popup

Report - gyty.wbk

RTF File doc AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.06 13:34 Machine s1_win7_x6401
Filename gyty.wbk
Type data
AI Score Not founds Behavior Score
5.8
ZERO API file : mailcious
VT API (file) 27 detected (ObfsStrm, RTFObfustream, Save, CVE-2017-1188, Camelot, Bloodhound, multiple detections, dinbqn, Obfuscated, CVE-2020-1711, CVE201711882, SMYNBFR, Malformed, ASDOH, Malicious, score, Malform, Probably Heur, RTFBadHeader, ai score=87)
md5 9f33914979fc685f81ab79066877d01c
sha256 4fe2dad2a4aa831e4c64fed6a52949e7d9eff9dee767efe9ff91ccfc1eb00dc7
ssdeep 192:9mOdF6ZH1MZLijkFDXKtBXan89nkhKXYMzS4BOQeco8NaCHsEQ/aaL+hUFeXKbcu:9RqJ1M9ijgwn7Y/4wsjJ1Q3L+h2cf7a
imphash
impfuzzy
  Network IP location

Signature (15cnts)

Level Description
warning File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed

Rules (9cnts)

Level Name Description Collection
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (57cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.wandawallinbristow.com/p08r/
whois
US IMH-WEST 192.249.119.170 clean
http://www.apeironnature.com/p08r/?sZ=2/kdXLcJs10/2cxW7t+Sgy9pAx78D6goaK23LVVxeGeEx+y6ZAUjhmiP7vRD9HtJk4HFEsVc&4hO=NVxxIf
whois
US GOOGLE 34.102.136.180 clean
http://www.minisoshop.com/p08r/
whois
US AMAZON-AES 3.223.115.185 clean
http://198.12.107.117/0789/vbc.exe
whois
US AS-COLOCROSSING 198.12.107.117 malware
http://www.oarlary.xyz/p08r/
whois
US CLOUDFLARENET 172.67.166.87 clean
http://www.110cy.top/p08r/?sZ=MhB7f0VRGu4oeye/TacVaH4JpmGIqSeDQM+dXwNRcYHzFlxosf73jULnoJMcxlrSEXGcWsCB&4hO=NVxxIf
whois
HK Anchnet Asia Limited 156.241.132.45 clean
http://www.tasteofgadsdencounty.com/p08r/
whois
US GOOGLE 34.102.136.180 clean
http://www.happinessfashionline.com/p08r/
whois
US AMAZON-AES 100.24.208.97 clean
http://www.tradeplay.net/p08r/?sZ=4thJWcvRSTe4hV1bGSZ95meEdt450t9mNZxRaqxPEFoJU5xgEKef2WLJHyAlacZU2kQP+u82&4hO=NVxxIf
whois
US CLOUDFLARENET 104.21.2.9 clean
http://www.happinessfashionline.com/p08r/?sZ=it2rKjXdnbVdg6Y0HoOw2Hy/OdzuHI5rq3rX4BBmEIww4S6XrH8d+i6ixz5qwTyrhXsqwNMN&4hO=NVxxIf
whois
US AMAZON-AES 35.172.94.1 clean
http://www.oarlary.xyz/p08r/?sZ=HWuJJXMS6EhDI+SwYjpjarifwZNGFMDpOH1wTDyGnvjHCAjlH9SD6hFmgIuMNdw6hyZKLj5p&4hO=NVxxIf
whois
US CLOUDFLARENET 172.67.166.87 clean
http://www.110cy.top/p08r/
whois
HK Anchnet Asia Limited 156.241.132.45 clean
http://www.xaudix.com/p08r/?sZ=AfsQzanRa/K71Sp+FC4vF/VUIPkDyKYCI0bhlWQZ5rKPtKnDleIrjtZ/eJx+lPng/2gI4886&4hO=NVxxIf
whois
SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
http://www.tradeplay.net/p08r/
whois
US CLOUDFLARENET 104.21.2.9 clean
http://www.puremicrodosing.com/p08r/?sZ=S62BtV/OXf7l+Oi9TcRmwChwada/mHY3jxfUfEoy5xEvr99fIfi+QJg3WuTcsjgo8nY7wmXr&4hO=NVxxIf
whois
NL Hostnet B.V. 91.184.0.100 5950 mailcious
http://www.shopmoly.com/p08r/
whois
SG DIGITALOCEAN-ASN 128.199.158.128 clean
http://www.blinglj.com/p08r/?sZ=VhZ5aNjufsg8yIKFt86vwNN5rsRGseTwSosfAD2rdPJJdPLarQSvJQIy1XR6o6k+V62Ea4hf&4hO=NVxxIf
whois
CA CLOUDFLARENET 23.227.38.74 clean
http://www.shopmoly.com/p08r/?sZ=haQmUSKM/WHARPa2Lp+DqCKAjRoaKWuSZ/KrsjvHPH5ydyX7t0iOLK3MGHUJ/6Ys8itQ83ll&4hO=NVxxIf
whois
SG DIGITALOCEAN-ASN 128.199.158.128 clean
http://www.wandawallinbristow.com/p08r/?sZ=rIasJTgHnlhvn49Ec1ufSUMfKeevfsoIo8VQBxBAm8yCbmuzA/iYh299dFqwI1FD4s8UWgPB&4hO=NVxxIf
whois
US IMH-WEST 192.249.119.170 clean
http://www.apeironnature.com/p08r/
whois
US GOOGLE 34.102.136.180 clean
http://www.minisoshop.com/p08r/?sZ=yt/y475BYeETL6/9CyyYP81IgtfMvB7e1GH5lU8k0UJ3W/3fb9aNkbEZFhB5uAoBowubwcMf&4hO=NVxxIf
whois
US AMAZON-AES 3.223.115.185 clean
http://www.blinglj.com/p08r/
whois
CA CLOUDFLARENET 23.227.38.74 clean
http://www.tasteofgadsdencounty.com/p08r/?sZ=r9Yl5R9exgSt+THckHRGQHMSQ7lUP1MIKTFoA2QCQOTNM6XNLCYZhM17LQ5O2O7QDP/PNXJW&4hO=NVxxIf
whois
US GOOGLE 34.102.136.180 clean
http://www.xaudix.com/p08r/
whois
SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
http://www.standunitedforamerica.us/p08r/?sZ=B2ekqSjam2FgOpOVxsnLxAFuSlZHI4NAcaOSHs117iNT154ovp+tvM1jF1ib5fJR9u9nduUX&4hO=NVxxIf
whois
US GOOGLE 34.102.136.180 clean
http://www.puremicrodosing.com/p08r/
whois
NL Hostnet B.V. 91.184.0.100 5950 mailcious
http://www.tamaracastrillejo.com/p08r/?sZ=CnBaoYh9B4vymKiOFoQY3BcfDLNsJjln6ysWXfUNxXKSA6sOsy6cNvjP7hJHh5O3EQTGDoh3&4hO=NVxxIf
whois
US CLOUDFLARENET 172.67.155.197 clean
http://www.standunitedforamerica.us/p08r/
whois
US GOOGLE 34.102.136.180 clean
http://www.tamaracastrillejo.com/p08r/
whois
US CLOUDFLARENET 172.67.155.197 clean
www.tradeplay.net
whois
US CLOUDFLARENET 172.67.128.125 clean
www.happinessfashionline.com
whois
US AMAZON-AES 100.24.208.97 clean
www.minisoshop.com
whois
US AMAZON-AES 3.223.115.185 clean
www.bgcs.online
whois
Unknown clean
www.puremicrodosing.com
whois
NL Hostnet B.V. 91.184.0.100 clean
www.apeironnature.com
whois
US GOOGLE 34.102.136.180 clean
www.shopmoly.com
whois
SG DIGITALOCEAN-ASN 128.199.158.128 clean
www.xaudix.com
whois
SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
www.blinglj.com
whois
CA CLOUDFLARENET 23.227.38.74 clean
www.110cy.top
whois
HK Anchnet Asia Limited 156.241.132.45 clean
www.tasteofgadsdencounty.com
whois
US GOOGLE 34.102.136.180 clean
www.tamaracastrillejo.com
whois
US CLOUDFLARENET 104.21.42.37 clean
www.standunitedforamerica.us
whois
US GOOGLE 34.102.136.180 clean
www.wandawallinbristow.com
whois
US IMH-WEST 192.249.119.170 clean
www.oarlary.xyz
whois
US CLOUDFLARENET 104.21.34.240 clean
128.199.158.128
whois
SG DIGITALOCEAN-ASN 128.199.158.128 clean
156.241.132.45
whois
HK Anchnet Asia Limited 156.241.132.45 clean
34.102.136.180
whois
US GOOGLE 34.102.136.180 mailcious
100.24.208.97
whois
US AMAZON-AES 100.24.208.97 clean
182.50.132.242
whois
SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 mailcious
192.249.119.170
whois
US IMH-WEST 192.249.119.170 clean
198.12.107.117
whois
US AS-COLOCROSSING 198.12.107.117 malware
3.223.115.185
whois
US AMAZON-AES 3.223.115.185 mailcious
172.67.155.197
whois
US CLOUDFLARENET 172.67.155.197 clean
172.67.166.87
whois
US CLOUDFLARENET 172.67.166.87 clean
104.21.2.9
whois
US CLOUDFLARENET 104.21.2.9 clean
23.227.38.74
whois
CA CLOUDFLARENET 23.227.38.74 mailcious
91.184.0.100
whois
NL Hostnet B.V. 91.184.0.100 mailcious

Suricata ids

ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE FormBook CnC Checkin (GET)
ET INFO HTTP Request to a *.top domain
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET HUNTING Request to .TOP Domain with Minimal Headers

Similarity measure (PE file only) - Checking for service failure