popup

Report - foto172.exe

Gen1 Emotet SmokeLoader Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE32 PE File CAB OS Processor Check .NET EXE DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.27 07:35 Machine s1_win7_x6403
Filename foto172.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
16.2
ZERO API file : mailcious
VT API (file)
md5 e609d62d8d48da3d205b632cd2fc52e8
sha256 c475ad88a8be90ba3e04a8918cc1a9380252e0781744e5c6412751dda1adc032
ssdeep 6144:fdHpZSe0q6Zwh24HVvsrln+y1gDhN41TkLIsOk28joWyoW2sH98COzY8POERnLqn:z4e03zPiDhN475Dd8PNL1/xmdAqnwzk
imphash a3a98f4b8bad628ffa25a9afc0275971
impfuzzy 24:9jlNDod/aMjOovJcftDG/J3IDQFQ8RyvDkRT4mlrjMcIBM:5MCGcftIm3DgcmRCM
  Network IP location

Signature (37cnts)

Level Description
danger Disables Windows Security features
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects Avast Antivirus through the presence of a library
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process rugen.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (16cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
danger win_smokeloader_auto Detects win.smokeloader. binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info CAB_file_format CAB archive file binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://77.91.68.63/doma/net/Plugins/cred64.dll
whois
RU Foton Telecom CJSC 77.91.68.63 34362 malware
http://83.97.73.129/smoke/fotod95.exe
whois
DE Limitless Mobile GmbH 83.97.73.129 mailcious
http://83.97.73.129/smoke/foto172.exe
whois
DE Limitless Mobile GmbH 83.97.73.129 mailcious
http://77.91.68.63/doma/net/index.php
whois
RU Foton Telecom CJSC 77.91.68.63 34361 mailcious
http://77.91.68.63/doma/net/Plugins/clip64.dll
whois
RU Foton Telecom CJSC 77.91.68.63 34363 malware
http://83.97.73.129/test1/mu.exe
whois
DE Limitless Mobile GmbH 83.97.73.129 malware
83.97.73.129
whois
DE Limitless Mobile GmbH 83.97.73.129 mailcious
77.91.68.63
whois
RU Foton Telecom CJSC 77.91.68.63 malware
83.97.73.131
whois
DE Limitless Mobile GmbH 83.97.73.131 malware

Suricata ids

ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x40e000 Sleep
 0x40e004 WaitForSingleObject
 0x40e008 CreateThread
 0x40e00c lstrlenW
 0x40e010 VirtualProtect
 0x40e014 GetProcAddress
 0x40e018 LoadLibraryA
 0x40e01c VirtualAlloc
 0x40e020 GetLastError
 0x40e024 CreateMutexW
 0x40e028 GetConsoleWindow
 0x40e02c GetModuleHandleA
 0x40e030 RtlUnwind
 0x40e034 RaiseException
 0x40e038 GetCommandLineA
 0x40e03c EnterCriticalSection
 0x40e040 LeaveCriticalSection
 0x40e044 TerminateProcess
 0x40e048 GetCurrentProcess
 0x40e04c UnhandledExceptionFilter
 0x40e050 SetUnhandledExceptionFilter
 0x40e054 IsDebuggerPresent
 0x40e058 HeapFree
 0x40e05c GetModuleHandleW
 0x40e060 TlsGetValue
 0x40e064 TlsAlloc
 0x40e068 TlsSetValue
 0x40e06c TlsFree
 0x40e070 InterlockedIncrement
 0x40e074 SetLastError
 0x40e078 GetCurrentThreadId
 0x40e07c InterlockedDecrement
 0x40e080 HeapAlloc
 0x40e084 ExitProcess
 0x40e088 WriteFile
 0x40e08c GetStdHandle
 0x40e090 GetModuleFileNameA
 0x40e094 FreeEnvironmentStringsA
 0x40e098 GetEnvironmentStrings
 0x40e09c FreeEnvironmentStringsW
 0x40e0a0 WideCharToMultiByte
 0x40e0a4 GetEnvironmentStringsW
 0x40e0a8 SetHandleCount
 0x40e0ac GetFileType
 0x40e0b0 GetStartupInfoA
 0x40e0b4 DeleteCriticalSection
 0x40e0b8 HeapCreate
 0x40e0bc VirtualFree
 0x40e0c0 QueryPerformanceCounter
 0x40e0c4 GetTickCount
 0x40e0c8 GetCurrentProcessId
 0x40e0cc GetSystemTimeAsFileTime
 0x40e0d0 GetCPInfo
 0x40e0d4 GetACP
 0x40e0d8 GetOEMCP
 0x40e0dc IsValidCodePage
 0x40e0e0 HeapReAlloc
 0x40e0e4 HeapSize
 0x40e0e8 InitializeCriticalSectionAndSpinCount
 0x40e0ec GetConsoleCP
 0x40e0f0 GetConsoleMode
 0x40e0f4 FlushFileBuffers
 0x40e0f8 LCMapStringA
 0x40e0fc MultiByteToWideChar
 0x40e100 LCMapStringW
 0x40e104 GetStringTypeA
 0x40e108 GetStringTypeW
 0x40e10c GetLocaleInfoA
 0x40e110 SetFilePointer
 0x40e114 CloseHandle
 0x40e118 WriteConsoleA
 0x40e11c GetConsoleOutputCP
 0x40e120 WriteConsoleW
 0x40e124 SetStdHandle
 0x40e128 CreateFileA
USER32.dll
 0x40e130 ShowWindow

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure