popup

Report - File_pass1234.7z

PWS Escalate priviledges KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.21 13:11 Machine s1_win7_x6402
Filename File_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
6.2
ZERO API file : clean
VT API (file)
md5 925bad98f5262b9221631e9a52312aa1
sha256 64944cfc4d51be400430539e20c309a26a840d6d39021e04e8b3e7f040c21af8
ssdeep 98304:edMcHX9s/ObDdyTl94LYacEeZTGkt5riUcLOcE:e2cHX2WHdDpeZyGCE
imphash
impfuzzy
  Network IP location

Signature (13cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (113cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://208.67.104.60/api/firegate.php
whois
Unknown 208.67.104.60 34253 mailcious
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660 malware
http://208.67.104.60/api/tracemap.php
whois
Unknown 208.67.104.60 28876 mailcious
http://as.imgjeoigaa.com/check/?sid=544580&key=00dad2550544c1c3a8f7c677d0d0b7cf
whois
HK HK Kwaifong Group Limited 39.109.117.57 34487 mailcious
http://185.159.129.168/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys
whois
RU IT Outsourcing LLC 185.159.129.168 34348 mailcious
http://as.imgjeoigaa.com/check/?sid=544558&key=c1e610015ceed346861ca8b729609bda
whois
HK HK Kwaifong Group Limited 39.109.117.57 34487 mailcious
http://www.microsoft.com/
whois
US AKAMAI-AS 23.36.221.62 clean
http://as.imgjeoigaa.com/check/safe
whois
HK HK Kwaifong Group Limited 39.109.117.57 33483 mailcious
http://77.91.68.63/DSC01491/fotod85.exe
whois
RU Foton Telecom CJSC 77.91.68.63 34450 malware
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://icanhazip.com/
whois
US CLOUDFLARENET 104.18.114.97 clean
http://83.97.73.131/gallery/photo221.exe
whois
DE Limitless Mobile GmbH 83.97.73.131 34350 malware
http://ji.jahhaega2qq.com/m/p0aw25.exe
whois
US CLOUDFLARENET 172.67.182.87 33779 malware
http://45.9.74.80/undoo.exe
whois
Unknown 45.9.74.80 34507 malware
http://194.169.175.132:3002/
whois
Unknown 194.169.175.132 malware
http://77.91.68.63/doma/net/index.php
whois
RU Foton Telecom CJSC 77.91.68.63 34361 mailcious
http://94.142.138.131/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.131 28311 mailcious
http://45.9.74.80/0bjdn2Z/index.php
whois
Unknown 45.9.74.80 26790 mailcious
http://us.imgjeoigaa.com/sts/imagc.jpg
whois
HK HK Kwaifong Group Limited 154.221.19.146 33482 mailcious
http://45.9.74.6/2.exe
whois
Unknown 45.9.74.6 34108 malware
http://ip-api.com/json/?fields=query,status,countryCode,city,timezone
whois
US TUT-AS 208.95.112.1 clean
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.19 clean
http://77.91.68.63/DSC01491/foto166.exe
whois
RU Foton Telecom CJSC 77.91.68.63 34449 malware
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.215.67 clean
http://filetops.com/11.exe
whois
MD Alexhost Srl 176.123.0.55 malware
https://sun6-20.userapi.com/c237131/u808950829/docs/d4/e13b25e09d25/cosmicc.bmp?extra=stXLh9yeLHGN9SlVsloDPGw2IgEhBNDxgWN1G2zeGn8qlgrZSRAH1v89a0ZDL7oELI93bxwBwRnW_ivqaxb3FRZiw4Xqq202jQeAhhWSHBci5Zdkb-0YOkk07JgxzAMRpaPdeRM2Q93iMMgW-Q
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc228185173_661755100?hash=DqFpTzZAFcL1uykcukFWUZYHQqF9dETJFT41KF97TWw&dl=OW4FFnitxAElY7BvTyC2XM9E3mNKnhNVijdNbdZORkz&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://vk.com/doc228185173_661830509?hash=z77Tp2Bt5jc8CbHfC9pdvdFVpeHj77HUzJtS6jx8WZ8&dl=1eqxtSfgbXKz7M994WFagxxb8DLoZQgtZJXs62syX8T&api=1&no_preview=1#rise_test
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://transfer.sh/get/O32aLx3zxk/123.exe
whois
DE Hetzner Online GmbH 144.76.136.153 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.5.15 clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.4.15 clean
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.4.15 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://sun6-21.userapi.com/c237131/u228185173/docs/d35/4140efbf0ed7/RisePro_0_1_mA7L5kJnTfFOiuHxQYaS.bmp?extra=re6rpnFOKJwF0t8F4lretXsoNaq02d_nb05Kq5nbPJBLKO0KilKF9RN8oCExTx0GeSBpQXc_53AvQYpPEE-29fALGTrBrIzneHMEI1cZjQL6tMPwa4wU185BgFu0-VuGPrPF2CZIhQknkhG
whois
RU VKontakte Ltd 95.142.206.1 clean
https://transfer.sh/get/Ob9VLCSTEK/n0cjd0kc.exe
whois
DE Hetzner Online GmbH 144.76.136.153 clean
https://redstarnetwork.com/c53cfff621a84792162f70e790980e38.exe
whois
US CLOUDFLARENET 104.21.41.126 clean
https://sun6-23.userapi.com/c909418/u228185173/docs/d27/da1f2eaf2b5d/WWW1.bmp?extra=8J1b5OCdk00xDQ04yGXv7N1CNSCMv3zNpE207zxgONfJmcjxiMjX8zRAs2CAkQVcOL3tzbiJWX2tA3ol7rulMaErNXRaHgTSYMOM4sXxWFokNQNs91oo1kxDokhHctckG42HpXCAlIUHMH1U1w
whois
RU VKontakte Ltd 95.142.206.3 clean
https://sun6-23.userapi.com/c909518/u228185173/docs/d38/ea548909888f/PMmp.bmp?extra=LXFxB-ISKpM7xEmmJzm8A0AHpbBGvwJhkryzYodAYd3pZDyv6H2Y0krbCQxfr0dI8Y9eNqFwd226iLcSF8pMoRwBAWN9OIRQlnLvB3d9AJRz73Ft6_ua2DMvIVM3Y5cp8s2d6iPEMI_BtQrgVA
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc808950829_663078972?hash=j2CZ6bZTOFKujwLvTjSsQqTNOS1zHcabZQcoDzREbF4&dl=hcBEKXMw1SIZkcrNZfPnHmTG7tHeo2Ckl7z4I9qFrMc&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://vk.com/doc228185173_661675966?hash=WIZmJ4srelm3loy6LntaCgIGY3LmupjV3W4uezZEqWo&dl=zhVczqBPZOQpqnKDUVkAVPrl9zZlS025dfZ0dmo13KT&api=1&no_preview=1#WW1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
api.mylnikov.org
whois
US CLOUDFLARENET 104.21.44.66 clean
as.imgjeoigaa.com
whois
HK HK Kwaifong Group Limited 39.109.117.57 mailcious
ip-api.com
whois
US TUT-AS 208.95.112.1 clean
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 clean
filetops.com
whois
MD Alexhost Srl 176.123.0.55 malware
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
www.nsctpl.com
whois
US LIQUIDWEB 50.28.78.111 clean
www.microsoft.com
whois
US Akamai International B.V. 104.76.29.199 clean
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
redstarnetwork.com
whois
US CLOUDFLARENET 172.67.147.58 clean
api.telegram.org
whois
GB Telegram Messenger Inc 149.154.167.220 clean
luxuryhosts.net
whois
US CLOUDFLARENET 172.67.186.52 clean
us.imgjeoigaa.com
whois
HK HK Kwaifong Group Limited 154.221.19.146 mailcious
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
transfer.sh
whois
DE Hetzner Online GmbH 144.76.136.153 malware
www.google.com
whois
US GOOGLE 142.250.207.100 clean
api.myip.com
whois
US CLOUDFLARENET 104.26.9.59 clean
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
ji.jahhaega2qq.com
whois
US CLOUDFLARENET 172.67.182.87 malware
www.maxmind.com
whois
US CLOUDFLARENET 104.17.214.67 clean
vk.com
whois
RU VKontakte Ltd 87.240.129.133 mailcious
icanhazip.com
whois
US CLOUDFLARENET 104.18.114.97 clean
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
208.95.112.1
whois
US TUT-AS 208.95.112.1 clean
104.17.215.67
whois
US CLOUDFLARENET 104.17.215.67 clean
83.97.73.128
whois
DE Limitless Mobile GmbH 83.97.73.128 malware
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
176.123.0.55
whois
MD Alexhost Srl 176.123.0.55 malware
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
208.67.104.60
whois
Unknown 208.67.104.60 mailcious
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
104.21.44.66
whois
US CLOUDFLARENET 104.21.44.66 clean
135.125.27.228
whois
US AVAYA 135.125.27.228 clean
45.9.74.80
whois
Unknown 45.9.74.80 malware
185.159.129.168
whois
RU IT Outsourcing LLC 185.159.129.168 mailcious
104.75.19.18
whois
US Akamai International B.V. 104.75.19.18 clean
157.254.164.98
whois
Unknown 157.254.164.98 mailcious
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
194.169.175.132
whois
Unknown 194.169.175.132 malware
77.91.68.63
whois
RU Foton Telecom CJSC 77.91.68.63 malware
45.12.253.74
whois
DE CMCS 45.12.253.74 malware
104.18.114.97
whois
US CLOUDFLARENET 104.18.114.97 clean
144.76.136.153
whois
DE Hetzner Online GmbH 144.76.136.153 mailcious
154.221.19.146
whois
HK HK Kwaifong Group Limited 154.221.19.146 mailcious
185.81.68.115
whois
FI KLN-Optimum Group Ltd 185.81.68.115 mailcious
83.97.73.131
whois
DE Limitless Mobile GmbH 83.97.73.131 malware
50.28.78.111
whois
US LIQUIDWEB 50.28.78.111 clean
172.67.186.52
whois
US CLOUDFLARENET 172.67.186.52 clean
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
87.240.137.164
whois
RU VKontakte Ltd 87.240.137.164 mailcious
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 clean
163.123.143.4
whois
Unknown 163.123.143.4 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
23.67.53.18
whois
US Akamai International B.V. 23.67.53.18 clean
121.254.136.27
whois
KR LG DACOM Corporation 121.254.136.27 clean
149.154.167.220
whois
GB Telegram Messenger Inc 149.154.167.220 clean
94.142.138.131
whois
RU Ihor Hosting LLC 94.142.138.131 mailcious
45.9.74.6
whois
Unknown 45.9.74.6 malware
104.21.18.146
whois
US CLOUDFLARENET 104.21.18.146 clean
39.109.117.57
whois
HK HK Kwaifong Group Limited 39.109.117.57 mailcious
104.21.41.126
whois
US CLOUDFLARENET 104.21.41.126 clean

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 40
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Download from dotted-quad Host
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
ET MALWARE JS/Nemucod.M.gen downloading EXE payload
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO TLS Handshake Failure
ET INFO Packed Executable Download
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO EXE - Served Attached HTTP
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Amadey Bot Activity (POST)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET POLICY External IP Lookup ip-api.com
ET POLICY Microsoft user-agent automated process response to automated request

Similarity measure (PE file only) - Checking for service failure