popup

Report - Date2023.exe

Gen1 UPX Malicious Packer Malicious Library AntiDebug AntiVM OS Processor Check PE32 PE File DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.03.27 10:51 Machine s1_win7_x6402
Filename Date2023.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
9
 Behavior Score
15.6
ZERO API file : clean
VT API (file) 29 detected (AIDetectNet, Lazy, malicious, confidence, Attribute, HighConfidence, high confidence, GenKryptik, GIAB, score, Trickster, PWSX, Artemis, Static AI, Suspicious PE, Vidar, Detected, ai score=80, Generic@AI, RDML, kcqdX4gt23bEYQQ5+CkU, ZexaF, av3@a4h7B4nO)
md5 f7fd4791be2e2624b7fbb1d91ab2f539
sha256 be82beca4c46e17fb1d4e7f23cf028f61b0d6e64d39146f31f1e7072ecf95fbe
ssdeep 6144:7GZnGSyQWFr8FG6d68UeCVMlVTgjwAaTJVM0ASpk4hHsbPZ0kuydk3CKxh4:aXy7YKxeCVgxJA0ASp2tA
imphash 330deb4fd4ea20960296eba72e2808ab
impfuzzy 24:cnDWVxn8vTLvWTzPtNbbDfJC4uamvAihABzAZhBSJL/ocAya+BbQLSQMu5FF:j8vTLv0zPtN1nYMF4+BMLSQMA
  Network IP location

Signature (35cnts)

Level Description
warning File has been identified by 29 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to detect Cuckoo Sandbox through the presence of a file
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
watch Detects VirtualBox using WNetGetProviderName trick
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Network activity contains more than one unique useragent
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (22cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (8cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://78.47.226.24/
whois
DE Hetzner Online GmbH 78.47.226.24 28063 mailcious
http://78.47.226.24/edit.zip
whois
DE Hetzner Online GmbH 78.47.226.24 28062 mailcious
https://steamcommunity.com/profiles/76561199486572327
whois
US Akamai International B.V. 184.26.243.205 28064 mailcious
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
steamcommunity.com
whois
US Akamai International B.V. 104.76.78.101 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
184.26.243.205
whois
US Akamai International B.V. 184.26.243.205 clean
78.47.226.24
whois
DE Hetzner Online GmbH 78.47.226.24 mailcious

Suricata ids

ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x403000 VirtualAlloc
 0x403004 VirtualFree
 0x403008 GetModuleHandleW
 0x40300c GetProcAddress
 0x403010 LoadResource
 0x403014 SizeofResource
 0x403018 FindResourceW
 0x40301c LoadLibraryA
 0x403020 GetConsoleWindow
 0x403024 GetSystemTimeAsFileTime
 0x403028 GetCurrentThreadId
 0x40302c GetCurrentProcessId
 0x403030 QueryPerformanceCounter
 0x403034 TerminateProcess
 0x403038 GetCurrentProcess
 0x40303c GetStartupInfoW
 0x403040 SetUnhandledExceptionFilter
 0x403044 UnhandledExceptionFilter
 0x403048 IsDebuggerPresent
 0x40304c IsProcessorFeaturePresent
 0x403050 InitializeSListHead
USER32.dll
 0x403058 ShowWindow
ucrtbase.dll
 0x4030ec _CxxThrowException
 0x4030f0 __std_exception_destroy
 0x4030f4 __std_exception_copy
 0x4030f8 memset
 0x4030fc memmove
 0x403100 memcpy
 0x403104 __current_exception_context
 0x403108 __current_exception
 0x40310c _except_handler4_common
api-ms-win-crt-runtime-l1-1-0.dll
 0x403084 _crt_atexit
 0x403088 _cexit
 0x40308c _set_app_type
 0x403090 _register_onexit_function
 0x403094 _configure_wide_argv
 0x403098 _initialize_wide_environment
 0x40309c _get_wide_winmain_command_line
 0x4030a0 _initterm
 0x4030a4 _initterm_e
 0x4030a8 exit
 0x4030ac _exit
 0x4030b0 _initialize_onexit_table
 0x4030b4 _seh_filter_exe
 0x4030b8 _register_thread_local_exe_atexit_callback
 0x4030bc _invalid_parameter_noinfo_noreturn
 0x4030c0 _c_exit
 0x4030c4 terminate
 0x4030c8 _controlfp_s
api-ms-win-crt-utility-l1-1-0.dll
 0x4030e4 rand
api-ms-win-crt-string-l1-1-0.dll
 0x4030dc strlen
api-ms-win-crt-heap-l1-1-0.dll
 0x403060 _set_new_mode
 0x403064 free
 0x403068 _callnewh
 0x40306c malloc
api-ms-win-crt-math-l1-1-0.dll
 0x40307c __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
 0x4030d0 __p__commode
 0x4030d4 _set_fmode
api-ms-win-crt-locale-l1-1-0.dll
 0x403074 _configthreadlocale

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure