Report - stown1.exe

Malicious Library VMProtect UPX PE32 PE File
Created 2023.01.22 16:03 Machine s1_win7_x6401
Filename stown1.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 3
Behavior Score 8.4
ZERO API file : malware
VT API (file) 24 detected (malicious, high confidence, score, Artemis, Unsafe, Save, Attribute, HighConfidence, high, VMProtBad, Static AI, Suspicious PE, Redline, Detected, ZexaF, xB0@autCihfi, BScope, Tiggre, GenKryptik, ykRemS4CiSD, susgen, VMProtect)
md5 b00fe17fccad1c5f877029217da5c175
sha256 960adba1385780365bed7eded36309aba3f0fa281f304900abd1e381a3f78fbe
ssdeep 49152:uEuqnAJc3G5aAx4qcNPXAIsUbEdD3Nm3YYgLi5VaTwcXZTPBIeRU333:uhcm1x4q1RgEZ3NygCAHXhqV333
imphash 27646fe1057f21eaccb79bddb2ab15c5
impfuzzy 48:gQ8NIbXQcfEt4ITbuWlpChaTHQPXpcM5Q8:gQ8NIbAcfEt4IvuWvmarQPXpcu/

Signature (22cnts)

Level Description
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
watch Collects information about installed applications
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client software
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (5cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
watch VMProtect_Zero VMProtect packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts)

Request CC ASN Co IP4 Rule ZERO
https://api.ip.sb/ip US CLOUDFLARENET 104.26.13.31 clean
librchichelpai.shop UA Mulgin Alexander Sergeevich 45.129.97.243 malicious
api.ip.sb US CLOUDFLARENET 104.26.12.31 clean
45.129.97.243 UA Mulgin Alexander Sergeevich 45.129.97.243 clean
104.26.13.31 US CLOUDFLARENET 104.26.13.31 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x735000 RaiseException
 0x735004 GetLastError
 0x735008 MultiByteToWideChar
 0x73500c lstrlenA
 0x735010 InterlockedDecrement
 0x735014 GetProcAddress
 0x735018 LoadLibraryA
 0x73501c FreeResource
 0x735020 SizeofResource
 0x735024 LockResource
 0x735028 LoadResource
 0x73502c FindResourceA
 0x735030 GetModuleHandleA
 0x735034 Module32Next
 0x735038 CloseHandle
 0x73503c Module32First
 0x735040 CreateToolhelp32Snapshot
 0x735044 GetCurrentProcessId
 0x735048 SetEndOfFile
 0x73504c GetStringTypeW
 0x735050 GetStringTypeA
 0x735054 LCMapStringW
 0x735058 LCMapStringA
 0x73505c GetLocaleInfoA
 0x735060 HeapFree
 0x735064 GetProcessHeap
 0x735068 HeapAlloc
 0x73506c GetCommandLineA
 0x735070 HeapCreate
 0x735074 VirtualFree
 0x735078 DeleteCriticalSection
 0x73507c LeaveCriticalSection
 0x735080 EnterCriticalSection
 0x735084 VirtualAlloc
 0x735088 HeapReAlloc
 0x73508c HeapSize
 0x735090 TerminateProcess
 0x735094 GetCurrentProcess
 0x735098 UnhandledExceptionFilter
 0x73509c SetUnhandledExceptionFilter
 0x7350a0 IsDebuggerPresent
 0x7350a4 GetModuleHandleW
 0x7350a8 Sleep
 0x7350ac ExitProcess
 0x7350b0 WriteFile
 0x7350b4 GetStdHandle
 0x7350b8 GetModuleFileNameA
 0x7350bc WideCharToMultiByte
 0x7350c0 GetConsoleCP
 0x7350c4 GetConsoleMode
 0x7350c8 ReadFile
 0x7350cc TlsGetValue
 0x7350d0 TlsAlloc
 0x7350d4 TlsSetValue
 0x7350d8 TlsFree
 0x7350dc InterlockedIncrement
 0x7350e0 SetLastError
 0x7350e4 GetCurrentThreadId
 0x7350e8 FlushFileBuffers
 0x7350ec SetFilePointer
 0x7350f0 SetHandleCount
 0x7350f4 GetFileType
 0x7350f8 GetStartupInfoA
 0x7350fc RtlUnwind
 0x735100 FreeEnvironmentStringsA
 0x735104 GetEnvironmentStrings
 0x735108 FreeEnvironmentStringsW
 0x73510c GetEnvironmentStringsW
 0x735110 QueryPerformanceCounter
 0x735114 GetTickCount
 0x735118 GetSystemTimeAsFileTime
 0x73511c InitializeCriticalSectionAndSpinCount
 0x735120 GetCPInfo
 0x735124 GetACP
 0x735128 GetOEMCP
 0x73512c IsValidCodePage
 0x735130 CompareStringA
 0x735134 CompareStringW
 0x735138 SetEnvironmentVariableA
 0x73513c WriteConsoleA
 0x735140 GetConsoleOutputCP
 0x735144 WriteConsoleW
 0x735148 SetStdHandle
 0x73514c CreateFileA
ole32.dll
 0x735154 OleInitialize
OLEAUT32.dll
 0x73515c SafeArrayCreate
 0x735160 SafeArrayAccessData
 0x735164 SafeArrayUnaccessData
 0x735168 SafeArrayDestroy
 0x73516c SafeArrayCreateVector
 0x735170 VariantClear
 0x735174 VariantInit
 0x735178 SysFreeString
 0x73517c SysAllocString
KERNEL32.dll
 0x735184 LocalAlloc
 0x735188 LocalFree
 0x73518c GetModuleFileNameW
 0x735190 GetProcessAffinityMask
 0x735194 SetProcessAffinityMask
 0x735198 SetThreadAffinityMask
 0x73519c Sleep
 0x7351a0 ExitProcess
 0x7351a4 FreeLibrary
 0x7351a8 LoadLibraryA
 0x7351ac GetModuleHandleA
 0x7351b0 GetProcAddress
USER32.dll
 0x7351b8 GetProcessWindowStation
 0x7351bc GetUserObjectInformationW

EAT(Export Address Table) is none
Similarity measure (PE file only) - Checking for service failure