054 GetModuleFileNameW
 0x477058 FreeEnvironmentStringsA
 0x47705c MultiByteToWideChar
 0x477060 GetEnvironmentStrings
 0x477064 FreeEnvironmentStringsW
 0x477068 GetEnvironmentStringsW
 0x47706c GetCommandLineA
 0x477070 GetCommandLineW
 0x477074 SetHandleCount
 0x477078 GetFileType
 0x47707c GetStartupInfoA
 0x477080 TlsAlloc
 0x477084 SetLastError
 0x477088 GetCurrentThreadId
 0x47708c TlsFree
 0x477090 TlsSetValue
 0x477094 TlsGetValue
 0x477098 HeapDestroy
 0x47709c HeapCreate
 0x4770a0 VirtualFree
 0x4770a4 VirtualAlloc
 0x4770a8 HeapReAlloc
 0x4770ac HeapSize
 0x4770b0 SetUnhandledExceptionFilter
 0x4770b4 InitializeCriticalSection
 0x4770b8 RtlUnwind
 0x4770bc GetACP
 0x4770c0 GetOEMCP
 0x4770c4 GetCPInfo
 0x4770c8 WideCharToMultiByte
 0x4770cc InterlockedExchange
 0x4770d0 VirtualQuery
 0x4770d4 CloseHandle
 0x4770d8 CreateFileW
 0x4770dc LoadLibraryA
 0x4770e0 IsBadCodePtr
 0x4770e4 LCMapStringA
 0x4770e8 LCMapStringW
 0x4770ec GetStringTypeA
 0x4770f0 GetStringTypeW
 0x4770f4 CompareStringA
 0x4770f8 CompareStringW
 0x4770fc SetEnvironmentVariableA
 0x477100 FlushFileBuffers
 0x477104 SetFilePointer
 0x477108 QueryPerformanceCounter
 0x47710c GetTickCount
 0x477110 GetCurrentProcessId
 0x477114 GetSystemTimeAsFileTime
 0x477118 SetEndOfFile
 0x47711c ReadFile
 0x477120 SetStdHandle
 0x477124 GetLocaleInfoA
 0x477128 VirtualProtect
 0x47712c GetSystemInfo

EAT (Export Address Table): none

Similarity measure (PE file only) - Checking for service failure