Report - octafx4setup.exe

Tags: Gen2, Formbook, Generic Malware, UPX, Malicious Library, PE File, PE32, OS Processor Check
Created 2021.11.18 12:55 Machine s1_win7_x6401
Filename octafx4setup.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score 5
Behavior Score 10.6
ZERO API file : clean
VT API (file) 1 detected (Stelega)
md5 568e1204996456984c05f12de9201168
sha256 02f992c886f423ef0a2fb16bfbb31ae66309a6206baab5beb1d379891664e4cd
ssdeep 24576:44P0tnXo1pxRBlH56KNo37ig2OxyFrtRt1VnUtRJaPWHX0H/:3stnXo1pxRB/6KNo3OtOxyFZ1VUtXaPp
imphash 81b91a024710dd1fed3c03bac11a1ecd
impfuzzy 12:ov/lhcCKTAc+ABZG/DzHbcmrMbv0Ns4ITQfsAKvY:ylvC+DfsQiAKA
Signatures (22)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually stay up)
watch Attempts to create or modify system certificates
watch Attempts to identify installed AV products by installation directory
watch Checks the CPU name from registry
watch Communicates with host for which no DNS query was performed
watch Creates an Alternate Data Stream (ADS)
watch Detects the presence of Wine emulator
watch Queries information on disks
notice A process attempted to delay the analysis task
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses, which can be used to detect virtual network interfaces
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice File has been identified by one AntiVirus engine on VirusTotal as malicious
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size, which can be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Checks amount of memory in system
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (11)

Level Name Description Collection
danger Win_Trojan_Formbook_Zero Used Formbook binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)

Network (24)

Request CC ASN-Co IP4 Rule ZERO
http://crt.usertrust.com/USERTrustECCAddTrustCA.crt GB Sectigo Limited 91.199.212.52 clean
api9.mql5.net JP PACKET 147.75.92.40 clean
download.mql5.com HK Equinix Asia Pacific 27.111.161.152 clean
crt.usertrust.com GB Sectigo Limited 91.199.212.52 clean
api14.mql5.net Unknown 0.0.0.0 clean
content.mql5.com HK Equinix Asia Pacific 27.111.161.150 clean
91.199.212.52 GB Sectigo Limited 91.199.212.52 clean
47.91.24.164 JP Alibaba (US) Technology Co., Ltd. 47.91.24.164 clean
27.111.161.152 HK Equinix Asia Pacific 27.111.161.152 clean
195.201.80.82 DE Hetzner Online GmbH 195.201.80.82 clean
142.215.208.235 Unknown 142.215.208.235 clean
117.20.41.198 SG INTERNAP-BLK4 117.20.41.198 clean
103.26.205.122 US LeapSwitch Networks Pvt Ltd 103.26.205.122 clean
27.111.161.150 HK Equinix Asia Pacific 27.111.161.150 clean
102.68.85.100 NG Web4Africa 102.68.85.100 clean
147.75.92.40 JP PACKET 147.75.92.40 clean
88.212.232.132 RU SERVERS 88.212.232.132 clean
177.154.156.125 BR EQUINIX BRASIL 177.154.156.125 clean
78.140.180.43 NL Webzilla B.V. 78.140.180.43 clean
47.74.84.54 US Alibaba (US) Technology Co., Ltd. 47.74.84.54 clean
156.38.206.21 ZA xneelo 156.38.206.21 clean
156.38.206.18 ZA xneelo 156.38.206.18 clean
147.75.48.214 US PACKET 147.75.48.214 clean
147.139.41.121 US Alibaba (US) Technology Co., Ltd. 147.139.41.121 clean
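Two of the report's signatures ("Communicates with host for which no DNS query was performed" and "Connects to IP addresses that are no longer responding to requests") hinge on this table, so it is worth re-deriving the first one from the rows rather than trusting the level label. The script below is an added example, not part of the report: it transcribes the Network table above, collects every address that a hostname lookup returned, and lists the raw-IP contacts that no lookup in the capture explains. Reading "Unknown 0.0.0.0" for api14.mql5.net as a failed resolution is my assumption, and the table only shows one address per name, so a name that resolved to several addresses would make the count slightly high.

```python
import ipaddress

# Rows transcribed from the Network table of this report:
# (request, country code, ASN organisation, IPv4, ZERO verdict).
# "Unknown" / "0.0.0.0" is treated here as a lookup that returned no
# address; that reading is an assumption, not documented field semantics.
NETWORK_ROWS = [
    ("http://crt.usertrust.com/USERTrustECCAddTrustCA.crt", "GB", "Sectigo Limited", "91.199.212.52", "clean"),
    ("api9.mql5.net", "JP", "PACKET", "147.75.92.40", "clean"),
    ("download.mql5.com", "HK", "Equinix Asia Pacific", "27.111.161.152", "clean"),
    ("crt.usertrust.com", "GB", "Sectigo Limited", "91.199.212.52", "clean"),
    ("api14.mql5.net", "", "Unknown", "0.0.0.0", "clean"),
    ("content.mql5.com", "HK", "Equinix Asia Pacific", "27.111.161.150", "clean"),
    ("91.199.212.52", "GB", "Sectigo Limited", "91.199.212.52", "clean"),
    ("47.91.24.164", "JP", "Alibaba (US) Technology Co., Ltd.", "47.91.24.164", "clean"),
    ("27.111.161.152", "HK", "Equinix Asia Pacific", "27.111.161.152", "clean"),
    ("195.201.80.82", "DE", "Hetzner Online GmbH", "195.201.80.82", "clean"),
    ("142.215.208.235", "", "Unknown", "142.215.208.235", "clean"),
    ("117.20.41.198", "SG", "INTERNAP-BLK4", "117.20.41.198", "clean"),
    ("103.26.205.122", "US", "LeapSwitch Networks Pvt Ltd", "103.26.205.122", "clean"),
    ("27.111.161.150", "HK", "Equinix Asia Pacific", "27.111.161.150", "clean"),
    ("102.68.85.100", "NG", "Web4Africa", "102.68.85.100", "clean"),
    ("147.75.92.40", "JP", "PACKET", "147.75.92.40", "clean"),
    ("88.212.232.132", "RU", "SERVERS", "88.212.232.132", "clean"),
    ("177.154.156.125", "BR", "EQUINIX BRASIL", "177.154.156.125", "clean"),
    ("78.140.180.43", "NL", "Webzilla B.V.", "78.140.180.43", "clean"),
    ("47.74.84.54", "US", "Alibaba (US) Technology Co., Ltd.", "47.74.84.54", "clean"),
    ("156.38.206.21", "ZA", "xneelo", "156.38.206.21", "clean"),
    ("156.38.206.18", "ZA", "xneelo", "156.38.206.18", "clean"),
    ("147.75.48.214", "US", "PACKET", "147.75.48.214", "clean"),
    ("147.139.41.121", "US", "Alibaba (US) Technology Co., Ltd.", "147.139.41.121", "clean"),
]


def request_host(request):
    """Reduce a URL or bare request string to its host part."""
    if "://" in request:
        request = request.split("://", 1)[1]
    return request.split("/", 1)[0].split(":", 1)[0]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_answers(rows):
    """Map each address returned for a hostname lookup to the names it answered."""
    answers = {}
    for request, _cc, _org, ip4, _verdict in rows:
        host = request_host(request)
        if not is_ip_literal(host) and ip4 != "0.0.0.0":
            answers.setdefault(ip4, set()).add(host)
    return answers


def contacts_without_dns(rows):
    """Raw-IP contacts whose address no hostname lookup in the capture returned.

    This is the condition behind the report's "Communicates with host for which
    no DNS query was performed" signature: hard-coded endpoints, or names that
    were resolved outside the captured traffic."""
    answers = dns_answers(rows)
    hits = []
    for request, cc, org, _ip4, _verdict in rows:
        host = request_host(request)
        if is_ip_literal(host) and host not in answers:
            hits.append((host, cc, org))
    return hits


def failed_lookups(rows):
    """Hostnames the sandbox could not resolve (rendered as 0.0.0.0 in the table)."""
    return sorted({request_host(r[0]) for r in rows if r[3] == "0.0.0.0"})


def by_asn_org(contacts):
    """Group no-DNS contacts by ASN organisation for a quick triage view."""
    groups = {}
    for ip, cc, org in contacts:
        groups.setdefault(org, []).append(f"{ip} ({cc or '??'})")
    return groups


if __name__ == "__main__":
    hits = contacts_without_dns(NETWORK_ROWS)
    print(f"{len(hits)} raw-IP contacts with no DNS answer in the capture")
    for org, ips in sorted(by_asn_org(hits).items()):
        print(f"  {org}: {', '.join(ips)}")
    print("failed lookups:", failed_lookups(NETWORK_ROWS))
```

Of the 18 raw-IP rows, four (91.199.212.52, 27.111.161.152, 27.111.161.150, 147.75.92.40) are explained by the crt.usertrust.com and mql5 lookups; the remaining 14, spread across nine countries and eight ASN organisations, are what the signature fired on. All of them carry a "clean" verdict in the ZERO column, so the signature is a prompt to look at what was sent to those addresses, not a verdict by itself.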

Suricata IDS

PE API

IAT (Import Address Table)

ADVAPI32.dll
 0x751e6c GetAce
crypt.dll
 0x751e74 BCryptGenRandom
COMCTL32.dll
 0x751e7c ImageList_Draw
CRYPT32.dll
 0x751e84 CertNameToStrW
dbghelp.dll
 0x751e8c StackWalk64
GDI32.dll
 0x751e94 BitBlt
gdiplus.dll
 0x751e9c GdipFree
KERNEL32.DLL
 0x751ea4 LoadLibraryA
 0x751ea8 ExitProcess
 0x751eac GetProcAddress
 0x751eb0 VirtualProtect
MSIMG32.dll
 0x751eb8 GradientFill
ole32.dll
 0x751ec0 CoInitialize
OLEAUT32.dll
 0x751ec8 VarUI4FromStr
Secur32.dll
 0x751ed0 EncryptMessage
SHELL32.dll
 0x751ed8 ShellExecuteW
SHLWAPI.dll
 0x751ee0 PathCanonicalizeW
USER32.dll
 0x751ee8 GetDC
VERSION.dll
 0x751ef0 VerQueryValueW
WINTRUST.dll
 0x751ef8 WinVerifyTrust
WS2_32.dll
 0x751f00 WSACleanup

EAT (Export Address Table): none
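The import table above has the shape a UPX-packed PE always has: exactly one imported symbol per library (enough to make the loader map the DLL) plus LoadLibraryA, GetProcAddress, VirtualProtect and ExitProcess from KERNEL32, which the UPX stub uses to unpack the original image and rebuild its real imports at runtime. The thunk addresses confirm the table is complete as printed: each single-import library occupies 8 bytes (one thunk plus a null terminator, 0x751e6c to 0x751e74), and the four KERNEL32 thunks run from 0x751ea4 to 0x751eb0 before MSIMG32 starts at 0x751eb8. So this IAT says almost nothing about what the unpacked payload does; the capability hints in this report come from the runtime signatures, not from these imports. The script below is an added example, not code from the report or the sandbox: it recomputes the imphash from the transcribed table (the same normalisation pefile applies: library name lowercased with .dll/.ocx/.sys stripped, function names lowercased, joined with commas, MD5) and applies the stub heuristic. If the hash it prints equals the report's imphash 81b91a024710dd1fed3c03bac11a1ecd, the listing above is the full import directory; if not, the report truncated it. Ordinal-only imports are not handled because the report shows none; the "crypt.dll" library name is kept exactly as the report prints it.

```python
import hashlib

# Transcribed from the IAT section of this report, in import-directory order.
IAT = [
    ("ADVAPI32.dll", ["GetAce"]),
    ("crypt.dll", ["BCryptGenRandom"]),
    ("COMCTL32.dll", ["ImageList_Draw"]),
    ("CRYPT32.dll", ["CertNameToStrW"]),
    ("dbghelp.dll", ["StackWalk64"]),
    ("GDI32.dll", ["BitBlt"]),
    ("gdiplus.dll", ["GdipFree"]),
    ("KERNEL32.DLL", ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"]),
    ("MSIMG32.dll", ["GradientFill"]),
    ("ole32.dll", ["CoInitialize"]),
    ("OLEAUT32.dll", ["VarUI4FromStr"]),
    ("Secur32.dll", ["EncryptMessage"]),
    ("SHELL32.dll", ["ShellExecuteW"]),
    ("SHLWAPI.dll", ["PathCanonicalizeW"]),
    ("USER32.dll", ["GetDC"]),
    ("VERSION.dll", ["VerQueryValueW"]),
    ("WINTRUST.dll", ["WinVerifyTrust"]),
    ("WS2_32.dll", ["WSACleanup"]),
]

# The four KERNEL32 imports the UPX loader stub needs for itself.
UPX_STUB_IMPORTS = {"loadlibrarya", "getprocaddress", "virtualprotect", "exitprocess"}


def normalise_library(name):
    """Lowercase the library name and drop a .dll/.ocx/.sys extension, as imphash does."""
    lib = name.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return lib


def imphash_string(iat):
    """The 'lib.func,lib.func,...' string that imphash hashes (named imports only)."""
    return ",".join(f"{normalise_library(lib)}.{func.lower()}"
                    for lib, funcs in iat for func in funcs)


def imphash(iat):
    return hashlib.md5(imphash_string(iat).encode("ascii")).hexdigest()


def looks_like_upx_stub(iat):
    """Heuristic: KERNEL32 carries the four stub imports and every other
    library contributes exactly one symbol. True for UPX-packed PEs whose
    import directory has not been modified."""
    kernel32 = {f.lower() for lib, funcs in iat
                if normalise_library(lib) == "kernel32" for f in funcs}
    others_single = all(len(funcs) == 1 for lib, funcs in iat
                        if normalise_library(lib) != "kernel32")
    return UPX_STUB_IMPORTS <= kernel32 and others_single


def import_count(iat):
    return sum(len(funcs) for _lib, funcs in iat)


if __name__ == "__main__":
    print("imports:", import_count(IAT))
    print("imphash:", imphash(IAT))
    print("report :", "81b91a024710dd1fed3c03bac11a1ecd")
    print("UPX stub import pattern:", looks_like_upx_stub(IAT))
```

Because the packed IAT is shared by every UPX-packed binary with the same set of libraries, an imphash computed from it clusters on the packer, not on the payload. For hunting or correlation, compute the imphash on the unpacked image (upx -d, or a memory dump taken after the stub finishes).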



Similarity measure (PE file only): not available (service check failed)