Report - St4_soft.exe

Emotet UPX Malicious Library Anti_VM Malicious Packer Create Service Socket ScreenShot DNS PWS[m] KeyLogger Escalate priviledges persistence BitCoin AntiDebug AntiVM OS Processor Check PE64 PE File
ScreenShot
Created 2023.03.20 11:29 Machine s1_win7_x6403
Filename St4_soft.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
4
Behavior Score
11.6
ZERO API file : clean
VT API (file) 45 detected (Coins, malicious, high confidence, GenericKD, Artemis, Vujn, confidence, 100%, TrojanPSW, ABRisk, ESIH, Attribute, HighConfidence, a variant of WinGo, score, PWSX, QQPass, QQRob, Mgil, AURORASTEALER, YXDCQZ, Redcap, ebkir, ai score=84, Aurora, Malware@#g0v5wkxmmnax, Trickbot, Detected, R559668, unsafe, CLOUD, WinGo, susgen)
md5 1431d295525534f244dd34a8a311b87f
sha256 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e
ssdeep 24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1
imphash 9cbefe68f395e67356e2a5d8d1b285c0
impfuzzy 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP

Signature (24cnts)

Level Description
danger File has been identified by 45 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Appends a known multi-family ransomware file extension to files that have been encrypted
watch Code injection by writing an executable or DLL to the memory of another process
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
watch Harvests credentials from local email clients
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice One or more potentially interesting buffers were extracted
notice Potentially malicious URLs were found in the process memory dump
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (27cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (upload)
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate privileges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
notice Network_DNS Communications use DNS memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice Persistence Install itself for autorun at Windows startup memory
notice ScreenShot Take ScreenShot memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Virtual_currency_Zero Virtual currency memory

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
45.15.156.172 RU CJSC Kolomna-Sviaz TV 45.15.156.172 malicious

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0xb621a0 WriteFile
 0xb621a8 WriteConsoleW
 0xb621b0 WaitForMultipleObjects
 0xb621b8 WaitForSingleObject
 0xb621c0 VirtualQuery
 0xb621c8 VirtualFree
 0xb621d0 VirtualAlloc
 0xb621d8 SwitchToThread
 0xb621e0 SuspendThread
 0xb621e8 SetWaitableTimer
 0xb621f0 SetUnhandledExceptionFilter
 0xb621f8 SetProcessPriorityBoost
 0xb62200 SetEvent
 0xb62208 SetErrorMode
 0xb62210 SetConsoleCtrlHandler
 0xb62218 ResumeThread
 0xb62220 PostQueuedCompletionStatus
 0xb62228 LoadLibraryA
 0xb62230 LoadLibraryW
 0xb62238 SetThreadContext
 0xb62240 GetThreadContext
 0xb62248 GetSystemInfo
 0xb62250 GetSystemDirectoryA
 0xb62258 GetStdHandle
 0xb62260 GetQueuedCompletionStatusEx
 0xb62268 GetProcessAffinityMask
 0xb62270 GetProcAddress
 0xb62278 GetEnvironmentStringsW
 0xb62280 GetConsoleMode
 0xb62288 FreeEnvironmentStringsW
 0xb62290 ExitProcess
 0xb62298 DuplicateHandle
 0xb622a0 CreateWaitableTimerExW
 0xb622a8 CreateThread
 0xb622b0 CreateIoCompletionPort
 0xb622b8 CreateFileA
 0xb622c0 CreateEventA
 0xb622c8 CloseHandle
 0xb622d0 AddVectoredExceptionHandler

EAT(Export Address Table) is none
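The import table above is the only static API evidence in this report, so here is a small triage script for it. This is an added example for this page, not code from the sandbox service or from the sample. IAT_TEXT reproduces the kernel32 section above (the 39 names; the addresses are regenerated from the 8-byte stride starting at 0xb621a0). GO_RUNTIME_KERNEL32 is an assumption written for this example: the kernel32 functions a Go toolchain imports statically on windows/amd64, consistent with the "a variant of WinGo" detections and the "stripped to external PDB" type line above, but not something the report states. The point it makes: every listed import, including the SuspendThread/GetThreadContext/SetThreadContext/ResumeThread set that looks like thread-context hijacking, belongs to the Go runtime, so the static IAT on its own says only "Go binary". The injection evidence that carries weight is the dynamic signatures (a resumed suspended thread in a remote process, NtSetContextThread on a remote thread, executable memory written into another process), and APIs such as WriteProcessMemory or Winsock are absent from the IAT because Go resolves them at run time.

```python
"""Static triage of the kernel32 import table listed in this report.

Added example, not part of the sandbox report and not code from the sample.
IAT_TEXT reproduces the report's IAT section (39 kernel32 names; addresses
regenerated from the 8-byte stride starting at 0xb621a0). GO_RUNTIME_KERNEL32
is an assumed baseline written for this example: kernel32 functions the Go
runtime imports statically on windows/amd64. It is not stated by the report.
"""
import re

IMPORT_NAMES = """
WriteFile WriteConsoleW WaitForMultipleObjects WaitForSingleObject VirtualQuery
VirtualFree VirtualAlloc SwitchToThread SuspendThread SetWaitableTimer
SetUnhandledExceptionFilter SetProcessPriorityBoost SetEvent SetErrorMode
SetConsoleCtrlHandler ResumeThread PostQueuedCompletionStatus LoadLibraryA
LoadLibraryW SetThreadContext GetThreadContext GetSystemInfo GetSystemDirectoryA
GetStdHandle GetQueuedCompletionStatusEx GetProcessAffinityMask GetProcAddress
GetEnvironmentStringsW GetConsoleMode FreeEnvironmentStringsW ExitProcess
DuplicateHandle CreateWaitableTimerExW CreateThread CreateIoCompletionPort
CreateFileA CreateEventA CloseHandle AddVectoredExceptionHandler
""".split()

# Same layout as the report: a DLL name line followed by "0xADDR Function" lines.
IAT_TEXT = "kernel32.dll\n" + "\n".join(
    f" 0x{0xB621A0 + 8 * i:x} {name}" for i, name in enumerate(IMPORT_NAMES))

# Assumed Go runtime baseline (runtime/os_windows.go libcalls). Regenerate it
# from a hello-world build of the toolchain you care about before relying on it.
GO_RUNTIME_KERNEL32 = set("""
AddVectoredExceptionHandler CloseHandle CreateEventA CreateFileA
CreateIoCompletionPort CreateThread CreateWaitableTimerA CreateWaitableTimerExW
DuplicateHandle ExitProcess FreeEnvironmentStringsW GetConsoleMode
GetEnvironmentStringsW GetProcAddress GetProcessAffinityMask
GetQueuedCompletionStatusEx GetStdHandle GetSystemDirectoryA GetSystemInfo
GetThreadContext LoadLibraryA LoadLibraryW PostQueuedCompletionStatus
ResumeThread SetConsoleCtrlHandler SetErrorMode SetEvent SetProcessPriorityBoost
SetThreadContext SetThreadPriority SetUnhandledExceptionFilter SetWaitableTimer
SuspendThread SwitchToThread TlsAlloc VirtualAlloc VirtualFree VirtualQuery
WaitForMultipleObjects WaitForSingleObject WriteConsoleW WriteFile
""".split())

# Capability clusters; a cluster counts only when all of its APIs are imported.
CAPABILITIES = {
    # Matches the report's NtSetContextThread / ResumeThread signatures.
    "thread_context_hijack": {"SuspendThread", "GetThreadContext",
                              "SetThreadContext", "ResumeThread"},
    # What a static cross-process write would need; absent here, so the
    # "writes executable memory into another process" behaviour came from
    # APIs resolved at run time rather than from the IAT.
    "remote_process_write": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
    "dynamic_api_resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    "exception_hooks": {"AddVectoredExceptionHandler", "SetUnhandledExceptionFilter"},
    "winsock": {"WSAStartup", "WSASocketW", "connect", "send", "recv"},
}

def parse_iat(text):
    """Return {dll: set(function)} from the report's IAT layout."""
    imports, dll = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"0x[0-9a-fA-F]+\s+(\w+)", line)
        if m and dll:
            imports[dll].add(m.group(1))
        elif line.lower().endswith(".dll"):
            dll = line.lower()
            imports.setdefault(dll, set())
    return imports

def capability_hits(imports):
    """Capability -> its API set, for clusters fully present in the IAT."""
    present = set().union(*imports.values())
    return {cap: apis for cap, apis in CAPABILITIES.items() if apis <= present}

def unexplained_by_go_runtime(imports):
    """kernel32 imports the Go runtime baseline does not account for."""
    return imports.get("kernel32.dll", set()) - GO_RUNTIME_KERNEL32

def triage(text):
    imports = parse_iat(text)
    leftover = unexplained_by_go_runtime(imports)
    # Only kernel32 present and every entry explained by the runtime: the
    # static view says "Go binary" and nothing about the payload.
    go_only = sorted(imports) == ["kernel32.dll"] and not leftover
    return {
        "dlls": sorted(imports),
        "capabilities": sorted(capability_hits(imports)),
        "unexplained_kernel32": sorted(leftover),
        "static_verdict": "go_runtime_only" if go_only else "review_imports",
    }

if __name__ == "__main__":
    for key, value in triage(IAT_TEXT).items():
        print(f"{key}: {value}")
```

Run as-is it reports thread_context_hijack, dynamic_api_resolution and exception_hooks as present but no unexplained kernel32 entry and a static verdict of go_runtime_only; feed it the IAT of a non-Go sample and the remote_process_write or winsock clusters, or the unexplained list, is where to look first. Treat the baseline as toolchain-specific and rebuild it from a known-good Go build rather than trusting the list above.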


