popup

Report - 106.exe

Gen1 Gen2 Malicious Library UPX Malicious Packer PE32 PE File OS Processor Check DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.03.06 09:43 Machine s1_win7_x6401
Filename 106.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score Not founds Behavior Score
7.4
ZERO API file : clean
VT API (file) 17 detected (AIDetectNet, Attribute, HighConfidence, malicious, high confidence, VMProtect, AU suspicious, score, Generic ML PUA, Sabsik, Generic@AI, RDML, LHbfmfKsQ5WnSH7COtA, susgen, ZexaF, @F0@aCc1mHxi, confidence)
md5 c3b975941fbb27386657f9cdec4dd02b
sha256 5352edfcfc3a9777717b92c82a4ee0bd63be0f8e5614135eb8db3746d34d92cd
ssdeep 393216:NvuYLmmGF+BsPxHs2qHAfFmCN6FWi4mNvQBuxC:h1kF6SfFm69iDvVA
imphash 68126a27c1574bca5a50909c5527308a
impfuzzy 6:HGDfAjIjyc9OajXA8VyH/JLGMZ/OiBJAEnERGDW:mDfACfw8sZGMZGqAJcDW
  Network IP location

Signature (19cnts)

Level Description
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch File has been identified by 17 AntiVirus engines on VirusTotal as malicious
watch Network activity contains more than one unique useragent
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process 106.exe
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (12cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)

Network (10cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://45.9.74.36/
whois
Unknown 45.9.74.36 clean
http://45.9.74.36/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
whois
Unknown 45.9.74.36 clean
http://45.9.74.36/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
whois
Unknown 45.9.74.36 clean
http://45.9.74.36/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
whois
Unknown 45.9.74.36 clean
http://45.9.74.36/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
whois
Unknown 45.9.74.36
http://45.9.74.36/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
whois
Unknown 45.9.74.36
http://45.9.74.36/c3bdf1b0a7b9fb651b36d7baa7139b6b
whois
Unknown 45.9.74.36
http://45.9.74.36/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
whois
Unknown 45.9.74.36
http://45.9.74.36/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
whois
Unknown 45.9.74.36
45.9.74.36
whois
Unknown 45.9.74.36

Suricata ids

ET INFO Dotted Quad Host DLL Request
ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible Generic Stealer Sending System Information

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0xe3b000 GetProcAddress
USER32.dll
 0xe3b008 DestroyWindow
ole32.dll
 0xe3b010 CoInitialize
KERNEL32.dll
 0xe3b018 GetSystemTimeAsFileTime
USER32.dll
 0xe3b020 CharUpperBuffW
KERNEL32.dll
 0xe3b028 LocalAlloc
 0xe3b02c LocalFree
 0xe3b030 GetModuleFileNameW
 0xe3b034 ExitProcess
 0xe3b038 LoadLibraryA
 0xe3b03c GetModuleHandleA
 0xe3b040 GetProcAddress

EAT(Export Address Table) Library


Similarity measure (PE file only) - Checking for service failure