popup

Report - 3NXwcYNCa

Gen2 Gen1 Emotet Malicious Packer Malicious Library UPX PE File OS Processor Check DLL PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2022.03.15 10:30 Machine s1_win7_x6401
Filename 3NXwcYNCa
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
5.6
ZERO API file : malware
VT API (file) 4 detected (Convagent, ASCommon, Sabsik, Kryptik, YzY0Oh, jx0YklSUX)
md5 2d9f428fe4782858a3761e597649f9d6
sha256 37031a9441200d6490726292538a203d02fcde53e590d2be38b41f602d3d7210
ssdeep 24576:k8dlVJKB+nLkT3G1u6UkgKkSwLBeUNKsuG31Pt8H:3dlV0EnIT0wgeKsh56H
imphash 2a986943d8440d2f00f13ad10b553808
impfuzzy 96:JEI5GnLro142teSauZbw4SE4yAGbpJDEucTcRcL/rVbQP1:tuuZ04SE4ynbEucTcRcrxQP1
  Network IP location

Signature (12cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Expresses interest in specific running processes
notice File has been identified by 4 AntiVirus engines on VirusTotal as malicious
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks if process is being debugged by a debugger
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (10cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_1_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (31cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
177.87.70.10
whois
BR S. C. Terres e Cia Ltda 177.87.70.10 mailcious
195.154.133.20
whois
FR Online S.a.s. 195.154.133.20 mailcious
5.9.116.246
whois
DE Hetzner Online GmbH 5.9.116.246 mailcious
212.24.98.99
whois
LT UAB Rakrejus 212.24.98.99 mailcious
185.8.212.130
whois
UZ UZINFOCOM State Unitary Enterprise 185.8.212.130 mailcious
209.126.98.206
whois
US AS-30083-GO-DADDY-COM-LLC 209.126.98.206 mailcious
196.218.30.83
whois
EG TE-AS 196.218.30.83 mailcious
103.75.201.2
whois
TH CDN PLUS CO., LTD. 103.75.201.2 mailcious
103.75.201.4
whois
TH CDN PLUS CO., LTD. 103.75.201.4 mailcious
51.91.7.5
whois
FR OVH SAS 51.91.7.5 mailcious
153.126.146.25
whois
JP SAKURA Internet Inc. 153.126.146.25 clean
45.118.135.203
whois
SG Linode, LLC 45.118.135.203 mailcious
45.176.232.124
whois
CO CABLE Y TELECOMUNICACIONES DE COLOMBIA S.A.S (CABLETELCO) 45.176.232.124 mailcious
162.214.118.104
whois
US UNIFIEDLAYER-AS-1 162.214.118.104 mailcious
207.38.84.195
whois
US AS-30083-GO-DADDY-COM-LLC 207.38.84.195 mailcious
158.69.222.101
whois
CA OVH SAS 158.69.222.101 mailcious
146.59.226.45
whois
Unknown 146.59.226.45 mailcious
110.232.117.186
whois
AU RackCorp 110.232.117.186 mailcious
45.142.114.231
whois
DE First Colo GmbH 45.142.114.231 mailcious
46.55.222.11
whois
BG Cifrova Kabelna Korporacia EOOD 46.55.222.11 mailcious
164.68.99.3
whois
DE Contabo GmbH 164.68.99.3 mailcious
185.4.135.27
whois
GR Fragkoulis Maounis & Sia OE 185.4.135.27 mailcious
151.106.112.196
whois
DE PlusServer GmbH 151.106.112.196 clean
176.56.128.118
whois
CH SEEWEB s.r.l. 176.56.128.118 mailcious
185.157.82.211
whois
PL S-NET Sp. z o.o. 185.157.82.211 mailcious
212.237.17.99
whois
IT Aruba S.p.A. 212.237.17.99 mailcious
173.212.193.249
whois
DE Contabo GmbH 173.212.193.249 mailcious
217.182.143.248
whois
FR OVH SAS 217.182.143.248 mailcious
192.99.251.50
whois
CA OVH SAS 192.99.251.50 mailcious
186.250.48.117
whois
BR Redfox Telecomunicacoes Ltda. 186.250.48.117 mailcious
31.24.158.56
whois
ES Infortelecom Hosting S.L. 31.24.158.56 mailcious

Suricata ids

ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 10
ET CNC Feodo Tracker Reported CnC Server group 2
ET CNC Feodo Tracker Reported CnC Server group 13
ET CNC Feodo Tracker Reported CnC Server group 18

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x1008d108 HeapSize
 0x1008d10c VirtualFree
 0x1008d110 VirtualAlloc
 0x1008d114 HeapCreate
 0x1008d118 HeapDestroy
 0x1008d11c GetStdHandle
 0x1008d120 GetModuleFileNameA
 0x1008d124 GetCPInfo
 0x1008d128 GetACP
 0x1008d12c GetOEMCP
 0x1008d130 IsValidCodePage
 0x1008d134 LCMapStringW
 0x1008d138 GetConsoleCP
 0x1008d13c GetConsoleMode
 0x1008d140 SetHandleCount
 0x1008d144 GetFileType
 0x1008d148 GetStartupInfoA
 0x1008d14c FreeEnvironmentStringsA
 0x1008d150 GetEnvironmentStrings
 0x1008d154 Sleep
 0x1008d158 GetEnvironmentStringsW
 0x1008d15c QueryPerformanceCounter
 0x1008d160 GetSystemTimeAsFileTime
 0x1008d164 InitializeCriticalSectionAndSpinCount
 0x1008d168 LCMapStringA
 0x1008d16c GetStringTypeA
 0x1008d170 GetStringTypeW
 0x1008d174 GetLocaleInfoA
 0x1008d178 WriteConsoleA
 0x1008d17c GetConsoleOutputCP
 0x1008d180 WriteConsoleW
 0x1008d184 SetStdHandle
 0x1008d188 GetProcessHeap
 0x1008d18c CreateFileA
 0x1008d190 HeapReAlloc
 0x1008d194 RaiseException
 0x1008d198 RtlUnwind
 0x1008d19c GetCommandLineA
 0x1008d1a0 IsDebuggerPresent
 0x1008d1a4 SetUnhandledExceptionFilter
 0x1008d1a8 UnhandledExceptionFilter
 0x1008d1ac TerminateProcess
 0x1008d1b0 HeapFree
 0x1008d1b4 HeapAlloc
 0x1008d1b8 GetCurrentProcess
 0x1008d1bc SetEndOfFile
 0x1008d1c0 FlushFileBuffers
 0x1008d1c4 SetFilePointer
 0x1008d1c8 WritePrivateProfileStringW
 0x1008d1cc GlobalFlags
 0x1008d1d0 TlsFree
 0x1008d1d4 DeleteCriticalSection
 0x1008d1d8 LocalReAlloc
 0x1008d1dc TlsSetValue
 0x1008d1e0 TlsAlloc
 0x1008d1e4 InitializeCriticalSection
 0x1008d1e8 GlobalHandle
 0x1008d1ec GlobalReAlloc
 0x1008d1f0 EnterCriticalSection
 0x1008d1f4 TlsGetValue
 0x1008d1f8 LeaveCriticalSection
 0x1008d1fc InterlockedIncrement
 0x1008d200 GetCurrentThread
 0x1008d204 ConvertDefaultLocale
 0x1008d208 EnumResourceLanguagesW
 0x1008d20c GetLocaleInfoW
 0x1008d210 InterlockedExchange
 0x1008d214 lstrlenA
 0x1008d218 lstrcmpA
 0x1008d21c InterlockedDecrement
 0x1008d220 GetCurrentProcessId
 0x1008d224 GetModuleHandleA
 0x1008d228 GetCurrentThreadId
 0x1008d22c GlobalAddAtomW
 0x1008d230 GlobalFindAtomW
 0x1008d234 GlobalDeleteAtom
 0x1008d238 GetVersionExW
 0x1008d23c CompareStringW
 0x1008d240 LoadLibraryA
 0x1008d244 lstrcmpW
 0x1008d248 GetVersionExA
 0x1008d24c FreeResource
 0x1008d250 GlobalFree
 0x1008d254 FormatMessageW
 0x1008d258 LocalUnlock
 0x1008d25c LocalFree
 0x1008d260 LocalLock
 0x1008d264 LocalAlloc
 0x1008d268 GetModuleFileNameW
 0x1008d26c ReadFile
 0x1008d270 GetTickCount
 0x1008d274 lstrcmpiW
 0x1008d278 GetWindowsDirectoryW
 0x1008d27c lstrcpyW
 0x1008d280 WideCharToMultiByte
 0x1008d284 WinExec
 0x1008d288 lstrlenW
 0x1008d28c lstrcatW
 0x1008d290 FreeLibrary
 0x1008d294 LoadLibraryExW
 0x1008d298 ExitProcess
 0x1008d29c MulDiv
 0x1008d2a0 GetProcAddress
 0x1008d2a4 GetModuleHandleW
 0x1008d2a8 LoadLibraryW
 0x1008d2ac GetLastError
 0x1008d2b0 SetLastError
 0x1008d2b4 GlobalAlloc
 0x1008d2b8 GlobalUnlock
 0x1008d2bc MultiByteToWideChar
 0x1008d2c0 GlobalLock
 0x1008d2c4 CloseHandle
 0x1008d2c8 WriteFile
 0x1008d2cc CreateFileW
 0x1008d2d0 FindResourceW
 0x1008d2d4 LoadResource
 0x1008d2d8 LockResource
 0x1008d2dc FreeEnvironmentStringsW
 0x1008d2e0 SizeofResource
USER32.dll
 0x1008d308 DestroyMenu
 0x1008d30c GetSysColorBrush
 0x1008d310 SetMenuItemBitmaps
 0x1008d314 GetMenuCheckMarkDimensions
 0x1008d318 LoadBitmapW
 0x1008d31c ModifyMenuW
 0x1008d320 CheckMenuItem
 0x1008d324 SendDlgItemMessageW
 0x1008d328 SendDlgItemMessageA
 0x1008d32c GetCapture
 0x1008d330 SetWindowsHookExW
 0x1008d334 CallNextHookEx
 0x1008d338 GetClassLongW
 0x1008d33c SetPropW
 0x1008d340 GetPropW
 0x1008d344 RemovePropW
 0x1008d348 GetFocus
 0x1008d34c GetForegroundWindow
 0x1008d350 GetTopWindow
 0x1008d354 UnhookWindowsHookEx
 0x1008d358 GetMessageTime
 0x1008d35c PeekMessageW
 0x1008d360 MapWindowPoints
 0x1008d364 TrackPopupMenu
 0x1008d368 SetMenu
 0x1008d36c GetClassInfoExW
 0x1008d370 RegisterClassW
 0x1008d374 AdjustWindowRectEx
 0x1008d378 GetDlgCtrlID
 0x1008d37c CallWindowProcW
 0x1008d380 GetMenu
 0x1008d384 SystemParametersInfoA
 0x1008d388 GetWindowPlacement
 0x1008d38c GetWindowTextLengthW
 0x1008d390 GetScrollPos
 0x1008d394 SetScrollPos
 0x1008d398 GetWindow
 0x1008d39c GetDesktopWindow
 0x1008d3a0 CreateDialogIndirectParamW
 0x1008d3a4 DestroyWindow
 0x1008d3a8 GetNextDlgTabItem
 0x1008d3ac DialogBoxIndirectParamW
 0x1008d3b0 EndDialog
 0x1008d3b4 SetWindowTextW
 0x1008d3b8 MoveWindow
 0x1008d3bc SetForegroundWindow
 0x1008d3c0 SetWindowPos
 0x1008d3c4 SetFocus
 0x1008d3c8 CheckDlgButton
 0x1008d3cc EnableMenuItem
 0x1008d3d0 GetDlgItem
 0x1008d3d4 GetDialogBaseUnits
 0x1008d3d8 EndPaint
 0x1008d3dc BeginPaint
 0x1008d3e0 MessageBoxW
 0x1008d3e4 GetLastActivePopup
 0x1008d3e8 GetActiveWindow
 0x1008d3ec GetSubMenu
 0x1008d3f0 LoadMenuW
 0x1008d3f4 MessageBeep
 0x1008d3f8 SetWindowLongW
 0x1008d3fc TranslateAcceleratorW
 0x1008d400 CreatePopupMenu
 0x1008d404 IsIconic
 0x1008d408 AppendMenuW
 0x1008d40c GetSystemMenu
 0x1008d410 LoadAcceleratorsW
 0x1008d414 LoadIconW
 0x1008d418 UpdateWindow
 0x1008d41c DispatchMessageW
 0x1008d420 TranslateMessage
 0x1008d424 GetKeyState
 0x1008d428 DrawTextW
 0x1008d42c WindowFromDC
 0x1008d430 IsWindowVisible
 0x1008d434 InvalidateRect
 0x1008d438 ReleaseCapture
 0x1008d43c GetMessagePos
 0x1008d440 SetCapture
 0x1008d444 FrameRect
 0x1008d448 DrawEdge
 0x1008d44c InflateRect
 0x1008d450 DrawFocusRect
 0x1008d454 RedrawWindow
 0x1008d458 DrawIcon
 0x1008d45c GetClientRect
 0x1008d460 GetAsyncKeyState
 0x1008d464 GetMenuState
 0x1008d468 GetMenuItemID
 0x1008d46c GetMenuItemCount
 0x1008d470 CopyRect
 0x1008d474 PtInRect
 0x1008d478 GetWindowTextW
 0x1008d47c GetWindowLongW
 0x1008d480 IsWindowEnabled
 0x1008d484 ChildWindowFromPoint
 0x1008d488 GetParent
 0x1008d48c ClientToScreen
 0x1008d490 WindowFromPoint
 0x1008d494 GetMessageW
 0x1008d498 ValidateRect
 0x1008d49c PostQuitMessage
 0x1008d4a0 GetWindowThreadProcessId
 0x1008d4a4 GetWindowDC
 0x1008d4a8 GrayStringW
 0x1008d4ac SetWindowRgn
 0x1008d4b0 OffsetRect
 0x1008d4b4 SetRect
 0x1008d4b8 SetTimer
 0x1008d4bc EqualRect
 0x1008d4c0 KillTimer
 0x1008d4c4 DrawTextExW
 0x1008d4c8 TabbedTextOutW
 0x1008d4cc SetActiveWindow
 0x1008d4d0 IsDialogMessageW
 0x1008d4d4 ScreenToClient
 0x1008d4d8 GetCursorPos
 0x1008d4dc IsWindow
 0x1008d4e0 DefWindowProcW
 0x1008d4e4 GetClassInfoW
 0x1008d4e8 SetRectEmpty
 0x1008d4ec GetClassNameW
 0x1008d4f0 LoadCursorW
 0x1008d4f4 GetSystemMetrics
 0x1008d4f8 SetCursor
 0x1008d4fc SystemParametersInfoW
 0x1008d500 LoadStringW
 0x1008d504 LoadImageW
 0x1008d508 DestroyCursor
 0x1008d50c DestroyIcon
 0x1008d510 CopyIcon
 0x1008d514 FillRect
 0x1008d518 CreateIconIndirect
 0x1008d51c ReleaseDC
 0x1008d520 GetDC
 0x1008d524 GetIconInfo
 0x1008d528 CreateWindowExW
 0x1008d52c ShowWindow
 0x1008d530 IsRectEmpty
 0x1008d534 DrawFrameControl
 0x1008d538 GetSysColor
 0x1008d53c SetClipboardData
 0x1008d540 EmptyClipboard
 0x1008d544 CloseClipboard
 0x1008d548 OpenClipboard
 0x1008d54c PostMessageW
 0x1008d550 GetWindowRect
 0x1008d554 SendMessageW
 0x1008d558 RegisterWindowMessageW
 0x1008d55c EnableWindow
 0x1008d560 WinHelpW
GDI32.dll
 0x1008d038 PtVisible
 0x1008d03c RectVisible
 0x1008d040 ExtTextOutW
 0x1008d044 Escape
 0x1008d048 SetViewportOrgEx
 0x1008d04c OffsetViewportOrgEx
 0x1008d050 SetViewportExtEx
 0x1008d054 ScaleViewportExtEx
 0x1008d058 SetWindowExtEx
 0x1008d05c ScaleWindowExtEx
 0x1008d060 DPtoLP
 0x1008d064 SaveDC
 0x1008d068 SetMapMode
 0x1008d06c DeleteDC
 0x1008d070 GetCharWidthW
 0x1008d074 GetCurrentObject
 0x1008d078 GetClipBox
 0x1008d07c Rectangle
 0x1008d080 GetStockObject
 0x1008d084 CreatePolygonRgn
 0x1008d088 CreateRoundRectRgn
 0x1008d08c OffsetRgn
 0x1008d090 CombineRgn
 0x1008d094 CreateRectRgn
 0x1008d098 SelectClipRgn
 0x1008d09c FillRgn
 0x1008d0a0 FrameRgn
 0x1008d0a4 TextOutW
 0x1008d0a8 GetTextExtentPoint32W
 0x1008d0ac SetTextJustification
 0x1008d0b0 GetTextMetricsW
 0x1008d0b4 SetBkColor
 0x1008d0b8 SetBkMode
 0x1008d0bc CreateFontIndirectW
 0x1008d0c0 LineTo
 0x1008d0c4 MoveToEx
 0x1008d0c8 CreatePen
 0x1008d0cc SetTextColor
 0x1008d0d0 CreateSolidBrush
 0x1008d0d4 StretchBlt
 0x1008d0d8 CreateBitmap
 0x1008d0dc GetObjectW
 0x1008d0e0 GetDeviceCaps
 0x1008d0e4 CreateDCW
 0x1008d0e8 CreateCompatibleBitmap
 0x1008d0ec BitBlt
 0x1008d0f0 SelectObject
 0x1008d0f4 CreateCompatibleDC
 0x1008d0f8 CreateDIBSection
 0x1008d0fc DeleteObject
 0x1008d100 RestoreDC
WINSPOOL.DRV
 0x1008d570 ClosePrinter
 0x1008d574 OpenPrinterW
 0x1008d578 DocumentPropertiesW
ADVAPI32.dll
 0x1008d000 RegOpenKeyW
 0x1008d004 RegQueryValueW
 0x1008d008 RegCloseKey
 0x1008d00c RegQueryValueExW
 0x1008d010 RegCreateKeyExW
 0x1008d014 RegOpenKeyExW
 0x1008d018 RegEnumKeyW
 0x1008d01c RegDeleteKeyW
 0x1008d020 RegSetValueExW
SHELL32.dll
 0x1008d2f8 ShellExecuteW
COMCTL32.dll
 0x1008d028 ImageList_GetImageCount
 0x1008d02c ImageList_GetIcon
 0x1008d030 None
SHLWAPI.dll
 0x1008d300 PathFindExtensionW
OLEAUT32.dll
 0x1008d2e8 VariantClear
 0x1008d2ec VariantChangeType
 0x1008d2f0 VariantInit
WINMM.dll
 0x1008d568 PlaySoundW

EAT(Export Address Table) Library

0x10079b90 DllRegisterServer
0x1006bf00 DllUnregisterServer

Similarity measure (PE file only) - Checking for service failure