popup

Report - EYWCET97LV2U.html

Malicious Library AntiDebug AntiVM MSOffice File PNG Format JPEG Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.11.12 07:57 Machine s1_win7_x6402
Filename EYWCET97LV2U.html
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
AI Score Not founds Behavior Score
3.8
ZERO API file : clean
VT API (file) 14 detected (Exp.CVE-2021-40444!g1, Exploit.CVE-2021-40444, Generic.JS.Downloader.Z.39665A4E (B), Generic.JS.Downloader.Z.39665A4E, HEUR:Exploit.Script.Generic, JS/CVE_2021_40444.181B!exploit, malware (ai score=83))
md5 cf43050494012ba1f8ec57b3d07e070c
sha256 9b3a5b1c64e211c9e523a297db8cb67359301be04035ee9971aab3a5ca349b50
ssdeep 192:1QhKCIZWsITd0VTLoYj6EwnH6Z9qYJw+g000000000SAWRYaFu:CsCICgTIx6Dqg/D
imphash
impfuzzy
  Network IP location

Signature (9cnts)

Level Description
watch Communicates with host for which no DNS query was performed
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info One or more processes crashed

Rules (12cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://tigerdrill.xyz/EYWCET97LV2U.cab
whois
Unknown 159.223.68.213 clean
http://tigerdrill.xyz/EYWCET97LV2U.html
whois
Unknown 159.223.68.213 clean
tigerdrill.xyz
whois
Unknown 159.223.68.213 clean
159.223.68.213
whois
Unknown 159.223.68.213 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

Similarity measure (PE file only) - Checking for service failure