popup

Report - iKrjYFB.exe

Emotet Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM PE File PE32 OS Proc
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.21 08:21 Machine s1_win7_x6401
Filename iKrjYFB.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
19.2
ZERO API file : clean
VT API (file) 34 detected (Bingoml, malicious, high confidence, Artemis, cobw, Barys, Attribute, HighConfidence, AS suspicious, FileRepMalware, Malware@#1jwrtb3ntu4o, Sabsik, R418855, ai score=85, Unsafe, Static AI, Malicious PE, Score, confidence)
md5 d75805611df55ea0b527e2c8b37be919
sha256 51c5f1806361f36e1e82c128b81e0c1f159196896459e3e90e3eb924b1423191
ssdeep 24576:SQB+A6iqWYUBH8KkTnitZ21I+Sr7YVmiXwTgzZMYiNpPXO0nF44Ptz1lTfH1kOov:SQB1bwEOwrxiXcY+XOAhfVkUU9
imphash bc70c4fa605f17c85050b7c7b6d42e44
impfuzzy 48:NKej6W7pnOT5p9OdGACStp+US1te4XoEpNLu8t+5RlKTACEG6x9V5aU95dSvrzph:NBGWNne5posACStp+US1tmIox/uGro
  Network IP location

Signature (43cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
watch A process attempted to delay the analysis task.
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Looks for the Windows Idle Time to determine the uptime
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates (office) documents on the filesystem
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Resolves a suspicious Top Level Domain (TLD)
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (42cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice Hijack_Network Hijack network configuration memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice Persistence Install itself for autorun at Windows startup memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (8cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://eth0.me/
whois
AT interneX GmbH 5.132.162.27 clean
http://7fdt.federguda.ru/
whois
RU JSC RTComm.RU 81.177.141.85 clean
eth0.me
whois
AT interneX GmbH 5.132.162.27 clean
HgqhpFebtO.HgqhpFebtO
whois
Unknown clean
7fdt.federguda.ru
whois
RU JSC RTComm.RU 81.177.141.85 clean
81.177.141.85
whois
RU JSC RTComm.RU 81.177.141.85 mailcious
195.2.93.45
whois
NL Hosting technology LTD 195.2.93.45 clean
5.132.162.27
whois
AT interneX GmbH 5.132.162.27 clean

Suricata ids

ET MALWARE Arechclient2 Backdoor CnC Init

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x40a000 OpenProcessToken
 0x40a004 GetTokenInformation
 0x40a008 RegSetValueExA
 0x40a00c EqualSid
 0x40a010 RegQueryValueExA
 0x40a014 LookupPrivilegeValueA
 0x40a018 RegCreateKeyExA
 0x40a01c RegOpenKeyExA
 0x40a020 RegQueryInfoKeyA
 0x40a024 RegDeleteValueA
 0x40a028 AllocateAndInitializeSid
 0x40a02c FreeSid
 0x40a030 AdjustTokenPrivileges
 0x40a034 RegCloseKey
KERNEL32.dll
 0x40a060 GetPrivateProfileIntA
 0x40a064 GetFileAttributesA
 0x40a068 IsDBCSLeadByte
 0x40a06c GetSystemDirectoryA
 0x40a070 GlobalUnlock
 0x40a074 GetShortPathNameA
 0x40a078 CreateDirectoryA
 0x40a07c FindFirstFileA
 0x40a080 GetLastError
 0x40a084 GetProcAddress
 0x40a088 RemoveDirectoryA
 0x40a08c SetFileAttributesA
 0x40a090 GlobalFree
 0x40a094 FindClose
 0x40a098 GetPrivateProfileStringA
 0x40a09c LoadLibraryA
 0x40a0a0 LocalAlloc
 0x40a0a4 WritePrivateProfileStringA
 0x40a0a8 GetModuleFileNameA
 0x40a0ac FindNextFileA
 0x40a0b0 CompareStringA
 0x40a0b4 _lopen
 0x40a0b8 CloseHandle
 0x40a0bc LocalFree
 0x40a0c0 DeleteFileA
 0x40a0c4 ExitProcess
 0x40a0c8 DosDateTimeToFileTime
 0x40a0cc CreateFileA
 0x40a0d0 FindResourceA
 0x40a0d4 GlobalAlloc
 0x40a0d8 ExpandEnvironmentStringsA
 0x40a0dc LoadResource
 0x40a0e0 WaitForSingleObject
 0x40a0e4 SetEvent
 0x40a0e8 GetModuleHandleW
 0x40a0ec FormatMessageA
 0x40a0f0 SetFileTime
 0x40a0f4 WriteFile
 0x40a0f8 GetDriveTypeA
 0x40a0fc GetVolumeInformationA
 0x40a100 TerminateThread
 0x40a104 SizeofResource
 0x40a108 CreateEventA
 0x40a10c GetExitCodeProcess
 0x40a110 CreateProcessA
 0x40a114 _llseek
 0x40a118 SetCurrentDirectoryA
 0x40a11c GetTempFileNameA
 0x40a120 ResetEvent
 0x40a124 LockResource
 0x40a128 GetSystemInfo
 0x40a12c LoadLibraryExA
 0x40a130 CreateMutexA
 0x40a134 GetCurrentDirectoryA
 0x40a138 GetVersionExA
 0x40a13c GetVersion
 0x40a140 GetTempPathA
 0x40a144 CreateThread
 0x40a148 LocalFileTimeToFileTime
 0x40a14c SetFilePointer
 0x40a150 GetWindowsDirectoryA
 0x40a154 lstrcmpA
 0x40a158 _lclose
 0x40a15c GlobalLock
 0x40a160 GetCurrentProcess
 0x40a164 FreeResource
 0x40a168 FreeLibrary
 0x40a16c Sleep
 0x40a170 GetStartupInfoA
 0x40a174 UnhandledExceptionFilter
 0x40a178 SetUnhandledExceptionFilter
 0x40a17c TerminateProcess
 0x40a180 OutputDebugStringA
 0x40a184 RtlUnwind
 0x40a188 GetModuleHandleA
 0x40a18c QueryPerformanceCounter
 0x40a190 GetCurrentProcessId
 0x40a194 GetCurrentThreadId
 0x40a198 GetSystemTimeAsFileTime
 0x40a19c GetTickCount
 0x40a1a0 EnumResourceLanguagesA
 0x40a1a4 MulDiv
 0x40a1a8 GetDiskFreeSpaceA
 0x40a1ac ReadFile
GDI32.dll
 0x40a058 GetDeviceCaps
USER32.dll
 0x40a1b4 GetDC
 0x40a1b8 SendMessageA
 0x40a1bc SetForegroundWindow
 0x40a1c0 MsgWaitForMultipleObjects
 0x40a1c4 SendDlgItemMessageA
 0x40a1c8 GetWindowRect
 0x40a1cc MessageBoxA
 0x40a1d0 GetWindowLongA
 0x40a1d4 PeekMessageA
 0x40a1d8 ReleaseDC
 0x40a1dc GetDlgItem
 0x40a1e0 SetWindowPos
 0x40a1e4 ShowWindow
 0x40a1e8 DispatchMessageA
 0x40a1ec SetWindowTextA
 0x40a1f0 EnableWindow
 0x40a1f4 CallWindowProcA
 0x40a1f8 DialogBoxIndirectParamA
 0x40a1fc GetDlgItemTextA
 0x40a200 LoadStringA
 0x40a204 MessageBeep
 0x40a208 CharUpperA
 0x40a20c CharNextA
 0x40a210 ExitWindowsEx
 0x40a214 CharPrevA
 0x40a218 EndDialog
 0x40a21c GetDesktopWindow
 0x40a220 SetDlgItemTextA
 0x40a224 SetWindowLongA
 0x40a228 GetSystemMetrics
msvcrt.dll
 0x40a240 memset
 0x40a244 ?terminate@@YAXXZ
 0x40a248 _controlfp
 0x40a24c memcpy
 0x40a250 _ismbblead
 0x40a254 __p__fmode
 0x40a258 _cexit
 0x40a25c _exit
 0x40a260 exit
 0x40a264 __set_app_type
 0x40a268 __getmainargs
 0x40a26c _acmdln
 0x40a270 _initterm
 0x40a274 _amsg_exit
 0x40a278 __p__commode
 0x40a27c _XcptFilter
 0x40a280 _errno
 0x40a284 _vsnprintf
 0x40a288 __setusermatherr
COMCTL32.dll
 0x40a03c None
Cabinet.dll
 0x40a044 None
 0x40a048 None
 0x40a04c None
 0x40a050 None
VERSION.dll
 0x40a230 GetFileVersionInfoA
 0x40a234 GetFileVersionInfoSizeA
 0x40a238 VerQueryValueA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure