Report - git1.exe

RAT PWS .NET framework Gen1 UPX Malicious Library AntiDebug AntiVM PE32 .NET EXE PE File PNG Format MSOffice File OS Processor Check DLL JPEG Format GIF Format PE64
Created 2023.02.02 11:39 Machine s1_win7_x6401
Filename git1.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score 9
Behavior Score 10.2
ZERO API file : malware
VT API (file) 29 detected (Gen:Variant.Strictor.266661, Unsafe, Malicious, HEUR:Trojan-Downloader.MSIL.Csdi.gen, not-a-virus:HEUR:AdWare.MSIL.Csdi.gen, malicious.0eae1d, ML.Attribute.HighConfidence, Generic.mg.49f8d26f22bbaaca, W32.AIDetectNet.01, Trojan.Malware.300983.susgen, Win32:AdwareX-gen [Adw, Generic ML PUA (PUA), a variant of MSIL/Adware.CsdiMonetize.BC, Trojan.Strictor.D411A5, Gen:NN.ZemsilF.36252.Jm0@aGXYJim, suspicious, Malicious (score: 100), Generic.Malware, malicious (high confidence), Static AI - Malicious PE, Suspicious.Win32.Save.a, Gen:Variant.Strictor.266661 (B), HEUR/AGEN.1255496, malware (ai score=82))
md5 49f8d26f22bbaaca363ae4e351b2e8e7
sha256 d462ba9ff530b219011dd745158ae159dd42322ad2bfa13818689f738f4b6aab
ssdeep 12288:UnFJkacArznQj3XaXXAE+gXw3OGsItH6JWWQ/N0huTW4N0:WixWD2zWZ
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf

Signature (25cnts)

Level Description
warning Generates some ICMP traffic
watch Installs itself for autorun at Windows startup
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername

Rules (28cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info Is_DotNET_EXE (no description) binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (31cnts)


Suricata ids

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none
