popup

Report - Done.exe

Themida Packer Generic Malware Malicious Library UPX Anti_VM Antivirus Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P AntiDebug AntiVM PE Fi
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.11.18 14:39 Machine s1_win7_x6401
Filename Done.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
AI Score
5
 Behavior Score
12.6
ZERO API file : clean
VT API (file) 32 detected (AIDetect, malware2, malicious, high confidence, Siggen15, Bulz, Attribute, HighConfidence, multiple detections, Razy, agzx, DangerousSig, jftko, ai score=86, Reline, Ilgergop, 02AUFD, score, R441806, Artemis, BScope, IPLogger, NSIS, CLASSIC, confidence)
md5 aaea0b2a1b429283fe48d824d1c40c4b
sha256 899212cef8387993ef7e01d930fd9b946a5531c63ab885f4641b7a3061d05f73
ssdeep 98304:mGEIvAnwYddT3vfDba20kaJnsngI62dbPr2feBg/QYgyDECv4dFasrly9P8DoT:+nwIN3itJnU6QLr2GBmQgECwD/x0PB
imphash e9c0657252137ac61c1eeeba4c021000
impfuzzy 48:T1SKmvYO1wQ2nr+t8Alt8tz4eOGLlla/5LRFpV74dT+45EQX/1EowSv0Qxly6U0D:TMKeY0wQ2i42fw4rtu
  Network IP location

Signature (29cnts)

Level Description
danger File has been identified by 32 AntiVirus engines on VirusTotal as malicious
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the version of Bios
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects Virtual Machines through their custom firmware
watch Detects VMWare through the in instruction feature
watch Harvests credentials from local FTP client softwares
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch The process powershell.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (45cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning themida_packer themida packer binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info vmdetect Possibly employs anti-virtualization techniques memory
info win_hook Affect hook table memory

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
modenm.site
whois
PL WorldStream B.V. 80.66.87.32 clean
79.174.13.108
whois
RU JSC The First 79.174.13.108 mailcious
80.66.87.32
whois
PL WorldStream B.V. 80.66.87.32 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x408070 GetTempPathA
 0x408074 GetFileSize
 0x408078 GetModuleFileNameA
 0x40807c GetCurrentProcess
 0x408080 CopyFileA
 0x408084 ExitProcess
 0x408088 SetEnvironmentVariableA
 0x40808c Sleep
 0x408090 GetTickCount
 0x408094 GetCommandLineA
 0x408098 lstrlenA
 0x40809c GetVersion
 0x4080a0 SetErrorMode
 0x4080a4 lstrcpynA
 0x4080a8 GetDiskFreeSpaceA
 0x4080ac GlobalUnlock
 0x4080b0 GetWindowsDirectoryA
 0x4080b4 SetFileAttributesA
 0x4080b8 GetLastError
 0x4080bc CreateDirectoryA
 0x4080c0 CreateProcessA
 0x4080c4 RemoveDirectoryA
 0x4080c8 CreateFileA
 0x4080cc GetTempFileNameA
 0x4080d0 ReadFile
 0x4080d4 WriteFile
 0x4080d8 lstrcpyA
 0x4080dc MoveFileExA
 0x4080e0 lstrcatA
 0x4080e4 GetSystemDirectoryA
 0x4080e8 GetProcAddress
 0x4080ec GetExitCodeProcess
 0x4080f0 WaitForSingleObject
 0x4080f4 CompareFileTime
 0x4080f8 SetFileTime
 0x4080fc GetFileAttributesA
 0x408100 SetCurrentDirectoryA
 0x408104 MoveFileA
 0x408108 GetFullPathNameA
 0x40810c GetShortPathNameA
 0x408110 SearchPathA
 0x408114 CloseHandle
 0x408118 lstrcmpiA
 0x40811c CreateThread
 0x408120 GlobalLock
 0x408124 lstrcmpA
 0x408128 DeleteFileA
 0x40812c FindFirstFileA
 0x408130 FindNextFileA
 0x408134 FindClose
 0x408138 SetFilePointer
 0x40813c GetPrivateProfileStringA
 0x408140 WritePrivateProfileStringA
 0x408144 MulDiv
 0x408148 MultiByteToWideChar
 0x40814c FreeLibrary
 0x408150 LoadLibraryExA
 0x408154 GetModuleHandleA
 0x408158 GlobalAlloc
 0x40815c GlobalFree
 0x408160 ExpandEnvironmentStringsA
USER32.dll
 0x408184 GetSystemMenu
 0x408188 SetClassLongA
 0x40818c EnableMenuItem
 0x408190 IsWindowEnabled
 0x408194 SetWindowPos
 0x408198 GetSysColor
 0x40819c GetWindowLongA
 0x4081a0 SetCursor
 0x4081a4 LoadCursorA
 0x4081a8 CheckDlgButton
 0x4081ac GetMessagePos
 0x4081b0 CallWindowProcA
 0x4081b4 IsWindowVisible
 0x4081b8 CloseClipboard
 0x4081bc SetClipboardData
 0x4081c0 EmptyClipboard
 0x4081c4 OpenClipboard
 0x4081c8 ScreenToClient
 0x4081cc GetWindowRect
 0x4081d0 GetDlgItem
 0x4081d4 GetSystemMetrics
 0x4081d8 SetDlgItemTextA
 0x4081dc GetDlgItemTextA
 0x4081e0 MessageBoxIndirectA
 0x4081e4 CharPrevA
 0x4081e8 DispatchMessageA
 0x4081ec PeekMessageA
 0x4081f0 GetDC
 0x4081f4 ReleaseDC
 0x4081f8 EnableWindow
 0x4081fc InvalidateRect
 0x408200 SendMessageA
 0x408204 DefWindowProcA
 0x408208 BeginPaint
 0x40820c GetClientRect
 0x408210 FillRect
 0x408214 EndDialog
 0x408218 RegisterClassA
 0x40821c SystemParametersInfoA
 0x408220 CreateWindowExA
 0x408224 GetClassInfoA
 0x408228 DialogBoxParamA
 0x40822c CharNextA
 0x408230 ExitWindowsEx
 0x408234 LoadImageA
 0x408238 CreateDialogParamA
 0x40823c SetTimer
 0x408240 SetWindowTextA
 0x408244 SetForegroundWindow
 0x408248 ShowWindow
 0x40824c SetWindowLongA
 0x408250 SendMessageTimeoutA
 0x408254 FindWindowExA
 0x408258 IsWindow
 0x40825c AppendMenuA
 0x408260 TrackPopupMenu
 0x408264 CreatePopupMenu
 0x408268 DrawTextA
 0x40826c EndPaint
 0x408270 DestroyWindow
 0x408274 wsprintfA
 0x408278 PostQuitMessage
GDI32.dll
 0x40804c SelectObject
 0x408050 SetTextColor
 0x408054 SetBkMode
 0x408058 CreateFontIndirectA
 0x40805c CreateBrushIndirect
 0x408060 DeleteObject
 0x408064 GetDeviceCaps
 0x408068 SetBkColor
SHELL32.dll
 0x408168 SHGetSpecialFolderLocation
 0x40816c ShellExecuteExA
 0x408170 SHGetPathFromIDListA
 0x408174 SHBrowseForFolderA
 0x408178 SHGetFileInfoA
 0x40817c SHFileOperationA
ADVAPI32.dll
 0x408000 AdjustTokenPrivileges
 0x408004 RegCreateKeyExA
 0x408008 RegOpenKeyExA
 0x40800c SetFileSecurityA
 0x408010 OpenProcessToken
 0x408014 LookupPrivilegeValueA
 0x408018 RegEnumValueA
 0x40801c RegDeleteKeyA
 0x408020 RegDeleteValueA
 0x408024 RegCloseKey
 0x408028 RegSetValueExA
 0x40802c RegQueryValueExA
 0x408030 RegEnumKeyA
COMCTL32.dll
 0x408038 ImageList_Create
 0x40803c ImageList_AddMasked
 0x408040 None
 0x408044 ImageList_Destroy
ole32.dll
 0x408280 OleUninitialize
 0x408284 OleInitialize
 0x408288 CoTaskMemFree
 0x40828c CoCreateInstance

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure