popup

Report - buildz.exe

Loki_b Loki_m Gen1 Suspicious_Script_Bin Generic Malware Malicious Library UPX Malicious Packer DGA Socket DNS PWS[m] Http API Internet API ScreenShot Code injection AntiDebug AntiVM PE32 PE File OS Processor Check DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.04.21 18:02 Machine s1_win7_x6403
Filename buildz.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
3
 Behavior Score
19.2
ZERO API file : malware
VT API (file) 35 detected (AIDetect, malware1, malicious, high confidence, Babar, Stop, unsafe, Save, confidence, 100%, Kryptik, Eldorado, Attribute, HighConfidence, RansomX, Lockbit, high, score, Static AI, Malicious PE, Detected, ai score=81, Sabsik, R572924, Buzus, MachineLearning, Anomalous, Generic@AI, RDML, bErCcEhhxqsr9l, TKXQXXg, susgen)
md5 2649cbcef1838339d91cd7ff59ef3208
sha256 90c47829618b19477a16b38958940a62f9bd15378af79cf8d901d500e7bf873f
ssdeep 12288:Jx8cIUH99BUG06tM3Q90x9megGZvT56syEMsc8QSVFgl51p:JvBrpM3Q9sTgyIE09xlz
imphash d94218f415b3162693a81fce6a20ce58
impfuzzy 24:2Cu19y8bdDcDmTBX10Kbzvd2ibLOov7k3J3ttmMcfplOFQ8RyvpRT4BsQ8tK0Q3:/ayGBX1Hb69tt/cfp/bcBn8tK0Q3
  Network IP location

Signature (42cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process buildz.exe
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path
info Tries to locate where the browsers are installed

Rules (31cnts)

Level Name Description Collection
danger Win32_PWS_Loki_Zero Win32 PWS Loki memory
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Suspicious_Obfuscation_Script_2 Suspicious obfuscation script (e.g. executable files) binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (16cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://116.203.7.73/install.zip
whois
DE Hetzner Online GmbH 116.203.7.73 clean
http://zexeq.com/files/1/build3.exe
whois
RO Telekom Romania Communication S.A 109.98.58.98 27913 malware
http://colisumy.com/dl/build2.exe
whois
HU Telenor Hungary plc 84.224.34.240 malware
http://zexeq.com/raud/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
whois
RO Telekom Romania Communication S.A 109.98.58.98 clean
http://116.203.7.73/
whois
DE Hetzner Online GmbH 116.203.7.73 clean
https://steamcommunity.com/profiles/76561199497218285
whois
US Akamai International B.V. 184.26.243.205 clean
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
steamcommunity.com
whois
US Akamai International B.V. 23.198.103.114 mailcious
api.2ip.ua
whois
CA ACP 162.0.217.254 clean
colisumy.com
whois
KR SK Broadband Co Ltd 175.126.109.15 malware
zexeq.com
whois
BG Videosat 21 Vek OOD 95.158.162.200 malware
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
95.158.162.200
whois
BG Videosat 21 Vek OOD 95.158.162.200 mailcious
184.26.243.205
whois
US Akamai International B.V. 184.26.243.205 clean
162.0.217.254
whois
CA ACP 162.0.217.254 clean
116.203.7.73
whois
DE Hetzner Online GmbH 116.203.7.73 clean

Suricata ids

ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO TLS Handshake Failure
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Dotted Quad Host ZIP Request

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x40100c ScrollConsoleScreenBufferW
 0x401010 AddConsoleAliasW
 0x401014 UnlockFile
 0x401018 GetLogicalDrives
 0x40101c GetModuleHandleW
 0x401020 GetConsoleTitleA
 0x401024 EnumTimeFormatsA
 0x401028 EnumTimeFormatsW
 0x40102c EnumResourceTypesA
 0x401030 FindResourceExA
 0x401034 GlobalAlloc
 0x401038 LoadLibraryW
 0x40103c GetStringTypeExW
 0x401040 GetFileAttributesA
 0x401044 FindNextVolumeW
 0x401048 EnumSystemLocalesA
 0x40104c GlobalUnfix
 0x401050 GetProfileIntA
 0x401054 GetLastError
 0x401058 GetProcAddress
 0x40105c VirtualAlloc
 0x401060 WriteProfileSectionA
 0x401064 CreateMemoryResourceNotification
 0x401068 _hwrite
 0x40106c SetThreadPriorityBoost
 0x401070 LoadLibraryA
 0x401074 WriteConsoleA
 0x401078 BeginUpdateResourceA
 0x40107c WaitForMultipleObjects
 0x401080 CreateMailslotA
 0x401084 VirtualProtect
 0x401088 OpenEventW
 0x40108c GetCPInfoExA
 0x401090 GetWindowsDirectoryW
 0x401094 AddConsoleAliasA
 0x401098 EnumCalendarInfoExA
 0x40109c TlsFree
 0x4010a0 RtlUnwind
 0x4010a4 FindFirstChangeNotificationW
 0x4010a8 HeapSize
 0x4010ac CreateFileA
 0x4010b0 MultiByteToWideChar
 0x4010b4 Sleep
 0x4010b8 ExitProcess
 0x4010bc GetCommandLineA
 0x4010c0 GetStartupInfoA
 0x4010c4 GetCPInfo
 0x4010c8 InterlockedIncrement
 0x4010cc InterlockedDecrement
 0x4010d0 GetACP
 0x4010d4 GetOEMCP
 0x4010d8 IsValidCodePage
 0x4010dc TlsGetValue
 0x4010e0 TlsAlloc
 0x4010e4 TlsSetValue
 0x4010e8 SetLastError
 0x4010ec GetCurrentThreadId
 0x4010f0 TerminateProcess
 0x4010f4 GetCurrentProcess
 0x4010f8 UnhandledExceptionFilter
 0x4010fc SetUnhandledExceptionFilter
 0x401100 IsDebuggerPresent
 0x401104 HeapAlloc
 0x401108 HeapFree
 0x40110c WriteFile
 0x401110 GetStdHandle
 0x401114 GetModuleFileNameA
 0x401118 DeleteCriticalSection
 0x40111c LeaveCriticalSection
 0x401120 EnterCriticalSection
 0x401124 InitializeCriticalSectionAndSpinCount
 0x401128 FreeEnvironmentStringsA
 0x40112c GetEnvironmentStrings
 0x401130 FreeEnvironmentStringsW
 0x401134 WideCharToMultiByte
 0x401138 GetEnvironmentStringsW
 0x40113c SetHandleCount
 0x401140 GetFileType
 0x401144 HeapCreate
 0x401148 VirtualFree
 0x40114c QueryPerformanceCounter
 0x401150 GetTickCount
 0x401154 GetCurrentProcessId
 0x401158 GetSystemTimeAsFileTime
 0x40115c LCMapStringA
 0x401160 LCMapStringW
 0x401164 GetStringTypeA
 0x401168 GetStringTypeW
 0x40116c GetLocaleInfoA
 0x401170 HeapReAlloc
USER32.dll
 0x401178 GetWindowLongA
 0x40117c SetCaretPos
 0x401180 RegisterClassA
 0x401184 CharLowerBuffW
GDI32.dll
 0x401000 GetCharWidthW
 0x401004 GetCharABCWidthsI

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure