popup

Report - power.exe

RAT Emotet Gen2 Ave Maria WARZONE RAT Gen1 Generic Malware UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) .NET EXE PE32 PE File OS Processor Check DLL PE64 JPEG Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.03.22 17:32 Machine s1_win7_x6401
Filename power.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
10
 Behavior Score
11.2
ZERO API file : malware
VT API (file) 45 detected (AIDetectNet, ShortLoader, malicious, high confidence, MSILZilla, MsilFC, S22017452, score, Mokes, confidence, 100%, ZemsilF, in0@a8Cibil, Kryptik, Eldorado, Malcode, gdn33, DropperX, Udkl, MulDropNET, R002C0DCL23, moderate, ILAgent, Outbreak, AGEN, Detected, ai score=82, unsafe, AntiVM, CLASSIC, Static AI, Malicious PE, GenKryptik, FFMZ, GdSda)
md5 ba218b60cb97c3532b8b9c796d954622
sha256 8bee3d713fc207a8ca82e8eaf85396b55fcd29fe9214a83ce9399fa48ac4bd4b
ssdeep 24576:+DqJfHKurNTbvYkwdBd9BO3Oz1ITm+2Hd:+DIHKurdbvYDz5+2Hd
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (26cnts)

Level Description
danger File has been identified by 45 AntiVirus engines on VirusTotal as malicious
warning Uses WMI to create a new process
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process nbveek.exe
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (19cnts)

Level Name Description Collection
danger Ave_Maria_Zero Remote Access Trojan that is also called WARZONE RAT binaries (download)
danger Win32_Trojan_Emotet_1_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info Is_DotNET_EXE (no description) binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://77.73.134.27/8bmdh3Slb2/index.php
whois
KZ Fibre Optix LLC 77.73.134.27 26125 mailcious
http://77.73.134.27/8bmdh3Slb2/index.php?scr=1
whois
KZ Fibre Optix LLC 77.73.134.27 26125 mailcious
http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll
whois
KZ Fibre Optix LLC 77.73.134.27 26128 malware
http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll
whois
KZ Fibre Optix LLC 77.73.134.27 26126 malware
https://j.ffbbjjkk.com/logo.png
whois
US CLOUDFLARENET 104.21.8.227 28017 mailcious
https://j.ffbbjjkk.com/2701.html
whois
US CLOUDFLARENET 104.21.8.227 27926 mailcious
j.ffbbjjkk.com
whois
US CLOUDFLARENET 172.67.158.22 mailcious
77.73.134.27
whois
KZ Fibre Optix LLC 77.73.134.27 malware
104.21.8.227
whois
US CLOUDFLARENET 104.21.8.227 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Amadey CnC Check-In
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure