popup

Report - MyNewFileChr.exe

RAT Gen1 Gen2 UPX Malicious Library Malicious Packer ScreenShot Internet API Http API AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
    Created 2022.10.11 09:51 Machine s1_win7_x6403
    Filename MyNewFileChr.exe
    Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    AI Score
    9
    		 Behavior Score
    12.0
    ZERO API file : malware
    VT API (file) 28 detected (Unsafe, Save, Kryptik, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, AGSL, score, PWSX, S + Mal, Artemis, moderate, Static AI, Malicious PE, Raccoon, Detected, CLOUD, susgen, AFTP, ZemsilF, Xm2@aeTc)
    md5 bd23004f9dce0af56443bcd736ed3873
    sha256 c2283fa67f9c570588fbe02ade91f2b4fd9109ddf06d029af8c7e7c47d3579d2
    ssdeep 24576:vSSdabSZf7GLpGLMMMHMMMvMMZMMMKzbKXOMMHMMMvMMZMMMKzbKX7GLMMMHMMM1:BdakfqMMHMMMvMMZMMMFOMMHMMMvMMZb
    imphash f34d5f2d4577ed6d9ceec516c1f5a744
    impfuzzy 3:rGsLdAIEK:tf
      Network IP location
    +
    Leaflet

    Signature (27cnts)

    Level Description
    danger Executed a process and injected code into it
    warning File has been identified by 28 AntiVirus engines on VirusTotal as malicious
    watch Allocates execute permission to another process indicative of possible code injection
    watch Code injection by writing an executable or DLL to the memory of another process
    watch Collects information about installed applications
    watch Communicates with host for which no DNS query was performed
    watch Potential code injection by writing to the memory of another process
    watch Resumed a suspended thread in a remote process potentially indicative of process injection
    watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
    notice Allocates read-write-execute memory (usually to unpack itself)
    notice An executable file was downloaded by the process vbc.exe
    notice Creates executable files on the filesystem
    notice Drops an executable to the user AppData folder
    notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
    notice One or more potentially interesting buffers were extracted
    notice Performs some HTTP requests
    notice Queries for potentially installed applications
    notice Sends data using the HTTP POST Method
    notice Steals private information from local Internet browsers
    notice The binary likely contains encrypted or compressed data indicative of a packer
    notice Yara rule detected in process memory
    info Checks amount of memory in system
    info Checks if process is being debugged by a debugger
    info Collects information to fingerprint the system (MachineGuid
    info The file contains an unknown PE resource name possibly indicative of a packer
    info Tries to locate where the browsers are installed
    info Uses Windows APIs to generate a cryptographic key

    Rules (25cnts)

    Level Name Description Collection
    danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
    watch Malicious_Library_Zero Malicious_Library binaries (download)
    watch Malicious_Packer_Zero Malicious Packer binaries (download)
    watch UPX_Zero UPX packed file binaries (download)
    watch UPX_Zero UPX packed file binaries (upload)
    notice ScreenShot Take ScreenShot memory
    notice Str_Win32_Http_API Match Windows Http API call memory
    notice Str_Win32_Internet_API Match Windows Inet API call memory
    info anti_dbg Checks if being debugged memory
    info DebuggerCheck__GlobalFlags (no description) memory
    info DebuggerCheck__QueryInfo (no description) memory
    info DebuggerHiding__Active (no description) memory
    info DebuggerHiding__Thread (no description) memory
    info disable_dep Bypass DEP memory
    info Is_DotNET_EXE (no description) binaries (upload)
    info IsDLL (no description) binaries (download)
    info IsPE32 (no description) binaries (download)
    info IsPE32 (no description) binaries (upload)
    info OS_Processor_Check_Zero OS Processor Check binaries (download)
    info PE_Header_Zero PE File Signature binaries (download)
    info PE_Header_Zero PE File Signature binaries (upload)
    info SEH__vectored (no description) memory
    info ThreadControl__Context (no description) memory
    info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
    info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

    Network (10cnts) ?

    Request CC ASN Co IP4 Rule ? ZERO ?
    http://77.73.133.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
    whois
    		Unknown 77.73.133.7 clean
    http://77.73.133.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
    whois
    		Unknown 77.73.133.7 clean
    http://77.73.133.7/d978126996ddb27849ad730eefea7bc8
    whois
    		Unknown 77.73.133.7 clean
    http://77.73.133.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
    whois
    		Unknown 77.73.133.7 clean
    http://77.73.133.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
    whois
    		Unknown 77.73.133.7 clean
    http://77.73.133.7/
    whois
    		Unknown 77.73.133.7 mailcious
    http://77.73.133.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
    whois
    		Unknown 77.73.133.7 clean
    http://77.73.133.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
    whois
    		Unknown 77.73.133.7 clean
    http://77.73.133.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
    whois
    		Unknown 77.73.133.7 clean
    77.73.133.7
    whois
    		Unknown 77.73.133.7 mailcious

    Suricata ids

    PE API

    IAT(Import Address Table) Library

    mscoree.dll
     0x402000 _CorExeMain

    EAT(Export Address Table) is none


    Similarity measure (PE file only) - Checking for service failure