Report - soccer.png

PE File: PE32 DLL
Created: 2021.11.10 07:43
Machine: s1_win7_x6401
Filename: soccer.png
Type: PE32 executable (DLL) (native) Intel 80386, for MS Windows

Note: the .png extension does not match the content. The file is a native PE32 DLL; the image extension is a disguise, not a format the loader cares about.
AI Score: 6
Behavior Score: 6.4
ZERO API (file): clean
VT API (file): no result shown

Note: the file-reputation verdict ("clean") is at odds with the behaviour score and with the network table below, where every destination is marked malicious. Read the file verdict alongside the behavioural and network results, not on its own.
md5 ccbaa028f68b0ffa02796dc3ced379d0
sha256 575b52c21f5011e5cde3fb4441854293b79deb71773e3594161b95bae40ab26a
ssdeep 6144:1uNDZo15/Lb175yZhtHQqPm52aYYiHx/874uQYKJHD4YsYrde7:qDSHL575qLP0tKJHo1
imphash 17cd9f87fbb27686b2cd8f8d33695e92
impfuzzy 6:/87mRxn5XobPbmRxGZRHmRxaj7bCmRxVUAo:kqRJJobiRgARQj7pRdo

Signatures (14)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername

Rules (3)

Level Name Description Collection
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6)

Request | CC | ASN / organisation | IPv4 | Rule | ZERO verdict
https://46.99.175.217/soc1/TEST22-PC_W617601.378045778DBB3760B151EB7F4F5930FF/5/file/ | AL | IPKO Telecommunications LLC | 46.99.175.217 | 5810 | malicious
216.166.148.187 | US | CYBERNET1 | 216.166.148.187 | | malicious
46.99.175.217 | AL | IPKO Telecommunications LLC | 46.99.175.217 | | malicious
185.56.175.122 | PL | Virtuaoperator Sp. z o.o. | 185.56.175.122 | | malicious
46.99.175.149 | AL | IPKO Telecommunications LLC | 46.99.175.149 | | malicious
65.152.201.203 | US | CENTURYLINK-US-LEGACY-QWEST | 65.152.201.203 | | malicious

All six destinations are bare IPv4 addresses rather than hostnames, which is what the "Communicates with host for which no DNS query was performed" signature above records. The one captured URL carries what appears to be the sandbox's computer name (TEST22-PC) in its path, consistent with the "Queries for the computername" signature.
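The captured request is the one network artifact worth turning into detection logic. Its path, `/soc1/TEST22-PC_W617601.378045778DBB3760B151EB7F4F5930FF/5/file/`, can be read as `<tag>/<computername>_W<OS version>.<32-hex id>/<command>/<action>/`: TEST22-PC matches the host name the sample queried, and W617601 decodes as Windows 6.1 build 7601 (Windows 7 SP1), the OS of the s1_win7 analysis machine. That decoding, and the field names used below, are the editor's interpretation; the sandbox report does not state them. The following Python is an added example and is not part of the report or of the sandbox's tooling. It extracts that path shape from proxy log lines and cross-checks the destination against the IPs listed above. The log lines are constructed for the example: the first reuses the report's URL, the other two are invented.

```python
"""Parse and flag beacon-style URLs of the shape seen in the soccer.png report.

Added example for this report page; not part of the sandbox output. The field
names (tag, computername, osver, botid, command, action) are the editor's
interpretation of the path and are assumptions, not something the sandbox states.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Destination IPs as listed in the report's Network table (all marked malicious).
REPORT_IOCS = frozenset({
    "46.99.175.217", "216.166.148.187", "46.99.175.149",
    "185.56.175.122", "65.152.201.203",
})

# Shape of the recorded request:
#   https://46.99.175.217/soc1/TEST22-PC_W617601.378045778DBB3760B151EB7F4F5930FF/5/file/
# read (assumption) as  <tag>/<computername>_W<osver>.<32-hex id>/<command>[/<action>]/
BEACON_RE = re.compile(
    r"^https?://(?P<host>(?:\d{1,3}\.){3}\d{1,3})(?::\d+)?"   # literal IPv4: no DNS lookup precedes it
    r"/(?P<tag>[A-Za-z0-9]+)"
    r"/(?P<computername>[A-Za-z0-9-]+)_W(?P<osver>\d{5,8})"
    r"\.(?P<botid>[0-9A-F]{32})"
    r"/(?P<command>\d+)(?:/(?P<action>[a-z]+))?/?$"
)


@dataclass
class Beacon:
    host: str
    tag: str
    computername: str
    osver: str
    botid: str
    command: str
    action: Optional[str]


def parse_beacon(url: str) -> Optional[Beacon]:
    """Return the decoded fields if the URL has the beacon shape, else None."""
    m = BEACON_RE.match(url)
    return Beacon(**m.groupdict()) if m else None


def windows_version(osver: str) -> str:
    """Decode the W-prefixed digits as major.minor.build (assumption).

    '617601' -> '6.1.7601', i.e. Windows 7 SP1, the sandbox machine's OS.
    A leading '10' is treated as the major version (e.g. '10019041' -> '10.0.19041').
    """
    if osver.startswith("10") and len(osver) >= 7:
        return f"10.{osver[2]}.{osver[3:]}"
    return f"{osver[0]}.{osver[1]}.{osver[2:]}"


@dataclass
class Hit:
    line_no: int
    beacon: Beacon
    known_ioc: bool  # destination appears in the report's IP list


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Flag log lines whose URL token matches the beacon shape.

    Each line is expected to contain one whitespace-separated http(s) URL.
    """
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        url = next((tok for tok in line.split() if tok.startswith("http")), None)
        if url is None:
            continue
        beacon = parse_beacon(url)
        if beacon:
            hits.append(Hit(n, beacon, beacon.host in REPORT_IOCS))
    return hits


# Constructed proxy log lines for the example. The first reuses the report's URL;
# the second is a benign request that must not match; the third is an invented
# same-shape request with another host, a different command and no action segment.
SAMPLE_PROXY_LOG = [
    "2021-11-10T07:44:02Z TEST22-PC CONNECT https://46.99.175.217/soc1/TEST22-PC_W617601.378045778DBB3760B151EB7F4F5930FF/5/file/ 200",
    "2021-11-10T07:44:05Z TEST22-PC GET https://www.microsoft.com/en-us/ 200",
    "2021-11-10T07:45:10Z WS-042 POST https://185.56.175.122/soc1/WS-042_W617601.0A1B2C3D4E5F60718293A4B5C6D7E8F9/14/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        b = hit.beacon
        print(f"line {hit.line_no}: host={b.host} known_ioc={hit.known_ioc} tag={b.tag} "
              f"computer={b.computername} windows={windows_version(b.osver)} "
              f"id={b.botid} cmd={b.command} action={b.action}")
```

Matching on the path shape rather than on the five IPs is the durable part: the addresses in this report were already unresponsive when the sandbox ran ("Connects to IP addresses that are no longer responding"), whereas the host-name-plus-OS-version-plus-hex-id client identifier is what a replacement infrastructure would still have to send.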

Suricata IDS (no alerts recorded in this report)

PE API

IAT (Import Address Table)

KERNEL32.dll
 0x100a5000 CreateFileA
 0x100a5004 LeaveCriticalSection
 0x100a5008 GetLastError
 0x100a500c WaitForMultipleObjects
 0x100a5010 EnterCriticalSection
 0x100a5014 InitializeCriticalSection
 0x100a5018 WaitForSingleObject
 0x100a501c WideCharToMultiByte
 0x100a5020 DeleteCriticalSection
 0x100a5024 GetCurrentThread

EAT (Export Address Table)

0x1006d0f0 TyreDokgW

The DLL exposes a single export with an arbitrary-looking name. Whatever loads it (for example a rundll32 or regsvr32 command line) has to name this entry point, so the string is worth matching on in process-creation telemetry alongside the file hashes above.


Similarity measure (PE file only): no result recorded