Report - TUN.exe

Tags Emotet, RAT, Gen1, PWS, .NET framework, Malicious Library, UPX, AntiDebug, AntiVM, PE32, PE File, PNG Format, MSOffice File, GIF Format, OS Processor Check, .NET EXE, DLL, JPEG Format, PE64
Created 2022.12.02 10:58
Machine s1_win7_x6401
Filename TUN.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 4
Behavior Score 15.4
ZERO API file : malware
VT API (file) 36 detected (AIDetect, malware2, Csdi, GenericKD, Unsafe, Vuem, malicious, ABRisk, NNBA, high confidence, PRIVATELOADER, YXCK4Z, score, FileRepMalware, Misc, Gajl, Generic ML PUA, Malware@#2q0mwq1ko9jd8, AGEN, TrojDownloader, kcloud, Phonzy, Detected, PossibleThreat, grayware, confidence)
md5 c4807ea6c4ee04746a88248c855cb71d
sha256 5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e
ssdeep 6144:x/QiQXCpkm+ksmpk3U9j0IJaOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3pP6m6UR0IJalL//plmW9bTXeVhD4
imphash 884310b1928934402ea6fec1dbd3cf5e
impfuzzy 48:8cfp1rcQX0gebPCDr+ZbldH9AOZGwt+Eu55T/lGB:8cfpdcqNebqDrmrHW2

Signature (33cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 36 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process tun.tmp
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (29cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (62cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata IDS

PE API

IAT (Import Address Table) Library

kernel32.dll
 0x40d0b4 DeleteCriticalSection
 0x40d0b8 LeaveCriticalSection
 0x40d0bc EnterCriticalSection
 0x40d0c0 InitializeCriticalSection
 0x40d0c4 VirtualFree
 0x40d0c8 VirtualAlloc
 0x40d0cc LocalFree
 0x40d0d0 LocalAlloc
 0x40d0d4 WideCharToMultiByte
 0x40d0d8 TlsSetValue
 0x40d0dc TlsGetValue
 0x40d0e0 MultiByteToWideChar
 0x40d0e4 GetModuleHandleA
 0x40d0e8 GetLastError
 0x40d0ec GetCommandLineA
 0x40d0f0 WriteFile
 0x40d0f4 SetFilePointer
 0x40d0f8 SetEndOfFile
 0x40d0fc RtlUnwind
 0x40d100 ReadFile
 0x40d104 RaiseException
 0x40d108 GetStdHandle
 0x40d10c GetFileSize
 0x40d110 GetSystemTime
 0x40d114 GetFileType
 0x40d118 ExitProcess
 0x40d11c CreateFileA
 0x40d120 CloseHandle
user32.dll
 0x40d128 MessageBoxA
oleaut32.dll
 0x40d130 VariantChangeTypeEx
 0x40d134 VariantCopyInd
 0x40d138 VariantClear
 0x40d13c SysStringLen
 0x40d140 SysAllocStringLen
advapi32.dll
 0x40d148 RegQueryValueExA
 0x40d14c RegOpenKeyExA
 0x40d150 RegCloseKey
 0x40d154 OpenProcessToken
 0x40d158 LookupPrivilegeValueA
kernel32.dll
 0x40d160 WriteFile
 0x40d164 VirtualQuery
 0x40d168 VirtualProtect
 0x40d16c VirtualFree
 0x40d170 VirtualAlloc
 0x40d174 Sleep
 0x40d178 SizeofResource
 0x40d17c SetLastError
 0x40d180 SetFilePointer
 0x40d184 SetErrorMode
 0x40d188 SetEndOfFile
 0x40d18c RemoveDirectoryA
 0x40d190 ReadFile
 0x40d194 LockResource
 0x40d198 LoadResource
 0x40d19c LoadLibraryA
 0x40d1a0 IsDBCSLeadByte
 0x40d1a4 GetWindowsDirectoryA
 0x40d1a8 GetVersionExA
 0x40d1ac GetUserDefaultLangID
 0x40d1b0 GetSystemInfo
 0x40d1b4 GetSystemDefaultLCID
 0x40d1b8 GetProcAddress
 0x40d1bc GetModuleHandleA
 0x40d1c0 GetModuleFileNameA
 0x40d1c4 GetLocaleInfoA
 0x40d1c8 GetLastError
 0x40d1cc GetFullPathNameA
 0x40d1d0 GetFileSize
 0x40d1d4 GetFileAttributesA
 0x40d1d8 GetExitCodeProcess
 0x40d1dc GetEnvironmentVariableA
 0x40d1e0 GetCurrentProcess
 0x40d1e4 GetCommandLineA
 0x40d1e8 GetACP
 0x40d1ec InterlockedExchange
 0x40d1f0 FormatMessageA
 0x40d1f4 FindResourceA
 0x40d1f8 DeleteFileA
 0x40d1fc CreateProcessA
 0x40d200 CreateFileA
 0x40d204 CreateDirectoryA
 0x40d208 CloseHandle
user32.dll
 0x40d210 TranslateMessage
 0x40d214 SetWindowLongA
 0x40d218 PeekMessageA
 0x40d21c MsgWaitForMultipleObjects
 0x40d220 MessageBoxA
 0x40d224 LoadStringA
 0x40d228 ExitWindowsEx
 0x40d22c DispatchMessageA
 0x40d230 DestroyWindow
 0x40d234 CreateWindowExA
 0x40d238 CallWindowProcA
 0x40d23c CharPrevA
comctl32.dll
 0x40d244 InitCommonControls
advapi32.dll
 0x40d24c AdjustTokenPrivileges

EAT (Export Address Table): none
