popup

Report - ww_testFS_0211_single.exe

RAT Gen1 Generic Malware Malicious Library UPX Malicious Packer ASPack PE File OS Processor Check PE32 PE64 DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.11.04 15:09 Machine s1_win7_x6401
Filename ww_testFS_0211_single.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
3
 Behavior Score
16.4
ZERO API file : clean
VT API (file) 23 detected (Convagent, Fragtor, Unsafe, Attribute, HighConfidence, Malicious, DropperX, ZexaF, ku0@aGavv0aO, Sabsik, BScope, FileCryptor, Pgxa)
md5 4ea672ca05b3c1e7d131ecc108c7e7f1
sha256 95972f593721107647a703bdd022f36f88737204c2ad575a77c25acfc2f21d4f
ssdeep 3072:LSftzo1YmKFiiIKhb6xKcB3bV3g2Zh+15/yyvcOGkXOxTxoAHL+laxn1955Nh8uq:8H4qMxKeV3PANyyvcOGkXYTxjil61b55
imphash 2c02c1999142edb52caad79376c81ce6
impfuzzy 24:TCvNoXcD0aXFJBlgtX1rMYDc+i9rosvDSOovbO9Z2M9z:exXxKtX1rMmc+iZzJ3X
  Network IP location

Signature (35cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Disables Windows Security features
warning File has been identified by 23 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Attempts to create or modify system certificates
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the processes ww_testfs_0211_single.exe
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername

Rules (17cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch ASPack_Zero ASPack packed file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (63cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://staticimg.youtuuee.com/api/?sid=2098765&key=a7620f1fdb5530186e00465d6d97c1bb
whois
LV ENZUINC 45.136.151.102 5258 mailcious
http://imgs.googlwaa.com/lqosko/p18j/cust9.exe
whois
NL ENZUINC 45.136.113.13 malware
http://www.hzradiant.com/askinstall42.exe
whois
DE PlusServer GmbH 194.163.158.120 clean
http://ip-api.com/json/
whois
US TUT-AS 208.95.112.1 clean
http://dataonestorage.com/search_hyperfs_209.exe
whois
DE XSServer GmbH 45.142.182.152 clean
http://45.133.1.182/proxies.txt
whois
US DEDIPATH-LLC 45.133.1.182 6139 mailcious
http://212.192.241.62/base/api/statistics.php
whois
Unknown 212.192.241.62 clean
http://eguntong.com/pub33.exe
whois
RU OOO Network of data-centers Selectel 5.8.76.205 clean
http://staticimg.youtuuee.com/api/fbtime
whois
LV ENZUINC 45.136.151.102 6464 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US CCCH-3 23.216.159.9 clean
http://212.192.241.62/base/api/getData.php
whois
Unknown 212.192.241.62 clean
http://45.133.1.107/server.txt
whois
US DEDIPATH-LLC 45.133.1.107 clean
http://45.133.1.107/download/NiceProcessX64.bmp
whois
US DEDIPATH-LLC 45.133.1.107 malware
http://212.192.241.62/service/communication.php
whois
Unknown 212.192.241.62 clean
http://www.hzradiant.com/askhelp42/askinstall42.exe
whois
DE PlusServer GmbH 194.163.158.120 clean
https://f.gogamef.com/userhome/22/23ce6573d0b61d1c6b7a3a8c1cdf07b2.exe
whois
US CLOUDFLARENET 172.67.136.94 clean
https://cdn.discordapp.com/attachments/891006172130345095/905376099935080508/realV2_0301.bmp
whois
Unknown 162.159.134.233 clean
https://cdn.discordapp.com/attachments/896617596772839426/897483264074350653/Service.bmp
whois
Unknown 162.159.134.233 clean
https://cdn.discordapp.com/attachments/896617596772839426/899593707228135434/Cube_WW14.bmp
whois
Unknown 162.159.134.233 clean
https://d.gogamed.com/userhome/22/any.exe
whois
US CLOUDFLARENET 104.21.59.236 clean
https://yandex.ru/
whois
RU YANDEX LLC 5.255.255.70 clean
https://el5en1977834657.s3.ap-south-1.amazonaws.com/kak.exe
whois
Unknown 52.219.156.6 clean
https://cdn.discordapp.com/attachments/891006172130345095/905393686618193921/help0301.bmp
whois
Unknown 162.159.134.233 clean
https://ipinfo.io/widget
whois
US GOOGLE 34.117.59.81 clean
https://cdn.discordapp.com/attachments/891021838312931420/902505896159113296/PL_Client.bmp
whois
Unknown 162.159.134.233 clean
d.gogamed.com
whois
US CLOUDFLARENET 104.21.59.236 clean
imgs.googlwaa.com
whois
NL ENZUINC 45.136.113.13 malware
el5en1977834657.s3.ap-south-1.amazonaws.com
whois
Unknown 52.219.158.50 clean
t.gogamec.com
whois
US CLOUDFLARENET 104.21.85.99 clean
apps.identrust.com
whois
US CCCH-3 23.216.159.81 clean
iplis.ru
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
ip-api.com
whois
US TUT-AS 208.95.112.1 clean
eguntong.com
whois
RU OOO Network of data-centers Selectel 5.8.76.205 clean
f.gogamef.com
whois
US CLOUDFLARENET 104.21.72.228 clean
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
twitter.com
whois
US TWITTER 104.244.42.65 clean
dataonestorage.com
whois
DE XSServer GmbH 45.142.182.152 malware
telegram.org
whois
GB Telegram Messenger Inc 149.154.167.99 clean
cdn.discordapp.com
whois
Unknown 162.159.130.233 malware
yandex.ru
whois
RU YANDEX LLC 5.255.255.70 clean
www.hzradiant.com
whois
DE PlusServer GmbH 194.163.158.120 clean
staticimg.youtuuee.com
whois
LV ENZUINC 45.136.151.102 mailcious
52.219.156.6
whois
Unknown 52.219.156.6 clean
119.207.65.81
whois
KR Korea Telecom 119.207.65.81 suspicious
172.67.136.94
whois
US CLOUDFLARENET 172.67.136.94 clean
5.8.76.205
whois
RU OOO Network of data-centers Selectel 5.8.76.205 clean
5.255.255.70
whois
RU YANDEX LLC 5.255.255.70 clean
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 clean
45.142.182.152
whois
DE XSServer GmbH 45.142.182.152 clean
88.99.66.31
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
45.133.1.107
whois
US DEDIPATH-LLC 45.133.1.107 malware
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
45.133.1.182
whois
US DEDIPATH-LLC 45.133.1.182 malware
23.216.159.81
whois
US CCCH-3 23.216.159.81 clean
208.95.112.1
whois
US TUT-AS 208.95.112.1 clean
45.136.151.102
whois
LV ENZUINC 45.136.151.102 mailcious
162.159.134.233
whois
Unknown 162.159.134.233 malware
194.163.158.120
whois
DE PlusServer GmbH 194.163.158.120 malware
45.136.113.13
whois
NL ENZUINC 45.136.113.13 malware
212.192.241.62
whois
Unknown 212.192.241.62 clean
104.244.42.193
whois
US TWITTER 104.244.42.193 suspicious
172.67.204.112
whois
US CLOUDFLARENET 172.67.204.112 clean
104.21.59.236
whois
US CLOUDFLARENET 104.21.59.236 clean

Suricata ids

SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
ET POLICY External IP Lookup ip-api.com

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x423000 ReadFile
 0x423004 GetCurrentProcess
 0x423008 lstrcatA
 0x42300c GetModuleHandleA
 0x423010 SetCurrentDirectoryA
 0x423014 GetModuleHandleExA
 0x423018 CreateFileA
 0x42301c lstrcpyA
 0x423020 CloseHandle
 0x423024 GetFileSize
 0x423028 GetLastError
 0x42302c GetProcAddress
 0x423030 HeapFree
 0x423034 WriteFile
 0x423038 lstrlenA
 0x42303c lstrcpynA
 0x423040 WriteConsoleW
 0x423044 QueryPerformanceCounter
 0x423048 SetLastError
 0x42304c InitializeCriticalSectionAndSpinCount
 0x423050 TlsAlloc
 0x423054 TlsGetValue
 0x423058 TlsSetValue
 0x42305c TlsFree
 0x423060 GetSystemTimeAsFileTime
 0x423064 GetModuleHandleW
 0x423068 UnhandledExceptionFilter
 0x42306c SetUnhandledExceptionFilter
 0x423070 TerminateProcess
 0x423074 IsProcessorFeaturePresent
 0x423078 IsDebuggerPresent
 0x42307c GetStartupInfoW
 0x423080 GetCurrentProcessId
 0x423084 GetCurrentThreadId
 0x423088 InitializeSListHead
 0x42308c RtlUnwind
 0x423090 RaiseException
 0x423094 EncodePointer
 0x423098 EnterCriticalSection
 0x42309c LeaveCriticalSection
 0x4230a0 DeleteCriticalSection
 0x4230a4 FreeLibrary
 0x4230a8 LoadLibraryExW
 0x4230ac ExitProcess
 0x4230b0 GetModuleHandleExW
 0x4230b4 GetModuleFileNameW
 0x4230b8 GetStdHandle
 0x4230bc SetFilePointerEx
 0x4230c0 GetFileType
 0x4230c4 HeapAlloc
 0x4230c8 LCMapStringW
 0x4230cc FindClose
 0x4230d0 FindFirstFileExW
 0x4230d4 FindNextFileW
 0x4230d8 IsValidCodePage
 0x4230dc GetACP
 0x4230e0 GetOEMCP
 0x4230e4 GetCPInfo
 0x4230e8 GetCommandLineA
 0x4230ec GetCommandLineW
 0x4230f0 MultiByteToWideChar
 0x4230f4 WideCharToMultiByte
 0x4230f8 GetEnvironmentStringsW
 0x4230fc FreeEnvironmentStringsW
 0x423100 GetProcessHeap
 0x423104 SetStdHandle
 0x423108 GetStringTypeW
 0x42310c GetConsoleMode
 0x423110 FlushFileBuffers
 0x423114 GetConsoleOutputCP
 0x423118 HeapSize
 0x42311c HeapReAlloc
 0x423120 CreateFileW
 0x423124 DecodePointer

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure