Report - 237.exe

Tags: Gen1, RAT, Gen2, Generic Malware, Malicious Library, UPX, Malicious Packer, ASPack, PE File, PE32, DLL, OS Processor Check, PE64
Created 2021.11.12 10:39
Machine s1_win7_x6401
Filename 237.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score 8
Behavior Score 9.8
ZERO API (file): clean
VT API (file) 24 detected (malicious, high confidence, Unsafe, Attribute, HighConfidence, Kryptik, HNGO, FileRepMalware, Static AI, Suspicious PE, Racealer, X107WI, kcloud, Sabsik, score, Artemis, 100%, ZexaCO, eTW@aSnLe3ii, confidence)
md5 c8753945c41821a7e3d9f5da2091cfb9
sha256 58f31e1dff0920a075bd80dfd7ce28fa71c749f1358fab458559b15be3e1a9fc
ssdeep 24576:4D39vwHvYu7HKmbp+3dHxrmKfjTC8dUGeZgMi:RvYaqop26qxUGCW
imphash 335487b50c180fdca285bc221817b6ec
impfuzzy 3:sU9KTXzhAXwSx2AEZsWBJAEm0uCALMAJKOmqMElaELCxol4Qn:HGDmErBJAEmZD4sKn3EUe

Signature (25cnts)

Level Description
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid)
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info Tries to locate where the browsers are installed

Rules (15cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch ASPack_Zero ASPack packed file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (10cnts)

Request CC ASN Co IP4 Rule ZERO
http://91.219.236.143//l/f/tqPHEX0B3dP17SpzrvfV/910802d68dc1ffb9b9bd625890844113aa936e4f HU ServerAstra Kft. 91.219.236.143 clean
http://185.163.47.176/nabiuspelen MD MivoCloud SRL 185.163.47.176 clean
http://91.219.236.143//l/f/tqPHEX0B3dP17SpzrvfV/11132c416b2ed16b26d0c1da5c29f230fc246678 HU ServerAstra Kft. 91.219.236.143 clean
http://91.219.236.143/ HU ServerAstra Kft. 91.219.236.143 clean
https://cdn.discordapp.com/attachments/904860177872855122/904872245145505802/Gainsaying.exe Unknown 162.159.133.233 clean
cdn.discordapp.com Unknown 162.159.133.233 malware
91.219.236.162 HU ServerAstra Kft. 91.219.236.162 clean
162.159.133.233 Unknown 162.159.133.233 malware
91.219.236.143 HU ServerAstra Kft. 91.219.236.143 clean
185.163.47.176 MD MivoCloud SRL 185.163.47.176 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

kernel32.dll
 0x765bf4 GetProcAddress
 0x765bf8 GetModuleHandleA
 0x765bfc LoadLibraryA
msvcrt.dll
 0x765cf0 _strdup
msvcrt.dll
 0x765cf8 __getmainargs
oleaut32.dll
 0x765d00 VariantChangeTypeEx
kernel32.dll
 0x765d08 RaiseException

EAT (Export Address Table): none