popup

Report - Cube_WW14.bmp

RAT Gen1 Generic Malware Malicious Packer Malicious Library UPX ASPack PE File OS Processor Check PE32 .NET EXE PE64 DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.11.05 09:23 Machine s1_win7_x6403
Filename Cube_WW14.bmp
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
14.8
ZERO API file : clean
VT API (file) 49 detected (AntiSandbox, GenericKDS, GenericRI, S23914449, GenericRXQJ, Unsafe, Disbuk, TrojanPSW, ZexaF, zu0@a04L9YiO, Zusy, Eldorado, Attribute, HighConfidence, Malicious, DropperX, R049C0PJL21, fnplw, ai score=100, ASMalwS, PSWTroj, kcloud, score, R446027, BScope, FileCryptor, Gencirc, susgen, confidence, 100%, HgIASeYA)
md5 7c53b803484c308fa9e64a81afba9608
sha256 a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0
ssdeep 6144:fkP3bQ/UCg7m1ugaSIv1pE0EAPMrGWsWDWidF0HQszCZ2Ftppb9Y81+k7pq7FLfM:f23k/b1ugajS2zt
imphash 6256ca6fb1d33cce27dff272311e3072
impfuzzy 24:TEvNoXcD0aXFJBlgtV1rMYDc+i9rosvDSOovbO9Z2M9z:AxXxKtV1rMmc+iZzJ3X
  Network IP location

Signature (32cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
danger Disables Windows Security features
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the processes cube_ww14.bmp
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Repeatedly searches for a not-found process
notice Resolves a suspicious Top Level Domain (TLD)
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (21cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch ASPack_Zero ASPack packed file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (65cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.hzradiant.com/askhelp42/askinstall42.exe
whois
DE PlusServer GmbH 194.163.158.120 clean
http://212.192.241.15/base/api/statistics.php
whois
Unknown 212.192.241.15 clean
http://imgs.googlwaa.com/lqosko/p18j/cust9.exe
whois
NL ENZUINC 45.136.113.13 malware
http://staticimg.youtuuee.com/api/?sid=600653&key=bfe10d3bf124f043738c20f287bfc0c2
whois
LV ENZUINC 45.136.151.102 5258 mailcious
http://www.hzradiant.com/askinstall42.exe
whois
DE PlusServer GmbH 194.163.158.120 7569 clean
http://ip-api.com/json/
whois
US TUT-AS 208.95.112.1 clean
http://dataonestorage.com/search_hyperfs_209.exe
whois
DE XSServer GmbH 45.142.182.152 7576 clean
http://fouratlinks.com/stockmerchandise/zillaCPM/r4XZt5MYHpEdcdmzqr2D.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://fouratlinks.com/stockmerchandise/serious_punch_upd/HttpTwcyK3R6gQj7t7EY.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://fouratlinks.com/installpartners/ShareFolder.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://eguntong.com/pub33.exe
whois
RU Domain names registrar REG.RU, Ltd 194.87.185.127 7568 clean
http://staticimg.youtuuee.com/api/fbtime
whois
LV ENZUINC 45.136.151.102 6464 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US CCCH-3 23.216.159.9 clean
http://45.133.1.107/server.txt
whois
US DEDIPATH-LLC 45.133.1.107 7522 clean
http://45.133.1.107/download/NiceProcessX64.bmp
whois
US DEDIPATH-LLC 45.133.1.107 malware
http://requestimedout.com/xenocrates/zoroaster
whois
US NAMECHEAP-NET 162.255.117.78 clean
http://fouratlinks.com/Widgets/FolderShare.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://fouratlinks.com/stockmerchandise/total_out_hand/v8hBqWuKscbjZRqNatPw.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://212.192.241.15/base/api/getData.php
whois
Unknown 212.192.241.15 clean
https://connectini.net/Series/SuperNitouDisc.php
whois
CA ACP 162.0.210.44 clean
https://d.gogamed.com/userhome/22/any.exe
whois
US CLOUDFLARENET 172.67.185.110 7571 clean
https://el5en1977834657.s3.ap-south-1.amazonaws.com/kak.exe
whois
Unknown 52.219.158.38 7573 clean
https://connectini.net/S2S/Disc/Disc.php?ezok=folderlyla1&tesla=7
whois
CA ACP 162.0.210.44 clean
https://cdn.discordapp.com/attachments/891006172130345095/905393686618193921/help0301.bmp
whois
Unknown 162.159.130.233 7572 clean
https://ipinfo.io/widget
whois
US GOOGLE 34.117.59.81 clean
https://cdn.discordapp.com/attachments/891021838312931420/902505896159113296/PL_Client.bmp
whois
Unknown 162.159.130.233 7575 clean
requestimedout.com
whois
US NAMECHEAP-NET 162.255.117.78 clean
d.gogamed.com
whois
US CLOUDFLARENET 104.21.59.236 clean
imgs.googlwaa.com
whois
NL ENZUINC 45.136.113.13 malware
fouratlinks.com
whois
US NAMECHEAP-NET 199.192.17.247 clean
t.gogamec.com
whois
US CLOUDFLARENET 172.67.204.112 clean
apps.identrust.com
whois
US CCCH-3 23.216.159.9 clean
iplis.ru
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
ip-api.com
whois
US TUT-AS 208.95.112.1 clean
eguntong.com
whois
RU Domain names registrar REG.RU, Ltd 194.87.185.127 clean
f.gogamef.com
whois
US CLOUDFLARENET 104.21.72.228 clean
iplogger.org
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
connectini.net
whois
CA ACP 162.0.210.44 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
dataonestorage.com
whois
DE XSServer GmbH 45.142.182.152 malware
cdn.discordapp.com
whois
Unknown 162.159.134.233 malware
www.hzradiant.com
whois
DE PlusServer GmbH 194.163.158.120 clean
el5en1977834657.s3.ap-south-1.amazonaws.com
whois
IN AMAZON-02 52.219.66.51 clean
staticimg.youtuuee.com
whois
LV ENZUINC 45.136.151.102 mailcious
182.162.106.42
whois
KR LG DACOM Corporation 182.162.106.42 mailcious
172.67.136.94
whois
US CLOUDFLARENET 172.67.136.94 clean
52.219.158.38
whois
Unknown 52.219.158.38 clean
162.255.117.78
whois
US NAMECHEAP-NET 162.255.117.78 clean
45.142.182.152
whois
DE XSServer GmbH 45.142.182.152 clean
88.99.66.31
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
162.0.210.44
whois
CA ACP 162.0.210.44 mailcious
45.133.1.107
whois
US DEDIPATH-LLC 45.133.1.107 malware
212.192.241.15
whois
Unknown 212.192.241.15 clean
194.87.185.127
whois
RU Domain names registrar REG.RU, Ltd 194.87.185.127 clean
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
104.21.85.99
whois
US CLOUDFLARENET 104.21.85.99 clean
162.159.130.233
whois
Unknown 162.159.130.233 malware
208.95.112.1
whois
US TUT-AS 208.95.112.1 clean
45.136.151.102
whois
LV ENZUINC 45.136.151.102 mailcious
194.163.158.120
whois
DE PlusServer GmbH 194.163.158.120 malware
45.136.113.13
whois
NL ENZUINC 45.136.113.13 malware
199.192.17.247
whois
US NAMECHEAP-NET 199.192.17.247 clean
172.67.204.112
whois
US CLOUDFLARENET 172.67.204.112 clean
172.67.185.110
whois
US CLOUDFLARENET 172.67.185.110 clean
23.76.153.107
whois
US Akamai International B.V. 23.76.153.107 clean

Suricata ids

SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET POLICY External IP Lookup ip-api.com
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x417000 ReadFile
 0x417004 lstrcatA
 0x417008 GetModuleHandleA
 0x41700c SetCurrentDirectoryA
 0x417010 GetModuleHandleExA
 0x417014 CreateFileA
 0x417018 lstrcpyA
 0x41701c CloseHandle
 0x417020 GetFileSize
 0x417024 GetLastError
 0x417028 GetProcAddress
 0x41702c HeapFree
 0x417030 WriteFile
 0x417034 lstrlenA
 0x417038 lstrcpynA
 0x41703c WriteConsoleW
 0x417040 QueryPerformanceCounter
 0x417044 SetLastError
 0x417048 InitializeCriticalSectionAndSpinCount
 0x41704c TlsAlloc
 0x417050 TlsGetValue
 0x417054 TlsSetValue
 0x417058 TlsFree
 0x41705c GetSystemTimeAsFileTime
 0x417060 GetModuleHandleW
 0x417064 UnhandledExceptionFilter
 0x417068 SetUnhandledExceptionFilter
 0x41706c GetCurrentProcess
 0x417070 TerminateProcess
 0x417074 IsProcessorFeaturePresent
 0x417078 IsDebuggerPresent
 0x41707c GetStartupInfoW
 0x417080 GetCurrentProcessId
 0x417084 GetCurrentThreadId
 0x417088 InitializeSListHead
 0x41708c RtlUnwind
 0x417090 RaiseException
 0x417094 EncodePointer
 0x417098 EnterCriticalSection
 0x41709c LeaveCriticalSection
 0x4170a0 DeleteCriticalSection
 0x4170a4 FreeLibrary
 0x4170a8 LoadLibraryExW
 0x4170ac ExitProcess
 0x4170b0 GetModuleHandleExW
 0x4170b4 GetModuleFileNameW
 0x4170b8 GetStdHandle
 0x4170bc SetFilePointerEx
 0x4170c0 GetFileType
 0x4170c4 HeapAlloc
 0x4170c8 LCMapStringW
 0x4170cc FindClose
 0x4170d0 FindFirstFileExW
 0x4170d4 FindNextFileW
 0x4170d8 IsValidCodePage
 0x4170dc GetACP
 0x4170e0 GetOEMCP
 0x4170e4 GetCPInfo
 0x4170e8 GetCommandLineA
 0x4170ec GetCommandLineW
 0x4170f0 MultiByteToWideChar
 0x4170f4 WideCharToMultiByte
 0x4170f8 GetEnvironmentStringsW
 0x4170fc FreeEnvironmentStringsW
 0x417100 GetProcessHeap
 0x417104 SetStdHandle
 0x417108 GetStringTypeW
 0x41710c GetConsoleMode
 0x417110 FlushFileBuffers
 0x417114 GetConsoleOutputCP
 0x417118 HeapSize
 0x41711c HeapReAlloc
 0x417120 CreateFileW
 0x417124 DecodePointer

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure