Report - 171.exe

Tags: Gen1, Gen2, Malicious Library, UPX, Malicious Packer, ASPack, PE File, PE32, DLL, OS Processor Check, JPEG Format
Created 2021.11.01 10:30 Machine s1_win7_x6401
Filename 171.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score 7
Behavior Score 8.0
ZERO API file : clean
VT API (file) 24 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, Attribute, HighConfidence, GenKryptik, FMTU, Racealer, MultiPlug, VirRansom, Static AI, Malicious PE, Sabsik, score, R447768, Artemis, PasswordStealer, ZexaF, jHW@aS2h6fk, confidence)
md5 f1542d07c0aa2b2727b4ebdeeabc21f4
sha256 eab5f3d7e83f7bc51045f22745fd71ec9e7e1e60194e8400c54bb9d0d165841b
ssdeep 24576:0knsnrhiMgnFimm36pd5/uYjExMAqkozpBCNtzwAb6FSGLTEZl+:RsFYFKIGaeNoVBCTzgIGXQ
imphash 835da68f7e7e29ef9a08f899d20e0925
impfuzzy 24:8fCejrOov1lDIcLVr+X53XZxr9WNOqz2GMZO:8fCCaVc5KXlJeNOqz2GJ

Signature (19cnts)

Level Description
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid)
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (13cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch ASPack_Zero ASPack packed file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)

Network (8cnts)

Request CC ASN Co IP4 Rule ZERO
http://toptelete.top/vvhotsummer US CLOUDFLARENET 172.67.160.46 clean
http://91.219.236.97/ HU ServerAstra Kft. 91.219.236.97 clean
http://91.219.236.97//l/f/iJ4a2XwB3dP17SpzW9k5/f9936c6dcab7f0e94aedce65556b8dc854846e65 HU ServerAstra Kft. 91.219.236.97 clean
http://91.219.236.97//l/f/iJ4a2XwB3dP17SpzW9k5/224d59f47d4eab7e71549ac5144226bf66bfb7a6 HU ServerAstra Kft. 91.219.236.97 clean
toptelete.top US CLOUDFLARENET 104.21.9.146 clean
telegalive.top Unknown clean
104.21.9.146 US CLOUDFLARENET 104.21.9.146 clean
91.219.236.97 HU ServerAstra Kft. 91.219.236.97 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x798130 DeleteCriticalSection
 0x798134 EnterCriticalSection
 0x798138 ExitProcess
 0x79813c FindClose
 0x798140 FindFirstFileA
 0x798144 FindNextFileA
 0x798148 FreeLibrary
 0x79814c GetCommandLineA
 0x798150 GetLastError
 0x798154 GetModuleHandleA
 0x798158 GetProcAddress
 0x79815c InitializeCriticalSection
 0x798160 LeaveCriticalSection
 0x798164 LoadLibraryA
 0x798168 SetUnhandledExceptionFilter
 0x79816c TlsGetValue
 0x798170 VirtualProtect
 0x798174 VirtualQuery
msvcrt.dll
 0x79817c _strdup
 0x798180 _stricoll
msvcrt.dll
 0x798188 __getmainargs
 0x79818c __mb_cur_max
 0x798190 __p__environ
 0x798194 __p__fmode
 0x798198 __set_app_type
 0x79819c _cexit
 0x7981a0 _errno
 0x7981a4 _fmode
 0x7981a8 _fpreset
 0x7981ac _fullpath
 0x7981b0 _iob
 0x7981b4 _isctype
 0x7981b8 _onexit
 0x7981bc _pctype
 0x7981c0 _setmode
 0x7981c4 abort
 0x7981c8 atexit
 0x7981cc calloc
 0x7981d0 free
 0x7981d4 fwrite
 0x7981d8 malloc
 0x7981dc mbstowcs
 0x7981e0 memcpy
 0x7981e4 memset
 0x7981e8 realloc
 0x7981ec setlocale
 0x7981f0 signal
 0x7981f4 strcoll
 0x7981f8 strcpy
 0x7981fc strlen
 0x798200 tolower
 0x798204 vfprintf
 0x798208 wcstombs

EAT(Export Address Table) is none
