Report - NINJA.exe

Tags: Generic Malware, Armageddon APT [C], All Process, UPX, PE32, PE File, GIF Format
Created 2023.01.28 23:33
Machine s1_win7_x6401
Filename NINJA.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 9.0
VT API (file) 49 detected (AIDetectNet, LodaRat, GenericKD, Unsafe, Save, malicious, AutoIt, Eldorado, Attribute, HighConfidence, score, Gkjl, AGEN, R03BC0PAQ23, TrojanAitInject, AutoItScript, GenKD, ai score=81, Sabsik, Convagent, Detected, Artemis, 888Rat, CLASSIC, susgen)
md5 9e870f801dd759298a34be67b104d930
sha256 6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b
ssdeep 24576:5sGzuMNu2HWJD2U1zANRGTfllqapvYaqom:5tLezwRW3vJ
imphash b9083dd82a429a49d949568d3647ca0d
impfuzzy 12:o1DoABZG/DzpM78r4B3ExjLAkcOaiTQQnd3mxCHoJ:UoC+DFM7PxExjLAkcOV2kw

Signature (21cnts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Executes one or more WMI queries
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Connects to a Dynamic DNS Domain
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (10cnts)

Level Name Description Collection
warning enclosed (no description) binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning VBScript_Check_All_Process VBScript Check All Process binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info Lnk_Format_Zero LNK Format binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts)

Request CC ASN Co IP4
ninja1337.zapto.org AE Emirates Integrated Telecommunications Company PJSC (EITC-DU) 94.207.64.73
94.207.64.73 AE Emirates Integrated Telecommunications Company PJSC (EITC-DU) 94.207.64.73

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x5bcd40 AddAce
COMCTL32.dll
 0x5bcd48 ImageList_Remove
COMDLG32.dll
 0x5bcd50 GetSaveFileNameW
GDI32.dll
 0x5bcd58 LineTo
IPHLPAPI.DLL
 0x5bcd60 IcmpSendEcho
KERNEL32.DLL
 0x5bcd68 LoadLibraryA
 0x5bcd6c ExitProcess
 0x5bcd70 GetProcAddress
 0x5bcd74 VirtualProtect
MPR.dll
 0x5bcd7c WNetUseConnectionW
ole32.dll
 0x5bcd84 CoGetObject
OLEAUT32.dll
 0x5bcd8c VariantInit
PSAPI.DLL
 0x5bcd94 GetProcessMemoryInfo
SHELL32.dll
 0x5bcd9c DragFinish
USER32.dll
 0x5bcda4 GetDC
USERENV.dll
 0x5bcdac LoadUserProfileW
UxTheme.dll
 0x5bcdb4 IsThemeActive
VERSION.dll
 0x5bcdbc VerQueryValueW
WININET.dll
 0x5bcdc4 FtpOpenFileW
WINMM.dll
 0x5bcdcc timeGetTime
WSOCK32.dll
 0x5bcdd4 socket

EAT(Export Address Table) is none