Report - nppshell.exe

Generic Malware UPX Antivirus Malicious Library Malicious Packer PE32 OS Processor Check PE File PE64 DLL JPEG Format BMP Format
Created 2022.12.10 14:49
Machine s1_win7_x6403
Filename nppshell.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 14.2
ZERO API (file): malware
VT API (file): 11 detected (AIDetect, malware2, malicious, moderate confidence, Deyma, FileRepMalware, Artemis, kcloud, Sabsik)
md5 45a95da55d4eb1e4d7f8d08f52e1f0ee
sha256 e83cc90eaa0bafe3145cdc992932ac30a1e652a7db32c675fb2d2690b2b1df78
ssdeep 6144:YMzOWna0dbZdKWXmBeirnD1Pz/+AcxZgyAb3plR:YM0EZdn2BJbJz/gxpArrR
imphash a4c6d11a9210ef851a0e136314d86581
impfuzzy 24:tAq1JnD8r7b9BBwkg6yWNwyWPWci+YLSWQSatBbAocAD4ujbzAmvAZhaihAJCJLq:Wq1Krv9BB/gmNgpYLSWQSatBKm8K4ZLY

Signatures (35 counts)

Level Description
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
watch File has been identified by 11 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
watch Harvests information related to installed instant messenger clients
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
notice A process attempted to delay the analysis task
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process gntuud.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates (office) documents on the filesystem
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path
info Uses Windows APIs to generate a cryptographic key

Rules (16 counts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info bmp_file_format bmp file format binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (15 counts)

Request CC ASN Company IPv4 Rule ZERO
http://85.209.135.109/jg94cVd30f/index.php?scr=1 DE CMCS 85.209.135.109 clean
http://ripple-wells-2022.net/n8exrcvvse1m2/syncfiles.dll PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.243 clean
http://85.209.135.109/jg94cVd30f/Plugins/cred64.dll DE CMCS 85.209.135.109 clean
http://ripple-wells-2022.net/mwr8f3vdi2h22/umciavi64.exe PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.243 clean
http://ripple-wells-2022.net/n8exrcvvse1m2/Emit64.exe PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.243 clean
http://45.159.188.118/bot/online?guid=test22-PC\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34 NL HOSTING-SOLUTIONS 45.159.188.118 24799 malicious
http://ripple-wells-2022.net/n8exrcvvse1m2/avicapn32.exe PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.243 clean
http://ripple-wells-2022.net/mwr8f3vdi2h22/umciavi32.exe PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.243 clean
http://85.209.135.109/jg94cVd30f/index.php DE CMCS 85.209.135.109 clean
http://45.159.188.118/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34 NL HOSTING-SOLUTIONS 45.159.188.118 24798 malicious
ripple-wells-2022.net PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.243 malware
89.22.236.225 TR M247 Ltd 89.22.236.225 clean
188.93.233.243 PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.243 malware
85.209.135.109 DE CMCS 85.209.135.109 clean
45.159.188.118 NL HOSTING-SOLUTIONS 45.159.188.118 malicious

Suricata IDS: none

PE API

IAT (Import Address Table) by library

KERNEL32.dll
 0x448380 CreateThread
 0x448384 ExitProcess
 0x448388 GetCurrentProcess
 0x44838c GetCurrentProcessId
 0x448390 GetCurrentThreadId
 0x448394 GetLastError
 0x448398 GetModuleHandleW
 0x44839c GetProcAddress
 0x4483a0 GetStartupInfoW
 0x4483a4 GetSystemTimeAsFileTime
 0x4483a8 GetUserDefaultLangID
 0x4483ac InitializeSListHead
 0x4483b0 IsDebuggerPresent
 0x4483b4 IsProcessorFeaturePresent
 0x4483b8 LoadLibraryW
 0x4483bc QueryPerformanceCounter
 0x4483c0 SetUnhandledExceptionFilter
 0x4483c4 TerminateProcess
 0x4483c8 UnhandledExceptionFilter
 0x4483cc VirtualAlloc
 0x4483d0 VirtualProtect
USER32.dll
 0x4483d8 MessageBoxW
 0x4483dc wsprintfW
VCRUNTIME140.dll
 0x4483e4 __current_exception
 0x4483e8 __current_exception_context
 0x4483ec _except_handler4_common
 0x4483f0 memcpy
 0x4483f4 memset
api-ms-win-crt-stdio-l1-1-0.dll
 0x4483fc __p__commode
 0x448400 _fcloseall
 0x448404 _set_fmode
 0x448408 fopen
 0x44840c fread
api-ms-win-crt-math-l1-1-0.dll
 0x448414 __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll
 0x44841c _c_exit
 0x448420 _cexit
 0x448424 _configure_wide_argv
 0x448428 _controlfp_s
 0x44842c _crt_atexit
 0x448430 _exit
 0x448434 _get_wide_winmain_command_line
 0x448438 _initialize_onexit_table
 0x44843c _initialize_wide_environment
 0x448440 _initterm
 0x448444 _initterm_e
 0x448448 _register_onexit_function
 0x44844c _register_thread_local_exe_atexit_callback
 0x448450 _seh_filter_exe
 0x448454 _set_app_type
 0x448458 exit
 0x44845c terminate
api-ms-win-crt-locale-l1-1-0.dll
 0x448464 _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll
 0x44846c _set_new_mode
 0x448470 malloc

EAT (Export Address Table): none
