popup

Report - bwmonitor.exe

Emotet RAT Gen1 Generic Malware Themida Packer Malicious Library Antivirus Malicious Packer UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File GIF Format .NET EXE PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.11 10:08 Machine s1_win7_x6401
Filename bwmonitor.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
 Behavior Score
15.4
ZERO API file : malware
VT API (file) 18 detected (Midie, Artemis, malicious, ccnc, ai score=87, Sabsik)
md5 583ec7c5fb5616cf290f0f5ec21582d7
sha256 b57dbb7601b0c59ee978d1201f31935c0d869f29c49259a879a627e768cff74c
ssdeep 98304:8SiiW/MPTZPY1kzHHS5UyLfgWJaJCUx0yT4z0AYY+nPcMy:ukUkzHy5zf/STbTEv5Kcj
imphash 5a594319a0d69dbc452e748bcf05892e
impfuzzy 48:ukHAxN9RJjD3vF9X1RfOz9O1hr8XNVXGSHAS4Fo/g/RvEj5MlVNb7q/cE:ukH+NbJj7N9X1tOz9Yhr8XbalVNb7CcE
  Network IP location

Signature (37cnts)

Level Description
warning Generates some ICMP traffic
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the version of Bios
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects Virtual Machines through their custom firmware
watch Detects VMWare through the in instruction feature
watch File has been identified by 18 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local FTP client softwares
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Resolves a suspicious Top Level Domain (TLD)
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (29cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_1_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning themida_packer themida packer binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (8cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://8yfg.federguda.ru/
whois
RU JSC RTComm.RU 81.177.141.85 clean
https://iplogger.org/favicon.ico
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://iplogger.org/1hWNy7
whois
DE Hetzner Online GmbH 88.99.66.31 clean
8yfg.federguda.ru
whois
RU JSC RTComm.RU 81.177.141.85 clean
iplogger.org
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
40.121.139.210
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 40.121.139.210 clean
88.99.66.31
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
81.177.141.85
whois
RU JSC RTComm.RU 81.177.141.85 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x4c22e4 GetACP
 0x4c22e8 GetExitCodeProcess
 0x4c22ec LocalFree
 0x4c22f0 CloseHandle
 0x4c22f4 SizeofResource
 0x4c22f8 VirtualProtect
 0x4c22fc VirtualFree
 0x4c2300 GetFullPathNameW
 0x4c2304 ExitProcess
 0x4c2308 HeapAlloc
 0x4c230c GetCPInfoExW
 0x4c2310 RtlUnwind
 0x4c2314 GetCPInfo
 0x4c2318 GetStdHandle
 0x4c231c GetModuleHandleW
 0x4c2320 FreeLibrary
 0x4c2324 HeapDestroy
 0x4c2328 ReadFile
 0x4c232c CreateProcessW
 0x4c2330 GetLastError
 0x4c2334 GetModuleFileNameW
 0x4c2338 SetLastError
 0x4c233c FindResourceW
 0x4c2340 CreateThread
 0x4c2344 CompareStringW
 0x4c2348 LoadLibraryA
 0x4c234c ResetEvent
 0x4c2350 GetVersion
 0x4c2354 RaiseException
 0x4c2358 FormatMessageW
 0x4c235c SwitchToThread
 0x4c2360 GetExitCodeThread
 0x4c2364 GetCurrentThread
 0x4c2368 LoadLibraryExW
 0x4c236c LockResource
 0x4c2370 GetCurrentThreadId
 0x4c2374 UnhandledExceptionFilter
 0x4c2378 VirtualQuery
 0x4c237c VirtualQueryEx
 0x4c2380 Sleep
 0x4c2384 EnterCriticalSection
 0x4c2388 SetFilePointer
 0x4c238c LoadResource
 0x4c2390 SuspendThread
 0x4c2394 GetTickCount
 0x4c2398 GetFileSize
 0x4c239c GetStartupInfoW
 0x4c23a0 GetFileAttributesW
 0x4c23a4 InitializeCriticalSection
 0x4c23a8 GetThreadPriority
 0x4c23ac SetThreadPriority
 0x4c23b0 GetCurrentProcess
 0x4c23b4 VirtualAlloc
 0x4c23b8 GetSystemInfo
 0x4c23bc GetCommandLineW
 0x4c23c0 LeaveCriticalSection
 0x4c23c4 GetProcAddress
 0x4c23c8 ResumeThread
 0x4c23cc GetVersionExW
 0x4c23d0 VerifyVersionInfoW
 0x4c23d4 HeapCreate
 0x4c23d8 GetWindowsDirectoryW
 0x4c23dc VerSetConditionMask
 0x4c23e0 GetDiskFreeSpaceW
 0x4c23e4 FindFirstFileW
 0x4c23e8 GetUserDefaultUILanguage
 0x4c23ec lstrlenW
 0x4c23f0 QueryPerformanceCounter
 0x4c23f4 SetEndOfFile
 0x4c23f8 HeapFree
 0x4c23fc WideCharToMultiByte
 0x4c2400 FindClose
 0x4c2404 MultiByteToWideChar
 0x4c2408 LoadLibraryW
 0x4c240c SetEvent
 0x4c2410 CreateFileW
 0x4c2414 GetLocaleInfoW
 0x4c2418 GetSystemDirectoryW
 0x4c241c DeleteFileW
 0x4c2420 GetLocalTime
 0x4c2424 GetEnvironmentVariableW
 0x4c2428 WaitForSingleObject
 0x4c242c WriteFile
 0x4c2430 ExitThread
 0x4c2434 DeleteCriticalSection
 0x4c2438 TlsGetValue
 0x4c243c GetDateFormatW
 0x4c2440 SetErrorMode
 0x4c2444 IsValidLocale
 0x4c2448 TlsSetValue
 0x4c244c CreateDirectoryW
 0x4c2450 GetSystemDefaultUILanguage
 0x4c2454 EnumCalendarInfoW
 0x4c2458 LocalAlloc
 0x4c245c GetUserDefaultLangID
 0x4c2460 RemoveDirectoryW
 0x4c2464 CreateEventW
 0x4c2468 SetThreadLocale
 0x4c246c GetThreadLocale
comctl32.dll
 0x4c2474 InitCommonControls
version.dll
 0x4c247c GetFileVersionInfoSizeW
 0x4c2480 VerQueryValueW
 0x4c2484 GetFileVersionInfoW
user32.dll
 0x4c248c CreateWindowExW
 0x4c2490 TranslateMessage
 0x4c2494 CharLowerBuffW
 0x4c2498 CallWindowProcW
 0x4c249c CharUpperW
 0x4c24a0 PeekMessageW
 0x4c24a4 GetSystemMetrics
 0x4c24a8 SetWindowLongW
 0x4c24ac MessageBoxW
 0x4c24b0 DestroyWindow
 0x4c24b4 CharUpperBuffW
 0x4c24b8 CharNextW
 0x4c24bc MsgWaitForMultipleObjects
 0x4c24c0 LoadStringW
 0x4c24c4 ExitWindowsEx
 0x4c24c8 DispatchMessageW
oleaut32.dll
 0x4c24d0 SysAllocStringLen
 0x4c24d4 SafeArrayPtrOfIndex
 0x4c24d8 VariantCopy
 0x4c24dc SafeArrayGetLBound
 0x4c24e0 SafeArrayGetUBound
 0x4c24e4 VariantInit
 0x4c24e8 VariantClear
 0x4c24ec SysFreeString
 0x4c24f0 SysReAllocStringLen
 0x4c24f4 VariantChangeType
 0x4c24f8 SafeArrayCreate
netapi32.dll
 0x4c2500 NetWkstaGetInfo
 0x4c2504 NetApiBufferFree
advapi32.dll
 0x4c250c RegQueryValueExW
 0x4c2510 AdjustTokenPrivileges
 0x4c2514 LookupPrivilegeValueW
 0x4c2518 RegCloseKey
 0x4c251c OpenProcessToken
 0x4c2520 RegOpenKeyExW

EAT(Export Address Table) Library

0x454060 TMethodImplementationIntercept
0x40d0a0 __dbk_fcall_wrapper
0x4be63c dbkFCallWrapperAddr

Similarity measure (PE file only) - Checking for service failure