popup

Report - cock.mp4

Gen2 Gen1 VMProtect Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.19 09:55 Machine s1_win7_x6401
Filename cock.mp4
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
8
 Behavior Score
13.8
ZERO API file : malware
VT API (file) 24 detected (Androm, Unsafe, ZexaE, @F1@aydqv0hi, Attribute, HighConfidence, a variant of Generik, JQZCPUD, Malicious, uuli, VMProtBad, Artemis, Static AI, Suspicious PE, CredStealer, 5F65S2, InvalidSig, kcloud, Sabsik, Outbreak, susgen, PossibleThreat)
md5 d050948cba26749ca0ae38c401cae549
sha256 ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091
ssdeep 98304:Jf0gnUUlBQgyoOqHAvtgWgyuccfQ+qDh/d8:h0gUUlqHqMgyuTfQ2
imphash 2c58ba983cbcad8b3c06c5b4f999bb55
impfuzzy 12:8QwDiQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:8Qw2Q58QtXJHc9NDI5Q8
  Network IP location

Signature (32cnts)

Level Description
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to remove evidence of file being downloaded from the Internet
watch Checks the version of Bios
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local FTP client softwares
watch Network activity contains more than one unique useragent
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process cock.mp4
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Reads the systems User Agent and subsequently performs requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (14cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch VMProtect_Zero VMProtect packed file binaries (download)
watch VMProtect_Zero VMProtect packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)

Network (8cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://128.199.63.64/deepanal/gate.php?type=report&tag=traffic3&uid=39B06D4D868D1303186797&passwords=0&cookies=0&autofill=0&cc=0&wallets=0&steam=0&battlenet=0&telegram=1&discord=0&jabber=0&vpn=0&ftp=1
whois
NL DIGITALOCEAN-ASN 128.199.63.64 clean
http://128.199.63.64/deepanal/gate.php?type=settings
whois
NL DIGITALOCEAN-ASN 128.199.63.64 clean
http://128.199.63.64/deepanal/gate.php?type=loader&tag=traffic3
whois
NL DIGITALOCEAN-ASN 128.199.63.64 clean
http://128.199.63.64/hoetnaca/exps/1.exe
whois
NL DIGITALOCEAN-ASN 128.199.63.64 clean
http://128.199.63.64/deepanal/gate.php?type=ip
whois
NL DIGITALOCEAN-ASN 128.199.63.64 clean
http://128.199.63.64/deepanal/system/assets/bundle.bin
whois
NL DIGITALOCEAN-ASN 128.199.63.64 clean
128.199.63.64
whois
NL DIGITALOCEAN-ASN 128.199.63.64 malware
185.121.177.177
whois
AQ Silent Ghost e.U. 185.121.177.177 mailcious

Suricata ids

ET MALWARE Generic .bin download from Dotted Quad
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Generic gate .php GET with minimal headers
ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
ET HUNTING Suspicious GET To gate.php with no Referer
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x925000 VirtualAlloc
USER32.dll
 0x925008 MessageBoxW
WTSAPI32.dll
 0x925010 WTSSendMessageW
KERNEL32.dll
 0x925018 VirtualQuery
USER32.dll
 0x925020 GetProcessWindowStation
KERNEL32.dll
 0x925028 LocalAlloc
 0x92502c LocalFree
 0x925030 GetModuleFileNameW
 0x925034 GetProcessAffinityMask
 0x925038 SetProcessAffinityMask
 0x92503c SetThreadAffinityMask
 0x925040 Sleep
 0x925044 ExitProcess
 0x925048 FreeLibrary
 0x92504c LoadLibraryA
 0x925050 GetModuleHandleA
 0x925054 GetProcAddress
USER32.dll
 0x92505c GetProcessWindowStation
 0x925060 GetUserObjectInformationW

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure