popup

Report - File.7z

MPRESS PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.05.24 18:43 Machine s1_win7_x6402
Filename File.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
4.2
ZERO API file : clean
VT API (file) 3 detected (GenInflated, Psmw, ai score=63)
md5 6eaee08cad156f12d3c3fbe4329c5d81
sha256 e3481f41543f3753f9f2cbbfe5dc965c1dbd139fb289a18f2ced44d03ba1d01a
ssdeep 98304:nbZICm+xi27IAnvsHkgUhCvmf7nHX0c2wFb/KQIbf/52eFtzMIXokcA1g:i+xeAvsHxU/HX/qbf/5xGxMg
imphash
impfuzzy
  Network IP location

Signature (11cnts)

Level Description
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice File has been identified by 3 AntiVirus engines on VirusTotal as malicious
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (12cnts)

Level Name Description Collection
watch MPRESS_Zero MPRESS packed file binaries (upload)
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (18cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://85.208.136.10/api/tracemap.php
whois
DE CMCS 85.208.136.10 32662 mailcious
http://208.67.104.60/api/tracemap.php
whois
Unknown 208.67.104.60 28876 mailcious
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.214.67 clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.4.15 clean
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.5.15 clean
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
db-ip.com
whois
US CLOUDFLARENET 172.67.75.166 clean
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
www.maxmind.com
whois
US CLOUDFLARENET 104.17.214.67 clean
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
104.17.215.67
whois
US CLOUDFLARENET 104.17.215.67 clean
85.208.136.10
whois
DE CMCS 85.208.136.10 mailcious
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
208.67.104.60
whois
Unknown 208.67.104.60 mailcious
104.17.214.67
whois
US CLOUDFLARENET 104.17.214.67 clean

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure