Report - OqHwQ8xlWa5Goyo

Malicious Library DLL PE File PE64
Created 2022.05.23 09:40 Machine s1_win7_x6401
Filename OqHwQ8xlWa5Goyo
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
AI Score 6
Behavior Score 8.6
ZERO API file : malware
VT API (file) 29 detected (Siggen17, GenericKDZ, Unsafe, malicious, confidence, 100%, Emotet, Eldorado, high confidence, Kryptik, cltr, BankerX, Ajkz, Wacatac, score, R493366, ai score=80, susgen, FUWI)
md5 e651e7c9f3ff0821ac85ac431ca367a3
sha256 179bb93a9eb4acded81ef0a6b4c9f25d0ca6629cfa03cb97809e4acbcb964504
ssdeep 6144:hlNuuXQASByX7PxoJcXy16qFHJ7wwD1w3pq6jTK/V9OT0u:hlNu9ASByX7Vy/BJ7rGTK/V3
imphash ad5c5b0f3e2e211c551f3b5059e614d7
impfuzzy 24:yXv+1dOovBtQzgxrmJbOafDSIlyvp688T4CcPOKyxTuKjM/wg:yX21IKtBZalKpkcCcexuVR

Signature (16cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
warning File has been identified by 29 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Created a service that was not subsequently started
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Creates a suspicious process
notice Expresses interest in specific running processes
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (15cnts)

Request CC ASN Co IP4 Rule ZERO
160.16.143.191 JP SAKURA Internet Inc. 160.16.143.191 clean
202.29.239.162 TH Chulalongkorn University 202.29.239.162 malicious
202.28.34.99 TH Mahasarakham University 202.28.34.99 clean
104.248.225.227 US DIGITALOCEAN-ASN 104.248.225.227 malicious
62.171.178.147 DE Contabo GmbH 62.171.178.147 malicious
196.44.98.190 GH Ecoband 196.44.98.190 malicious
195.77.239.39 ES Telefonica De Espana 195.77.239.39 malicious
87.106.97.83 DE 1&1 Ionos Se 87.106.97.83 malicious
210.57.209.142 ID Universitas Airlangga 210.57.209.142 malicious
190.90.233.66 CO INTERNEXA S.A. E.S.P 190.90.233.66 malicious
110.235.83.107 HK Hong Kong Broadband Network Ltd. 110.235.83.107 clean
165.22.73.229 DE DIGITALOCEAN-ASN 165.22.73.229 clean
134.122.119.23 US DIGITALOCEAN-ASN 134.122.119.23 malicious
37.44.244.177 DE Hostinger International Limited 37.44.244.177 malicious
88.217.172.165 DE M-net Telekommunikations GmbH 88.217.172.165 malicious
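The "Communicates with host for which no DNS query was performed" signature above and the bare-IP Network table are two views of the same behaviour: the loader carries its peer list as literal addresses and never resolves a name, so every contact appears in the trace as a connect with no preceding DNS answer. The following is an added example, not output of the sandbox and not code from the sample, showing that detection logic over a constructed connection log. The log format (timestamp, then either DNS <name> <answer> or CONNECT <ip> <port>) is invented for illustration; the three flagged destinations are copied from the Network table, while the timestamps, ports and the two benign name-resolved connections are constructed.

```python
"""Flag outbound connections whose destination no earlier DNS answer resolved.

Added example (not part of the sandbox report, not code from the sample).
The log format is constructed for illustration, one event per line:
    <ts> DNS <qname> <answer_ip>
    <ts> CONNECT <dst_ip> <dst_port>
A loader that ships a hard-coded list of peer IPs connects without ever
issuing a DNS query, which is what the "no DNS query was performed"
signature in the report keys on.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Iterator


@dataclass(frozen=True)
class Finding:
    ts: int
    dst_ip: str
    dst_port: int


def parse_events(lines: Iterable[str]) -> Iterator[tuple[int, str, list[str]]]:
    """Yield (ts, kind, fields); blank or malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        yield ts, parts[1].upper(), parts[2:]


def _is_local_noise(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """LAN, loopback, link-local and multicast traffic is covered by other rules."""
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast


def direct_ip_connections(lines: Iterable[str], ignore_local: bool = True) -> list[Finding]:
    """Return CONNECT events to addresses that no DNS answer *earlier in the log*
    returned. Order matters: an answer that arrives after the connect does not
    retroactively excuse it."""
    resolved: set[str] = set()
    findings: list[Finding] = []
    for ts, kind, fields in parse_events(lines):
        if kind == "DNS" and len(fields) >= 2:
            resolved.add(fields[1])
        elif kind == "CONNECT" and len(fields) >= 2:
            try:
                addr = ipaddress.ip_address(fields[0])
                port = int(fields[1])
            except ValueError:
                continue  # not an IP literal or not a port; skip rather than guess
            if ignore_local and _is_local_noise(addr):
                continue
            if str(addr) not in resolved:
                findings.append(Finding(ts, str(addr), port))
    return findings


def summarize(findings: list[Finding]) -> list[str]:
    """One line per hit, in the spirit of the report's Network table."""
    return [f"{f.ts} direct-ip {f.dst_ip}:{f.dst_port}" for f in findings]


# Constructed sample log. The three bare destinations are taken from the
# Network table of the report; their ports and all timestamps are invented.
SAMPLE_LOG = """\
1 DNS www.example.com 93.184.216.34
2 CONNECT 93.184.216.34 443
3 CONNECT 202.29.239.162 8080
4 CONNECT 192.168.56.1 137
5 CONNECT 160.16.143.191 443
6 DNS time.windows.com 20.101.57.9
7 CONNECT 20.101.57.9 123
8 CONNECT 104.248.225.227 8080
""".splitlines()

if __name__ == "__main__":
    for line in summarize(direct_ip_connections(SAMPLE_LOG)):
        print(line)
```

Two design choices matter in practice: the check is order-sensitive (a name resolved only after the connect still counts as a hit, which is how a sandbox sees a hard-coded C2 list), and RFC 1918, loopback, link-local and multicast destinations are dropped by default because NetBIOS, SSDP and similar broadcast chatter would otherwise swamp the result.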

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x180022000 GetTimeFormatA
 0x180022008 GetDateFormatA
 0x180022010 GetThreadLocale
 0x180022018 FileTimeToSystemTime
 0x180022020 VirtualAlloc
 0x180022028 ExitProcess
 0x180022030 CloseHandle
 0x180022038 CreateFileW
 0x180022040 SetStdHandle
 0x180022048 GetCurrentThreadId
 0x180022050 FlsSetValue
 0x180022058 GetCommandLineA
 0x180022060 TerminateProcess
 0x180022068 GetCurrentProcess
 0x180022070 UnhandledExceptionFilter
 0x180022078 SetUnhandledExceptionFilter
 0x180022080 IsDebuggerPresent
 0x180022088 RtlVirtualUnwind
 0x180022090 RtlLookupFunctionEntry
 0x180022098 RtlCaptureContext
 0x1800220a0 RtlUnwindEx
 0x1800220a8 EncodePointer
 0x1800220b0 FlsGetValue
 0x1800220b8 FlsAlloc
 0x1800220c0 FlsFree
 0x1800220c8 SetLastError
 0x1800220d0 GetLastError
 0x1800220d8 HeapSize
 0x1800220e0 HeapValidate
 0x1800220e8 IsBadReadPtr
 0x1800220f0 DecodePointer
 0x1800220f8 GetProcAddress
 0x180022100 GetModuleHandleW
 0x180022108 SetHandleCount
 0x180022110 GetStdHandle
 0x180022118 InitializeCriticalSectionAndSpinCount
 0x180022120 GetFileType
 0x180022128 GetStartupInfoW
 0x180022130 DeleteCriticalSection
 0x180022138 GetModuleFileNameA
 0x180022140 FreeEnvironmentStringsW
 0x180022148 WideCharToMultiByte
 0x180022150 GetEnvironmentStringsW
 0x180022158 HeapSetInformation
 0x180022160 GetVersion
 0x180022168 HeapCreate
 0x180022170 HeapDestroy
 0x180022178 QueryPerformanceCounter
 0x180022180 GetTickCount
 0x180022188 GetCurrentProcessId
 0x180022190 GetSystemTimeAsFileTime
 0x180022198 EnterCriticalSection
 0x1800221a0 LeaveCriticalSection
 0x1800221a8 GetACP
 0x1800221b0 GetOEMCP
 0x1800221b8 GetCPInfo
 0x1800221c0 IsValidCodePage
 0x1800221c8 HeapAlloc
 0x1800221d0 GetModuleFileNameW
 0x1800221d8 HeapReAlloc
 0x1800221e0 HeapQueryInformation
 0x1800221e8 HeapFree
 0x1800221f0 WriteFile
 0x1800221f8 LoadLibraryW
 0x180022200 LCMapStringW
 0x180022208 MultiByteToWideChar
 0x180022210 GetStringTypeW
 0x180022218 OutputDebugStringA
 0x180022220 WriteConsoleW
 0x180022228 OutputDebugStringW
 0x180022230 RaiseException
 0x180022238 RtlPcToFileHeader
 0x180022240 SetFilePointer
 0x180022248 GetConsoleCP
 0x180022250 GetConsoleMode
 0x180022258 FlushFileBuffers
USER32.dll
 0x180022268 MessageBoxA
ole32.dll
 0x180022278 CoTaskMemFree
 0x180022280 CoTaskMemAlloc
 0x180022288 CoLoadLibrary
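The imphash field near the top of the report is derived from exactly the import list in this section. As an added example (not tool output and not code from the sample), the block below recomputes it from the transcribed IAT using the recipe pefile applies: lower-case every "library.function" pair with the library's .dll/.ocx/.sys extension removed, join them with commas in import-table order, and MD5 the result. Whether the printed value reproduces the report's imphash depends on this listing preserving the binary's import-descriptor order and containing no by-ordinal imports; that is an assumption here, not something the report states. A mismatch would itself be informative, since it means the tool walked the descriptors in a different order than the IAT addresses suggest.

```python
"""Recompute an imphash from an import listing, the way pefile does it.

Added example; the report's imphash field is tool output, this block is not.
imphash is md5 over the comma-joined, lower-cased "lib.func" strings in
import-table order, with the library extension (.dll/.ocx/.sys) removed.
Order and ordinal imports change the value, so the hash of the list below
equals the report's imphash only if the IAT listing preserved the binary's
import-descriptor order and contains no by-ordinal imports (assumption).
"""
import hashlib
from typing import Sequence, Union

Import = Union[str, int]  # by name, or by ordinal number

# Transcribed from the KERNEL32.dll block of this report, in listed order.
KERNEL32 = """
GetTimeFormatA GetDateFormatA GetThreadLocale FileTimeToSystemTime VirtualAlloc
ExitProcess CloseHandle CreateFileW SetStdHandle GetCurrentThreadId FlsSetValue
GetCommandLineA TerminateProcess GetCurrentProcess UnhandledExceptionFilter
SetUnhandledExceptionFilter IsDebuggerPresent RtlVirtualUnwind RtlLookupFunctionEntry
RtlCaptureContext RtlUnwindEx EncodePointer FlsGetValue FlsAlloc FlsFree SetLastError
GetLastError HeapSize HeapValidate IsBadReadPtr DecodePointer GetProcAddress
GetModuleHandleW SetHandleCount GetStdHandle InitializeCriticalSectionAndSpinCount
GetFileType GetStartupInfoW DeleteCriticalSection GetModuleFileNameA
FreeEnvironmentStringsW WideCharToMultiByte GetEnvironmentStringsW HeapSetInformation
GetVersion HeapCreate HeapDestroy QueryPerformanceCounter GetTickCount
GetCurrentProcessId GetSystemTimeAsFileTime EnterCriticalSection LeaveCriticalSection
GetACP GetOEMCP GetCPInfo IsValidCodePage HeapAlloc GetModuleFileNameW HeapReAlloc
HeapQueryInformation HeapFree WriteFile LoadLibraryW LCMapStringW MultiByteToWideChar
GetStringTypeW OutputDebugStringA WriteConsoleW OutputDebugStringW RaiseException
RtlPcToFileHeader SetFilePointer GetConsoleCP GetConsoleMode FlushFileBuffers
""".split()

# The three descriptors of this report's IAT section, in listed order.
REPORT_IMPORTS: list[tuple[str, Sequence[Import]]] = [
    ("KERNEL32.dll", KERNEL32),
    ("USER32.dll", ["MessageBoxA"]),
    ("ole32.dll", ["CoTaskMemFree", "CoTaskMemAlloc", "CoLoadLibrary"]),
]


def _libname(dll: str) -> str:
    """Lower-case the library name and strip one of .dll/.ocx/.sys, as pefile does."""
    name = dll.lower()
    base, _, ext = name.rpartition(".")
    return base if ext in ("dll", "ocx", "sys") else name


def imphash_strings(imports: Sequence[tuple[str, Sequence[Import]]]) -> list[str]:
    """The ordered "lib.func" tokens that get hashed."""
    out: list[str] = []
    for dll, funcs in imports:
        lib = _libname(dll)
        for f in funcs:
            # pefile maps ordinals of a few well-known DLLs (e.g. ws2_32) back to
            # names first; anything unresolved becomes "ordN". Only that fallback
            # is modelled here.
            fname = f"ord{f}" if isinstance(f, int) else f.lower()
            out.append(f"{lib}.{fname}")
    return out


def imphash(imports: Sequence[tuple[str, Sequence[Import]]]) -> str:
    return hashlib.md5(",".join(imphash_strings(imports)).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash(REPORT_IMPORTS))  # compare with the report's imphash field
```

The properties worth remembering when pivoting on this value are visible in the code: it is case-insensitive, it ignores the IAT addresses entirely, and it is sensitive to import order and to by-ordinal imports, so two builds with the same API surface but a different link order will not share an imphash.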

EAT (Export Address Table) Library

0x180001140 AddIn_FileTime
0x1800010b0 AddIn_SystemTime
0x180003110 DllRegisterServer
Similarity measure (PE file only) - Checking for service failure