Report - crypted.exe

Tags: UPX, Malicious Library, Malicious Packer, OS Processor Check, PE File, PE32
Created: 2023.05.19 18:00
Machine: s1_win7_x6401
Filename: crypted.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 11
Behavior Score: 7.2
ZERO API (file): malware
VT API (file): 31 detected (AIDetectMalware, Vrj9, ZexaCO, tyW@ae2292b, Attribute, HighConfidence, malicious, high confidence, score, Stealerc, SpywareX, LUMMASTEALER, YXDERZ, high, Static AI, Suspicious PE, Wacatac, Artemis, unsafe, Generic@AI, RDML, E0JJoVcY3LtI35Qc4Miw, confidence)
md5: cd4121ea74cbd684bdf3a08c0aaf54a4
sha256: 4ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782
ssdeep: 6144:oIh0zAu3vOiefUQH3PDKcL90ICtZRIfNJcqTJt2e83Kvixc9Ai2kNND80:o+0cu3vOiX0qIsZRIfjcqdt2e83KSC5N
imphash: f4ad1b5fcf2cae19f0918ba11a4e52c9
impfuzzy: 48:UqQCQx3LOn1Gg44rphCbw7O6YHOqyv9DD4rz0F5bMw:PQCQNOn17DrphB7O6YHrO

Signatures (16 counts)

Level  | Description
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious
watch  | Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch  | Attempts to access Bitcoin/ALTCoin wallets
watch  | Collects information about installed applications
watch  | Communicates with host for which no DNS query was performed
watch  | Detects Virtual Machines through their custom firmware
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice | One or more potentially interesting buffers were extracted
notice | Performs some HTTP requests
notice | Queries for potentially installed applications
notice | Sends data using the HTTP POST Method
notice | Steals private information from local Internet browsers
info   | Checks if process is being debugged by a debugger
info   | Queries for the computername
info   | The executable contains unknown PE section names indicative of a packer (could be a false positive)
info   | Tries to locate where the browsers are installed

Rules (6 counts)

Level | Name                    | Description            | Collection
watch | Malicious_Library_Zero  | Malicious_Library      | binaries (upload)
watch | Malicious_Packer_Zero   | Malicious Packer       | binaries (upload)
watch | UPX_Zero                | UPX packed file        | binaries (upload)
info  | IsPE32                  | (no description)       | binaries (upload)
info  | OS_Processor_Check_Zero | OS Processor Check     | binaries (upload)
info  | PE_Header_Zero          | PE File Signature      | binaries (upload)

Network (2 counts)

Request                       | CC | ASN Co          | IP4            | Rule  | ZERO
http://185.99.133.246/c2sock  | NZ | Zappie Host LLC | 185.99.133.246 | 33485 | malicious
185.99.133.246                | NZ | Zappie Host LLC | 185.99.133.246 |       | malicious

Suricata IDs

PE API

IAT (Import Address Table) by library

KERNEL32.dll
 0x44bf90 CloseHandle
 0x44bf94 CompareStringW
 0x44bf98 CreateFileW
 0x44bf9c DecodePointer
 0x44bfa0 DeleteCriticalSection
 0x44bfa4 EncodePointer
 0x44bfa8 EnterCriticalSection
 0x44bfac ExitProcess
 0x44bfb0 FindAtomA
 0x44bfb4 FindAtomW
 0x44bfb8 FindClose
 0x44bfbc FindFirstFileExW
 0x44bfc0 FindNextFileW
 0x44bfc4 FindResourceA
 0x44bfc8 FindResourceW
 0x44bfcc FlushFileBuffers
 0x44bfd0 FreeEnvironmentStringsW
 0x44bfd4 FreeLibrary
 0x44bfd8 GetACP
 0x44bfdc GetCPInfo
 0x44bfe0 GetCommandLineA
 0x44bfe4 GetCommandLineW
 0x44bfe8 GetComputerNameA
 0x44bfec GetComputerNameW
 0x44bff0 GetConsoleMode
 0x44bff4 GetConsoleOutputCP
 0x44bff8 GetCurrentDirectoryA
 0x44bffc GetCurrentDirectoryW
 0x44c000 GetCurrentProcess
 0x44c004 GetCurrentProcessId
 0x44c008 GetCurrentThreadId
 0x44c00c GetEnvironmentStringsW
 0x44c010 GetFileSizeEx
 0x44c014 GetFileType
 0x44c018 GetLastError
 0x44c01c GetLocalTime
 0x44c020 GetModuleFileNameW
 0x44c024 GetModuleHandleExW
 0x44c028 GetModuleHandleW
 0x44c02c GetOEMCP
 0x44c030 GetProcAddress
 0x44c034 GetProcessHeap
 0x44c038 GetProcessId
 0x44c03c GetStartupInfoW
 0x44c040 GetStdHandle
 0x44c044 GetStringTypeW
 0x44c048 GetSystemTimeAsFileTime
 0x44c04c GetTickCount64
 0x44c050 GetTimeZoneInformation
 0x44c054 GetUserDefaultLangID
 0x44c058 GetUserDefaultUILanguage
 0x44c05c HeapAlloc
 0x44c060 HeapDestroy
 0x44c064 HeapFree
 0x44c068 HeapReAlloc
 0x44c06c HeapSize
 0x44c070 InitializeCriticalSectionAndSpinCount
 0x44c074 InitializeSListHead
 0x44c078 IsDebuggerPresent
 0x44c07c IsProcessorFeaturePresent
 0x44c080 IsValidCodePage
 0x44c084 LCMapStringW
 0x44c088 LeaveCriticalSection
 0x44c08c LoadLibraryA
 0x44c090 LoadLibraryExW
 0x44c094 LoadLibraryW
 0x44c098 MultiByteToWideChar
 0x44c09c OpenMutexA
 0x44c0a0 OpenMutexW
 0x44c0a4 OutputDebugStringA
 0x44c0a8 OutputDebugStringW
 0x44c0ac QueryPerformanceCounter
 0x44c0b0 RaiseException
 0x44c0b4 ReadConsoleW
 0x44c0b8 ReadFile
 0x44c0bc RtlUnwind
 0x44c0c0 SetEndOfFile
 0x44c0c4 SetEnvironmentVariableW
 0x44c0c8 SetFilePointerEx
 0x44c0cc SetLastError
 0x44c0d0 SetStdHandle
 0x44c0d4 SetUnhandledExceptionFilter
 0x44c0d8 Sleep
 0x44c0dc TerminateProcess
 0x44c0e0 TlsAlloc
 0x44c0e4 TlsFree
 0x44c0e8 TlsGetValue
 0x44c0ec TlsSetValue
 0x44c0f0 UnhandledExceptionFilter
 0x44c0f4 VirtualQuery
 0x44c0f8 WideCharToMultiByte
 0x44c0fc WriteConsoleW
 0x44c100 WriteFile
 0x44c104 lstrcatW
 0x44c108 lstrcmpW
 0x44c10c lstrcmpiW
 0x44c110 lstrlenW
ADVAPI32.dll
 0x44c118 GetUserNameW
 0x44c11c RegCloseKey
 0x44c120 RegEnumKeyExW
 0x44c124 RegOpenKeyExW
 0x44c128 RegQueryValueExW
USER32.dll
 0x44c130 EnumDisplayDevicesA
 0x44c134 FindWindowA
 0x44c138 FindWindowW
 0x44c13c GetActiveWindow
 0x44c140 GetCursorPos
 0x44c144 GetDC
 0x44c148 GetDesktopWindow
 0x44c14c GetForegroundWindow
 0x44c150 GetSystemMetrics
 0x44c154 ReleaseDC
 0x44c158 SystemParametersInfoW
 0x44c15c wsprintfW
GDI32.dll
 0x44c164 BitBlt
 0x44c168 CreateCompatibleBitmap
 0x44c16c CreateCompatibleDC
 0x44c170 CreateDCW
 0x44c174 DeleteDC
 0x44c178 DeleteObject
 0x44c17c GetDIBits
 0x44c180 GetObjectW
 0x44c184 SelectObject

EAT (Export Address Table): none