Report - customer6.exe

Tags: ASPack, Malicious Library, UPX, PE64, PE File, OS Processor Check
Created 2021.10.18 09:32 Machine s1_win7_x6402
Filename customer6.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 3
Behavior Score 4.4
ZERO API file : clean
VT API (file) 47 detected (QuiccellK, Fabookie, trRO, Mikey, TrojanPWS, GenericRXAA, PasswordStealer, malicious, confidence, 100%, TurtleLoader, R002C0DJE21, Spyagent, Gencirc, Siggen3, Artemis, owtog, ASMalwS, PSWTroj, kcloud, score, R444062, TrojanPSW, ai score=100, Unsafe, PWSX, FBAdsCard, CLASSIC, ztmnNuryMyE, susgen)
md5 807f55cee679ba76724aee80756a0c4f
sha256 d788b085cc98c274abd24c4ac8d00f870297dc4f5b68684af8a5c328cc50beb4
ssdeep 24576:ur0Y0b3wTBY0zc3OHmIOss9/DQTBlFadP6WNltPSQv:ub6gT20iOHmIPWDQll86Ytfv
imphash 0e0b1327b851d652046461e0a8be7593
impfuzzy 96:PQJd+pvvu7Z36BF1Hyvt8V/cgPqr+VKlMoCjc:2uu7ZoFNe0ApRCjc

Signatures (11 counts)

Level Description
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (6 counts)

Level | Name | Description | Collection
watch | ASPack_Zero | ASPack packed file | binaries (upload)
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload)
watch | UPX_Zero | UPX packed file | binaries (upload)
info | IsPE64 | (no description) | binaries (upload)
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload)
info | PE_Header_Zero | PE File Signature | binaries (upload)

Network (7 counts)

Request | CC | ASN Co | IP4 | Rule | ZERO
http://staticimg.youtuuee.com/api/?sid=664553&key=e31e220fe7337c68de757dbfab9338d2 | LV | ENZUINC | 45.136.151.102 | 5258 | malicious
http://staticimg.youtuuee.com/api/fbtime | LV | ENZUINC | 45.136.151.102 | 6464 | malicious
http://ip-api.com/json/ | US | TUT-AS | 208.95.112.1 | | clean
ip-api.com | US | TUT-AS | 208.95.112.1 | | clean
staticimg.youtuuee.com | LV | ENZUINC | 45.136.151.102 | | malicious
45.136.151.102 | LV | ENZUINC | 45.136.151.102 | | malicious
208.95.112.1 | US | TUT-AS | 208.95.112.1 | | clean

Suricata IDs

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x140106038 AreFileApisANSI
 0x140106040 ReadFile
 0x140106048 TryEnterCriticalSection
 0x140106050 HeapCreate
 0x140106058 HeapFree
 0x140106060 EnterCriticalSection
 0x140106068 GetFullPathNameW
 0x140106070 WriteFile
 0x140106078 GetDiskFreeSpaceW
 0x140106080 LockFile
 0x140106088 LeaveCriticalSection
 0x140106090 InitializeCriticalSection
 0x140106098 SetFilePointer
 0x1401060a0 GetFullPathNameA
 0x1401060a8 SetEndOfFile
 0x1401060b0 UnlockFileEx
 0x1401060b8 GetTempPathW
 0x1401060c0 CreateMutexW
 0x1401060c8 WaitForSingleObject
 0x1401060d0 CreateFileW
 0x1401060d8 GetFileAttributesW
 0x1401060e0 GetCurrentThreadId
 0x1401060e8 UnmapViewOfFile
 0x1401060f0 HeapValidate
 0x1401060f8 HeapSize
 0x140106100 MultiByteToWideChar
 0x140106108 GetTempPathA
 0x140106110 GetDiskFreeSpaceA
 0x140106118 GetFileAttributesA
 0x140106120 GetFileAttributesExW
 0x140106128 OutputDebugStringW
 0x140106130 CreateFileA
 0x140106138 LoadLibraryA
 0x140106140 WaitForSingleObjectEx
 0x140106148 DeleteFileA
 0x140106150 DeleteFileW
 0x140106158 HeapReAlloc
 0x140106160 CloseHandle
 0x140106168 GetSystemInfo
 0x140106170 LoadLibraryW
 0x140106178 HeapAlloc
 0x140106180 HeapCompact
 0x140106188 HeapDestroy
 0x140106190 UnlockFile
 0x140106198 GetProcAddress
 0x1401061a0 CreateFileMappingA
 0x1401061a8 LockFileEx
 0x1401061b0 GetFileSize
 0x1401061b8 DeleteCriticalSection
 0x1401061c0 GetCurrentProcessId
 0x1401061c8 GetProcessHeap
 0x1401061d0 SystemTimeToFileTime
 0x1401061d8 FreeLibrary
 0x1401061e0 WideCharToMultiByte
 0x1401061e8 GetSystemTimeAsFileTime
 0x1401061f0 GetSystemTime
 0x1401061f8 FormatMessageA
 0x140106200 CreateFileMappingW
 0x140106208 MapViewOfFile
 0x140106210 QueryPerformanceCounter
 0x140106218 GetTickCount
 0x140106220 FlushFileBuffers
 0x140106228 LocalFree
 0x140106230 GetLastError
 0x140106238 FormatMessageW
 0x140106240 lstrlenW
 0x140106248 FindResourceW
 0x140106250 LoadResource
 0x140106258 LockResource
 0x140106260 SizeofResource
 0x140106268 GetStringTypeW
 0x140106270 EncodePointer
 0x140106278 DecodePointer
 0x140106280 GetCPInfo
 0x140106288 CompareStringW
 0x140106290 LCMapStringW
 0x140106298 GetLocaleInfoW
 0x1401062a0 SetLastError
 0x1401062a8 InitializeCriticalSectionAndSpinCount
 0x1401062b0 CreateEventW
 0x1401062b8 TlsAlloc
 0x1401062c0 TlsGetValue
 0x1401062c8 TlsSetValue
 0x1401062d0 TlsFree
 0x1401062d8 GetModuleHandleW
 0x1401062e0 SetEvent
 0x1401062e8 ResetEvent
 0x1401062f0 InitializeSListHead
 0x1401062f8 RtlCaptureContext
 0x140106300 RtlLookupFunctionEntry
 0x140106308 RtlVirtualUnwind
 0x140106310 IsDebuggerPresent
 0x140106318 UnhandledExceptionFilter
 0x140106320 SetUnhandledExceptionFilter
 0x140106328 GetStartupInfoW
 0x140106330 IsProcessorFeaturePresent
 0x140106338 GetCurrentProcess
 0x140106340 TerminateProcess
 0x140106348 QueryPerformanceFrequency
 0x140106350 GetCurrentThread
 0x140106358 GetThreadTimes
 0x140106360 RtlUnwindEx
 0x140106368 InterlockedPushEntrySList
 0x140106370 RtlPcToFileHeader
 0x140106378 RaiseException
 0x140106380 LoadLibraryExW
 0x140106388 CreateThread
 0x140106390 ExitThread
 0x140106398 FreeLibraryAndExitThread
 0x1401063a0 GetModuleHandleExW
 0x1401063a8 ExitProcess
 0x1401063b0 GetModuleFileNameW
 0x1401063b8 GetStdHandle
 0x1401063c0 IsValidLocale
 0x1401063c8 GetUserDefaultLCID
 0x1401063d0 EnumSystemLocalesW
 0x1401063d8 GetFileType
 0x1401063e0 GetTimeZoneInformation
 0x1401063e8 GetConsoleOutputCP
 0x1401063f0 GetConsoleMode
 0x1401063f8 GetFileSizeEx
 0x140106400 SetFilePointerEx
 0x140106408 ReadConsoleW
 0x140106410 FindClose
 0x140106418 FindFirstFileExW
 0x140106420 FindNextFileW
 0x140106428 IsValidCodePage
 0x140106430 GetACP
 0x140106438 GetOEMCP
 0x140106440 GetCommandLineA
 0x140106448 GetCommandLineW
 0x140106450 GetEnvironmentStringsW
 0x140106458 FreeEnvironmentStringsW
 0x140106460 SetEnvironmentVariableW
 0x140106468 SetStdHandle
 0x140106470 WriteConsoleW
 0x140106478 Sleep
 0x140106480 OutputDebugStringA
 0x140106488 RtlUnwind
ADVAPI32.dll
 0x140106000 RegOpenKeyExW
 0x140106008 RegSetValueExW
 0x140106010 RegCreateKeyW
 0x140106018 RegCloseKey
SHELL32.dll
 0x140106498 SHGetFolderPathW
WINHTTP.dll
 0x1401064a8 WinHttpQueryDataAvailable
 0x1401064b0 WinHttpConnect
 0x1401064b8 WinHttpReceiveResponse
 0x1401064c0 WinHttpOpen
 0x1401064c8 WinHttpAddRequestHeaders
 0x1401064d0 WinHttpQueryHeaders
 0x1401064d8 WinHttpReadData
 0x1401064e0 WinHttpOpenRequest
 0x1401064e8 WinHttpSetOption
 0x1401064f0 WinHttpCloseHandle
 0x1401064f8 WinHttpGetIEProxyConfigForCurrentUser
 0x140106500 WinHttpQueryAuthSchemes
 0x140106508 WinHttpGetProxyForUrl
 0x140106510 WinHttpSendRequest
 0x140106518 WinHttpSetCredentials
CRYPT32.dll
 0x140106028 CryptUnprotectData

EAT (Export Address Table): none
