popup

Report - Install_pass1234.7z

PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.07 13:34 Machine s1_win7_x6402
Filename Install_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
6.2
ZERO API file : malware
VT API (file) 7 detected (GenericKD, Artemis, ai score=88)
md5 21c1b0f8d03d57065b96c639b518886d
sha256 8ce980c43fbee922c595727205b1b0b1c329cc907b99c84d789f81d0ffbf23bc
ssdeep 98304:gklv/OJiH+Dv4GmfPZKc88XDFcSnhHAEiAfYvReaQhkAtCfQ4/HowGNv/:gklvWJiH+r4zPZKcVLiyDaQqAtCf7wwc
imphash
impfuzzy
  Network IP location

Signature (13cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice File has been identified by 7 AntiVirus engines on VirusTotal as malicious
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (63cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://5.42.199.15/7381b0eb2134edfd/msvcp140.dll
whois
IQ Midya Telecom for telecommunications-LTD 5.42.199.15 clean
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660 malware
http://5.42.199.15/7381b0eb2134edfd/sqlite3.dll
whois
IQ Midya Telecom for telecommunications-LTD 5.42.199.15 clean
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://85.208.136.10/api/firegate.php
whois
DE CMCS 85.208.136.10 32663 mailcious
http://5.42.199.15/14387668e1174a87.php
whois
IQ Midya Telecom for telecommunications-LTD 5.42.199.15 34035 mailcious
http://ji.jahhaega2qq.com/m/p0aw25.exe
whois
US CLOUDFLARENET 172.67.182.87 33779 malware
http://5.42.199.15/7381b0eb2134edfd/softokn3.dll
whois
IQ Midya Telecom for telecommunications-LTD 5.42.199.15 clean
http://5.42.199.15/7381b0eb2134edfd/nss3.dll
whois
IQ Midya Telecom for telecommunications-LTD 5.42.199.15 clean
http://5.42.199.15/7381b0eb2134edfd/vcruntime140.dll
whois
IQ Midya Telecom for telecommunications-LTD 5.42.199.15 clean
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.215.67 clean
http://5.42.199.15/7381b0eb2134edfd/mozglue.dll
whois
IQ Midya Telecom for telecommunications-LTD 5.42.199.15 clean
http://194.169.175.124:3002/
whois
Unknown 194.169.175.124 34039 malware
http://83.97.73.128/gallery/photo430.exe
whois
DE Limitless Mobile GmbH 83.97.73.128 34041 malware
http://85.208.136.10/api/tracemap.php
whois
DE CMCS 85.208.136.10 32662 mailcious
http://5.42.199.15/7381b0eb2134edfd/freebl3.dll
whois
IQ Midya Telecom for telecommunications-LTD 5.42.199.15 clean
https://vk.com/doc228185173_661153352?hash=xdfz7khDaKTZuZfc6eD4kR51HKXjFRBzEoWcJb9wBhL&dl=Pr7rOMXa0zgLcM5qJA9Lq5jiCwQPKFqjLmym9agLrzz&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.129.133 clean
https://vk.com/doc800513317_661831941?hash=kC1U4OLCAYMUhVtMfoutYSzDrY3EsJWFVrzp6QPGPus&dl=7914u1IpemjZrAZ1e75d2G0XzBQ90WsmERXsgDjYTgL&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.129.133 mailcious
https://sun6-22.userapi.com/c235131/u228185173/docs/d18/dcefed7742fe/stcr.bmp?extra=4cMjfsrflUnXqTTqcGy751WstwtljmtnZqSkHC6RZDy1n2v9t-pL7VgO6HA-9WXpkbUJzdkxTDPBcX-hOAbII9gt79CQLL7ldZtFjYp6g0gjQIpYUrezqnYQwJROQ7WCK9Y4yNSKOrSY61YE8g
whois
RU VKontakte Ltd 95.142.206.2 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.129.133 mailcious
https://vk.com/doc228185173_661170695?hash=0L1uaqPVMU921w2pmJcrwQkDyu94h0wjzS3p0ld9R4D&dl=kstr1dyAL1ZXBFBl1qg66UJerdx2DZWJ9uOQs1kXZ0T&api=1&no_preview=1#str
whois
RU VKontakte Ltd 87.240.129.133 clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.5.15 clean
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.5.15 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.129.133 mailcious
https://sun6-23.userapi.com/c235031/u228185173/docs/d2/fa132fba0b7e/buddha.bmp?extra=gRm798kslBaPtRgOAU2D2epFH3ralLJDqzZ37rqKiRAkxV_ocXkFtXAJpSKj_NRdFtLsl280XXYcBIyXTXGXiParMUQ3ahHzvY62RCjMY4tY-vBPNA-1yTJAtku6p8bfbfR3TR-8eYavxErefA
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc791620691_664710492?hash=j27Vxz0stfSxJXNlzmz602vSgZ0IXBoi9ZZq9syJVkT&dl=Sw3eQffdQH4eEi2robhrPmVXjMf9ExmZT9V02woFQ2k&api=1&no_preview=1#WW1
whois
RU VKontakte Ltd 87.240.129.133 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.129.133 mailcious
https://sun6-21.userapi.com/c240331/u800513317/docs/d20/47ed28b3afbb/PMp123a.bmp?extra=1mMgqmSMjVjqw0R3iI2gcBuuz3j4HzJcVCwS6ZNN2RNLYRVBKnzkbEX3B3wTBN6X_tUum6G61hOC4Wim4Ef_V6rIdysx5OFZk3o_ZAxk7zo8YiNEOrmKxi_YMgNjUlPEjLd8VxkUWVxlSLN7Cw
whois
RU VKontakte Ltd 95.142.206.1 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
ji.jahhaega2qq.com
whois
US CLOUDFLARENET 104.21.18.146 malware
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 clean
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 clean
www.maxmind.com
whois
US CLOUDFLARENET 104.17.215.67 clean
vk.com
whois
RU VKontakte Ltd 87.240.132.78 mailcious
api.db-ip.com
whois
US CLOUDFLARENET 172.67.75.166 clean
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
104.17.215.67
whois
US CLOUDFLARENET 104.17.215.67 clean
83.97.73.128
whois
DE Limitless Mobile GmbH 83.97.73.128 malware
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
87.240.129.133
whois
RU VKontakte Ltd 87.240.129.133 mailcious
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
157.254.164.98
whois
Unknown 157.254.164.98 mailcious
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
172.67.182.87
whois
US CLOUDFLARENET 172.67.182.87 malware
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
45.12.253.74
whois
DE CMCS 45.12.253.74 malware
5.42.199.15
whois
IQ Midya Telecom for telecommunications-LTD 5.42.199.15 mailcious
194.169.175.124
whois
Unknown 194.169.175.124 malware
104.17.214.67
whois
US CLOUDFLARENET 104.17.214.67 clean
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
147.135.231.58
whois
FR OVH SAS 147.135.231.58 clean
163.123.143.4
whois
Unknown 163.123.143.4 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 clean
85.208.136.10
whois
DE CMCS 85.208.136.10 mailcious
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO EXE - Served Attached HTTP
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting Screenshot to C2

Similarity measure (PE file only) - Checking for service failure