popup

Report - File_pass1234.7z

PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.05.12 10:02 Machine s1_win7_x6402
Filename File_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
5.8
ZERO API file : malware
VT API (file)
md5 f12cefd0ab30a148d0d24f8b2db51554
sha256 8f9ac4f621de20155d829c616885025b1914fe0ca8a32d0288a5cda2ef12b17b
ssdeep 98304:iLiFTXLZXYoaAFXUVHMMAKMshsyL83zQJstVM1qL9Ae1rQba:iW57tFapldphsyQ3M+tlHF8a
imphash
impfuzzy
  Network IP location

Signature (12cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (47cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
http://85.208.136.10/api/firegate.php
whois
DE CMCS 85.208.136.10 clean
http://ji.uiasehgjj.com/m/ppls25.exe
whois
US CLOUDFLARENET 172.67.135.176 malware
http://209.250.254.249:3002/
whois
NL AS-CHOOPA 209.250.254.249 clean
http://109.206.243.208/1.exe
whois
Unknown 109.206.243.208 malware
http://5.181.80.133/api/tracemap.php
whois
BG Telehouse EAD 5.181.80.133 clean
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.215.67 clean
http://85.208.136.10/api/tracemap.php
whois
DE CMCS 85.208.136.10 clean
https://vk.com/doc797927207_660207612?hash=FSzZrKgaoQ4kHJpBkwwrcecQ1khON4e6uLnZZ4noFRc&dl=G44TOOJSG4ZDANY:1683818285:xjgWZ6U0zK8yMG56wSqaiurXm91s5Hva9jN75V78dpc&api=1&no_preview=1#L1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://sun6-20.userapi.com/c237331/u797927207/docs/d32/3b1562a610ff/AppLaunch.bmp?extra=JaJH0yubp6SiGMgQe6iQVtfr1GI70sFVas0bPqPOE1JgQPjQJeqc1JgcP7Vq06u_i8BJolccNfQmB4JVHlrkyw76zX1E9nDnBtN_Yc3_Z9h2uiwH-vfs0GCPy9mOftnGajBWUN9EdZ3VblhQOQ
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.78 clean
https://vk.com/doc797927207_659790319?hash=Yh4Zq10yI5sCv0Hozhs9Au2WzOHbviNeMCJ7fr1FFhg&dl=G44TOOJSG4ZDANY:1683130808:PeAzMOcy5CuRuNl362YRUH2t3JWVdZZHlGFYTsqzuwo&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://sun6-21.userapi.com/c235131/u797927207/docs/d5/08764869d62d/asca1ex.bmp?extra=vqNkGdJUx9Ty6qIhbKHtHm-uvSM7pFAB70mGC-hwXtKeLLhMapHhAdWQp5Mhx3VaUG7ygp_A9SH2P8-3DGJUQZuEyrxPDUB1vgU0Ra1SDEQ6-E0IS8eW7sWYLJoVk2tVh62ovw_1x8tWIpf3-Q
whois
RU VKontakte Ltd 95.142.206.1 clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.5.15 clean
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.4.15 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://vk.com/doc797927207_660158521?hash=CHoeq50dJohH7piMcIhWPTP8SZy13EEVPQr7nouPkeP&dl=G44TOOJSG4ZDANY:1683737741:EB7omsUVCkf03zctqWFhwJvAFNZLeHtx8gkUGk2PVDg&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.78 clean
https://sun6-20.userapi.com/c237231/u797927207/docs/d22/96329d1f2388/OriginalBuild.bmp?extra=wOQ0KkKvahESe2lcf4Z08mPMWxbrBrypeJGVgVKu4T7N-NXXMnRZCHlfbPtzIoPsAhYWS42eeMFfkSuWfqJygSWjaYYlF8BLVc6w7A0kxdFKuCDAlMThzV6x3QG-8rMtL4D6kL2rwHFhWIT1-Q
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc797927207_660166827?hash=S9d1LRpKkBqqaTTkzFYojvcJ3L3a8zzgjeJXmhRuRB8&dl=G44TOOJSG4ZDANY:1683746472:NUGgowD5mgwGUbp3JvSIkoB9wFYDzijcgoJB26mzagH&api=1&no_preview=1#orig5
whois
RU VKontakte Ltd 87.240.132.78 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 clean
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
ji.uiasehgjj.com
whois
US CLOUDFLARENET 104.21.7.34 malware
www.maxmind.com
whois
US CLOUDFLARENET 104.17.214.67 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 clean
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
vk.com
whois
RU VKontakte Ltd 87.240.129.133 clean
109.206.243.208
whois
Unknown 109.206.243.208 malware
45.12.253.74
whois
DE CMCS 45.12.253.74 malware
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 clean
172.67.135.176
whois
US CLOUDFLARENET 172.67.135.176 malware
163.123.143.4
whois
Unknown 163.123.143.4 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 clean
87.240.132.78
whois
RU VKontakte Ltd 87.240.132.78 clean
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
5.181.80.133
whois
BG Telehouse EAD 5.181.80.133 clean
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
85.208.136.10
whois
DE CMCS 85.208.136.10 clean
94.131.106.196
whois
UA Netassist Limited 94.131.106.196 mailcious
176.113.115.239
whois
RU OOO Network of data-centers Selectel 176.113.115.239 malware
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
104.17.214.67
whois
US CLOUDFLARENET 104.17.214.67 clean
209.250.254.249
whois
NL AS-CHOOPA 209.250.254.249 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO URL Shortening Service Domain in DNS Lookup (vk .com)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP

Similarity measure (PE file only) - Checking for service failure