popup

Report - cc.html

emotet Generic Malware Malicious Packer Malicious Library UPX Antivirus AntiDebug AntiVM PE File OS Processor Check PE32 DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2022.01.18 10:07 Machine s1_win7_x6402
Filename cc.html
Type data
AI Score Not founds Behavior Score
15.4
ZERO API file : clean
VT API (file) 6 detected (ExploitBlacole)
md5 8f12c9ff33ea9aa35e97faaeb09f63d7
sha256 c681e3bc032bdcc6923b7d17c1f7ba0fecc80826d9b9f11ebf512183c977b72f
ssdeep 192:aYA6VCkQyw90+qiJ54x7UODA0qJEMKsqBR43Yn+ebOe1uTJpUrH9U3GgVLrcTR6/:aYlUkPoNj5uAODA0qJdXqksOH70ArcT8
imphash
impfuzzy
  Network IP location

Signature (34cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch A command shell or script process was created by an unexpected parent process
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Created a service where a service was also not started
watch Installs itself for autorun at Windows startup
watch Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch One or more non-whitelisted processes were created
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Expresses interest in specific running processes
notice File has been identified by 6 AntiVirus engines on VirusTotal as malicious
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Poweshell is sending data to a remote host
notice Searches running processes potentially to identify processes for sandbox evasion
notice URL downloaded by powershell script
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (17cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (24cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://185.7.214.7/PP91.PNG
whois
Unknown 185.7.214.7 11231 clean
http://mecaglobal.com/qxim/TlDTjlxYAdwU/
whois
US AS-26496-GO-DADDY-COM-LLC 198.12.243.55 malware
mecaglobal.com
whois
US AS-26496-GO-DADDY-COM-LLC 198.12.243.55 malware
51.38.71.0
whois
GB OVH SAS 51.38.71.0 mailcious
131.100.24.231
whois
BR GOPLEX TELECOMUNICACOES E INTERNET LTDA - ME 131.100.24.231 mailcious
79.172.212.216
whois
HU SzerverPlex.hu KFT. 79.172.212.216 mailcious
203.114.109.124
whois
TH TOT Public Company Limited 203.114.109.124 mailcious
198.12.243.55
whois
US AS-26496-GO-DADDY-COM-LLC 198.12.243.55 mailcious
45.176.232.124
whois
CO CABLE Y TELECOMUNICACIONES DE COLOMBIA S.A.S (CABLETELCO) 45.176.232.124 mailcious
207.38.84.195
whois
US AS-30083-GO-DADDY-COM-LLC 207.38.84.195 mailcious
51.68.175.8
whois
FR OVH SAS 51.68.175.8 mailcious
178.79.147.66
whois
GB Linode, LLC 178.79.147.66 mailcious
192.254.71.210
whois
US DACEN-2 192.254.71.210 mailcious
103.8.26.102
whois
MY SKSA TECHNOLOGY SDN BHD 103.8.26.102 mailcious
217.182.143.207
whois
FR OVH SAS 217.182.143.207 mailcious
45.142.114.231
whois
DE First Colo GmbH 45.142.114.231 mailcious
185.7.214.7
whois
Unknown 185.7.214.7 clean
209.59.138.75
whois
US LIQUIDWEB 209.59.138.75 mailcious
58.227.42.236
whois
KR SK Broadband Co Ltd 58.227.42.236 mailcious
103.8.26.103
whois
MY SKSA TECHNOLOGY SDN BHD 103.8.26.103 mailcious
212.237.17.99
whois
IT Aruba S.p.A. 212.237.17.99 mailcious
178.63.25.185
whois
DE Hetzner Online GmbH 178.63.25.185 mailcious
46.55.222.11
whois
BG Cifrova Kabelna Korporacia EOOD 46.55.222.11 mailcious
104.168.155.129
whois
US HOSTWINDS 104.168.155.129 mailcious

Suricata ids


Similarity measure (PE file only) - Checking for service failure