popup

Report - foto172.exe

Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE OS Processor Check CAB DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.26 09:55 Machine s1_win7_x6403
Filename foto172.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
15.6
ZERO API file : clean
VT API (file)
md5 94b7834a3b8954758c8004a572f0e024
sha256 4139c3013c576e0e2d84cecb5befffee93a43b3359c192428889fd470442be86
ssdeep 12288:aK03zXWfPfpmpJ/JeH2pV5/ek60FLqVSr:aK0i3fpwMWpV5/wLVw
imphash 89591827d8fa86937981d5b74d9dafb9
impfuzzy 24:tNDoWjNJ3MjOovJcftDG/J3IDQFQ8RyvDkRT4mlrjMcIB1A:5MCGcftIm3DgcmRCK
  Network IP location

Signature (36cnts)

Level Description
danger Disables Windows Security features
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process rugen.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (15cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info CAB_file_format CAB archive file binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://77.91.68.63/doma/net/Plugins/cred64.dll
whois
RU Foton Telecom CJSC 77.91.68.63 34362 malware
http://77.91.68.63/doma/net/Plugins/clip64.dll
whois
RU Foton Telecom CJSC 77.91.68.63 34363 malware
http://77.91.68.63/doma/net/index.php
whois
RU Foton Telecom CJSC 77.91.68.63 34361 mailcious
77.91.68.63
whois
RU Foton Telecom CJSC 77.91.68.63 malware
83.97.73.131
whois
DE Limitless Mobile GmbH 83.97.73.131 malware

Suricata ids

ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x40e008 CreateThread
 0x40e00c lstrlenW
 0x40e010 VirtualProtect
 0x40e014 GetProcAddress
 0x40e018 LoadLibraryA
 0x40e01c VirtualAlloc
 0x40e020 WaitForSingleObject
 0x40e024 CreateMutexW
 0x40e028 GetConsoleWindow
 0x40e02c GetModuleHandleA
 0x40e030 GetLastError
 0x40e034 Sleep
 0x40e038 RtlUnwind
 0x40e03c RaiseException
 0x40e040 GetCommandLineA
 0x40e044 EnterCriticalSection
 0x40e048 LeaveCriticalSection
 0x40e04c TerminateProcess
 0x40e050 GetCurrentProcess
 0x40e054 UnhandledExceptionFilter
 0x40e058 SetUnhandledExceptionFilter
 0x40e05c IsDebuggerPresent
 0x40e060 HeapFree
 0x40e064 GetModuleHandleW
 0x40e068 TlsGetValue
 0x40e06c TlsAlloc
 0x40e070 TlsSetValue
 0x40e074 TlsFree
 0x40e078 InterlockedIncrement
 0x40e07c SetLastError
 0x40e080 GetCurrentThreadId
 0x40e084 InterlockedDecrement
 0x40e088 HeapAlloc
 0x40e08c ExitProcess
 0x40e090 WriteFile
 0x40e094 GetStdHandle
 0x40e098 GetModuleFileNameA
 0x40e09c FreeEnvironmentStringsA
 0x40e0a0 GetEnvironmentStrings
 0x40e0a4 FreeEnvironmentStringsW
 0x40e0a8 WideCharToMultiByte
 0x40e0ac GetEnvironmentStringsW
 0x40e0b0 SetHandleCount
 0x40e0b4 GetFileType
 0x40e0b8 GetStartupInfoA
 0x40e0bc DeleteCriticalSection
 0x40e0c0 HeapCreate
 0x40e0c4 VirtualFree
 0x40e0c8 QueryPerformanceCounter
 0x40e0cc GetTickCount
 0x40e0d0 GetCurrentProcessId
 0x40e0d4 GetSystemTimeAsFileTime
 0x40e0d8 GetCPInfo
 0x40e0dc GetACP
 0x40e0e0 GetOEMCP
 0x40e0e4 IsValidCodePage
 0x40e0e8 HeapReAlloc
 0x40e0ec HeapSize
 0x40e0f0 InitializeCriticalSectionAndSpinCount
 0x40e0f4 GetConsoleCP
 0x40e0f8 GetConsoleMode
 0x40e0fc FlushFileBuffers
 0x40e100 LCMapStringA
 0x40e104 MultiByteToWideChar
 0x40e108 LCMapStringW
 0x40e10c GetStringTypeA
 0x40e110 GetStringTypeW
 0x40e114 GetLocaleInfoA
 0x40e118 SetFilePointer
 0x40e11c CloseHandle
 0x40e120 WriteConsoleA
 0x40e124 GetConsoleOutputCP
 0x40e128 WriteConsoleW
 0x40e12c SetStdHandle
 0x40e130 CreateFileA
USER32.dll
 0x40e138 ShowWindow
GDI32.dll
 0x40e000 SetSystemPaletteUse

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure