popup

Report - ProtonVPN.exe

Gen1 Gen2 UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 DLL JPEG Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.05.14 17:32 Machine s1_win7_x6403
Filename ProtonVPN.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
12.4
ZERO API file : malware
VT API (file) 44 detected (AIDetectMalware, Inject4, Jaik, Vahx, malicious, ZexaF, qHY@aW3B1Zdi, Attribute, HighConfidence, high confidence, Kryptik, HSNW, score, PWSX, Bujl, AGEN, RACCOONSTEALER, YXDEMZ, Outbreak, Redline, Raccoon, Detected, GenericRXVX, ai score=83, unsafe, GdSda, 9acJnicLi4S, Static AI, Suspicious PE, susgen, ESSM, confidence, 100%)
md5 d8560a7c131d8313f0f95e49e1aa0b73
sha256 7e59452c10d407a0ec3a91d67ef93acdd56b8070f57904fc26656883f12d07d0
ssdeep 6144:Kqlq7ttfNq5vdvlomq+kc5SAOHFLSq4hZ/b+W6tKM5E5pe:K0q7ttfo5vvSLmq4b+WLpe
imphash e63b73c706e10ce7898e28c3d495b696
impfuzzy 24:LD9PdcpVWZYtMS14GhlJBl3ELoEOovbO3gv9FZ8GMA+EZHu93:HcpVeYtMS14GnpSc3y9FZS
  Network IP location

Signature (27cnts)

Level Description
danger File has been identified by 44 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process regsvcs.exe
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (22cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)

Network (11cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://165.232.118.86/
whois
Unknown 165.232.118.86 clean
http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
whois
Unknown 165.232.118.86 clean
http://165.232.118.86/498c5e808a95e0c9bc9684b0df2e9aaa
whois
Unknown 165.232.118.86
http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
whois
Unknown 165.232.118.86 clean
http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
whois
Unknown 165.232.118.86
http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
whois
Unknown 165.232.118.86 clean
http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
whois
Unknown 165.232.118.86 clean
http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
whois
Unknown 165.232.118.86 clean
http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
whois
Unknown 165.232.118.86 clean
165.232.118.86
whois
Unknown 165.232.118.86 clean
208.95.112.1
whois
US TUT-AS 208.95.112.1 clean

Suricata ids

ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible Generic Stealer Sending System Information
ET HUNTING Possible Generic Stealer Sending a Screenshot

PE API

IAT(Import Address Table) Library

USER32.dll
 0x427140 DdeQueryNextServer
KERNEL32.dll
 0x427000 GetProcAddress
 0x427004 CreateFileW
 0x427008 GetModuleHandleA
 0x42700c FreeConsole
 0x427010 QueryProcessCycleTime
 0x427014 SetCommConfig
 0x427018 MultiByteToWideChar
 0x42701c GetStringTypeW
 0x427020 WideCharToMultiByte
 0x427024 EnterCriticalSection
 0x427028 LeaveCriticalSection
 0x42702c InitializeCriticalSectionEx
 0x427030 DeleteCriticalSection
 0x427034 EncodePointer
 0x427038 DecodePointer
 0x42703c LCMapStringEx
 0x427040 GetCPInfo
 0x427044 UnhandledExceptionFilter
 0x427048 SetUnhandledExceptionFilter
 0x42704c GetCurrentProcess
 0x427050 TerminateProcess
 0x427054 IsProcessorFeaturePresent
 0x427058 QueryPerformanceCounter
 0x42705c GetCurrentProcessId
 0x427060 GetCurrentThreadId
 0x427064 GetSystemTimeAsFileTime
 0x427068 InitializeSListHead
 0x42706c IsDebuggerPresent
 0x427070 GetStartupInfoW
 0x427074 GetModuleHandleW
 0x427078 HeapSize
 0x42707c RaiseException
 0x427080 RtlUnwind
 0x427084 GetLastError
 0x427088 SetLastError
 0x42708c InitializeCriticalSectionAndSpinCount
 0x427090 TlsAlloc
 0x427094 TlsGetValue
 0x427098 TlsSetValue
 0x42709c TlsFree
 0x4270a0 FreeLibrary
 0x4270a4 WriteConsoleW
 0x4270a8 LoadLibraryExW
 0x4270ac GetStdHandle
 0x4270b0 WriteFile
 0x4270b4 GetModuleFileNameW
 0x4270b8 ExitProcess
 0x4270bc GetModuleHandleExW
 0x4270c0 GetCommandLineA
 0x4270c4 GetCommandLineW
 0x4270c8 HeapAlloc
 0x4270cc HeapFree
 0x4270d0 GetFileType
 0x4270d4 CompareStringW
 0x4270d8 LCMapStringW
 0x4270dc GetLocaleInfoW
 0x4270e0 IsValidLocale
 0x4270e4 GetUserDefaultLCID
 0x4270e8 EnumSystemLocalesW
 0x4270ec GetFileSizeEx
 0x4270f0 SetFilePointerEx
 0x4270f4 CloseHandle
 0x4270f8 FlushFileBuffers
 0x4270fc GetConsoleOutputCP
 0x427100 GetConsoleMode
 0x427104 ReadFile
 0x427108 HeapReAlloc
 0x42710c FindClose
 0x427110 FindFirstFileExW
 0x427114 FindNextFileW
 0x427118 IsValidCodePage
 0x42711c GetACP
 0x427120 GetOEMCP
 0x427124 GetEnvironmentStringsW
 0x427128 FreeEnvironmentStringsW
 0x42712c SetEnvironmentVariableW
 0x427130 SetStdHandle
 0x427134 GetProcessHeap
 0x427138 ReadConsoleW

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure