popup

Report - Pass_1234_Setup.rar

PWS[m] KeyLogger Escalate priviledges AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.03.23 15:26 Machine s1_win7_x6402
Filename Pass_1234_Setup.rar
Type RAR archive data, flags: EncryptedBlockHeader
AI Score Not founds Behavior Score
3.8
ZERO API file : clean
VT API (file)
md5 37262ca3a1d563877f4324ee75b6facb
sha256 14e911936266e9a1ef7d9368301a8d2cfcd1ed5d7876a01dac4f3f369f320797
ssdeep 196608:XWFSNRJkE2vO9wEW1P22lDIiVBsMuX4yWNHva5tg8V1WykHvx7WZ645gEg:X7NQp29wEiRDiMw4yWNHvetg8V1WykPp
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (11cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
whois
DE 23media GmbH 185.181.10.208 clean
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
whois
DE 23media GmbH 185.181.10.208 clean
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
whois
DE 23media GmbH 185.181.10.208 clean
http://185.181.10.208/
whois
DE 23media GmbH 185.181.10.208 clean
http://185.181.10.208/26556a0c2e4bbf69b06c173ce1681609
whois
DE 23media GmbH 185.181.10.208 clean
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
whois
DE 23media GmbH 185.181.10.208 clean
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
whois
DE 23media GmbH 185.181.10.208 clean
http://185.181.10.208/8e0966e25decf295f67dfe9904e292d5
whois
DE 23media GmbH 185.181.10.208 clean
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
whois
DE 23media GmbH 185.181.10.208 clean
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
whois
DE 23media GmbH 185.181.10.208 clean
185.181.10.208
whois
DE 23media GmbH 185.181.10.208 malware

Suricata ids

ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible Generic Stealer Sending System Information

Similarity measure (PE file only) - Checking for service failure