popup

Report - Bolt.exe

Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File PNG Format .NET EXE MSOffice File DLL OS Processor Check JPEG Format PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2022.11.10 09:56 Machine s1_win7_x6401
Filename Bolt.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
12.4
ZERO API file : malware
VT API (file) 19 detected (AIDetect, malware2, DownLoader44, malicious, high confidence, Csdi, Manuscrypt, Agen, Kjgl, AdwareFileTour, Generic ML PUA, kcloud, Phonzy, score, susgen, confidence)
md5 0c51d5838eaa310b8d009ab265c1846e
sha256 1449e7a3111fdfb697c631367fcbc08eb0ab911bc280fd0c3d132cc3918d1da6
ssdeep 6144:x/QiQXCkkm+ksmpk3U9j0Iunb+OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglMb:pQi3kP6m6UR0IunClL//plmW9bTXeVh8
imphash 884310b1928934402ea6fec1dbd3cf5e
impfuzzy 48:8cfp1rcQX0gebPCDr+ZbldH9AOZGwt+Eu55T/lGB:8cfpdcqNebqDrmrHW2
  Network IP location

Signature (30cnts)

Level Description
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
watch File has been identified by 19 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the processes bolt.tmp
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (28cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (39cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/up-da-b135l0bjgejx.exe
whois
PL Online S.a.s. 151.115.10.1 malware
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
whois
RU RocketTelecom LLC 37.230.138.66 23046 mailcious
http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/hand-b135l0bjgejx.exe
whois
PL Online S.a.s. 151.115.10.1 clean
http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/pub-b135l0bjgejx.exe
whois
PL Online S.a.s. 151.115.10.1 malware
http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe
whois
PL Online S.a.s. 151.115.10.1 clean
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US CCCH-3 23.43.165.66 clean
http://www.google.com/
whois
US GOOGLE 142.250.76.132 clean
https://connectini.net/Series/SuperNitouDisc.php
whois
RU RocketTelecom LLC 37.230.138.123 7619 mailcious
https://connectini.net/Series/publisher/1/KR.json
whois
RU RocketTelecom LLC 37.230.138.123 23559 mailcious
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
whois
RU RocketTelecom LLC 37.230.138.123 1972 mailcious
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
whois
Unknown 52.219.170.66 23052 mailcious
https://connectini.net/Series/Conumer4Publisher.php
whois
RU RocketTelecom LLC 37.230.138.123 1976 mailcious
https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=8
whois
RU RocketTelecom LLC 37.230.138.123 7620 mailcious
https://connectini.net/Series/configPoduct/2/goodchannel.json
whois
RU RocketTelecom LLC 37.230.138.123 1973 mailcious
https://connectini.net/Series/Conumer2kenpachi.php
whois
RU RocketTelecom LLC 37.230.138.123 1974 mailcious
https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
whois
PL Online S.a.s. 151.115.10.1 23145 mailcious
wewewe.s3.eu-central-1.amazonaws.com
whois
DE AMAZON-02 52.219.72.172 mailcious
nova-brothers.s3.pl-waw.scw.cloud
whois
PL Online S.a.s. 151.115.10.1 malware
160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud
whois
PL Online S.a.s. 151.115.10.1 clean
google.com
whois
US GOOGLE 142.250.76.142 clean
doll.s3.pl-waw.scw.cloud
whois
PL Online S.a.s. 151.115.10.1 mailcious
360devtracking.com
whois
RU RocketTelecom LLC 37.230.138.66 mailcious
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
connectini.net
whois
RU RocketTelecom LLC 37.230.138.123 mailcious
www.profitabletrustednetwork.com
whois
US DataWeb Global Group B.V. 192.243.61.227 mailcious
apps.identrust.com
whois
US CCCH-3 23.43.165.66 clean
www.google.com
whois
US GOOGLE 142.250.76.132 clean
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
23.43.165.105
whois
US CCCH-3 23.43.165.105 clean
151.115.10.1
whois
PL Online S.a.s. 151.115.10.1 malware
142.250.76.132
whois
US GOOGLE 142.250.76.132 clean
23.43.165.66
whois
US CCCH-3 23.43.165.66 clean
185.213.208.196
whois
NL Zomro B.V. 185.213.208.196 clean
23.216.159.9
whois
US CCCH-3 23.216.159.9 clean
37.230.138.123
whois
RU RocketTelecom LLC 37.230.138.123 mailcious
142.250.76.142
whois
US GOOGLE 142.250.76.142 mailcious
173.233.137.36
whois
US SERVERS 173.233.137.36 clean
37.230.138.66
whois
RU RocketTelecom LLC 37.230.138.66 mailcious
52.219.170.66
whois
Unknown 52.219.170.66 clean

Suricata ids

ET INFO Observed DNS Query to .cloud TLD
ET INFO HTTP Request to Suspicious *.cloud Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
ET INFO TLS Handshake Failure

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x40d0b4 DeleteCriticalSection
 0x40d0b8 LeaveCriticalSection
 0x40d0bc EnterCriticalSection
 0x40d0c0 InitializeCriticalSection
 0x40d0c4 VirtualFree
 0x40d0c8 VirtualAlloc
 0x40d0cc LocalFree
 0x40d0d0 LocalAlloc
 0x40d0d4 WideCharToMultiByte
 0x40d0d8 TlsSetValue
 0x40d0dc TlsGetValue
 0x40d0e0 MultiByteToWideChar
 0x40d0e4 GetModuleHandleA
 0x40d0e8 GetLastError
 0x40d0ec GetCommandLineA
 0x40d0f0 WriteFile
 0x40d0f4 SetFilePointer
 0x40d0f8 SetEndOfFile
 0x40d0fc RtlUnwind
 0x40d100 ReadFile
 0x40d104 RaiseException
 0x40d108 GetStdHandle
 0x40d10c GetFileSize
 0x40d110 GetSystemTime
 0x40d114 GetFileType
 0x40d118 ExitProcess
 0x40d11c CreateFileA
 0x40d120 CloseHandle
user32.dll
 0x40d128 MessageBoxA
oleaut32.dll
 0x40d130 VariantChangeTypeEx
 0x40d134 VariantCopyInd
 0x40d138 VariantClear
 0x40d13c SysStringLen
 0x40d140 SysAllocStringLen
advapi32.dll
 0x40d148 RegQueryValueExA
 0x40d14c RegOpenKeyExA
 0x40d150 RegCloseKey
 0x40d154 OpenProcessToken
 0x40d158 LookupPrivilegeValueA
kernel32.dll
 0x40d160 WriteFile
 0x40d164 VirtualQuery
 0x40d168 VirtualProtect
 0x40d16c VirtualFree
 0x40d170 VirtualAlloc
 0x40d174 Sleep
 0x40d178 SizeofResource
 0x40d17c SetLastError
 0x40d180 SetFilePointer
 0x40d184 SetErrorMode
 0x40d188 SetEndOfFile
 0x40d18c RemoveDirectoryA
 0x40d190 ReadFile
 0x40d194 LockResource
 0x40d198 LoadResource
 0x40d19c LoadLibraryA
 0x40d1a0 IsDBCSLeadByte
 0x40d1a4 GetWindowsDirectoryA
 0x40d1a8 GetVersionExA
 0x40d1ac GetUserDefaultLangID
 0x40d1b0 GetSystemInfo
 0x40d1b4 GetSystemDefaultLCID
 0x40d1b8 GetProcAddress
 0x40d1bc GetModuleHandleA
 0x40d1c0 GetModuleFileNameA
 0x40d1c4 GetLocaleInfoA
 0x40d1c8 GetLastError
 0x40d1cc GetFullPathNameA
 0x40d1d0 GetFileSize
 0x40d1d4 GetFileAttributesA
 0x40d1d8 GetExitCodeProcess
 0x40d1dc GetEnvironmentVariableA
 0x40d1e0 GetCurrentProcess
 0x40d1e4 GetCommandLineA
 0x40d1e8 GetACP
 0x40d1ec InterlockedExchange
 0x40d1f0 FormatMessageA
 0x40d1f4 FindResourceA
 0x40d1f8 DeleteFileA
 0x40d1fc CreateProcessA
 0x40d200 CreateFileA
 0x40d204 CreateDirectoryA
 0x40d208 CloseHandle
user32.dll
 0x40d210 TranslateMessage
 0x40d214 SetWindowLongA
 0x40d218 PeekMessageA
 0x40d21c MsgWaitForMultipleObjects
 0x40d220 MessageBoxA
 0x40d224 LoadStringA
 0x40d228 ExitWindowsEx
 0x40d22c DispatchMessageA
 0x40d230 DestroyWindow
 0x40d234 CreateWindowExA
 0x40d238 CallWindowProcA
 0x40d23c CharPrevA
comctl32.dll
 0x40d244 InitCommonControls
advapi32.dll
 0x40d24c AdjustTokenPrivileges

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure