popup

Report - photo230.exe

Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer OS Processor Check PE File PE32 CAB DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.03 10:41 Machine s1_win7_x6403
Filename photo230.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
16.4
ZERO API file : mailcious
VT API (file) 36 detected (AIDetectMalware, Jaik, Artemis, Save, Attribute, HighConfidence, malicious, high confidence, Kryptik, HTVT, score, PWSX, Bdhl, ZPACK, Gen4, high, Static AI, Malicious PE, ai score=83, Amadey, Detected, ZexaF, Yq2@aerQhCai, unsafe, Genetic, Generic@AI, RDML, fzQH6x2VyvkdD3cHT6JQPQ, confidence, 100%)
md5 535bee03acddc2ef19f532f8c53db308
sha256 330a61227a6cdf22315cba27ac827f4adb7c1308b6710e9d7461549198abc10f
ssdeep 24576:/I8QkBQE4MosgUv/Pz37r7/Dn5aWSOQW9JV9VBN5hJVhNVdpVhCkws4773TvvvLT:/I8QkBQE4MosgUv/Pz37r7/Dn5aWSOQx
imphash a4a6d285c99bdb73e593491b15a4c14c
impfuzzy 24:9jlNDodgMjOovnG/J3IStsQFQ8RyvDkRT4QfalWKv:bMCdzts3DgcQfaIKv
  Network IP location

Signature (36cnts)

Level Description
danger Disables Windows Security features
danger File has been identified by 36 AntiVirus engines on VirusTotal as malicious
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects Avast Antivirus through the presence of a library
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process rugen.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (16cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info CAB_file_format CAB archive file binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://77.91.68.63/doma/net/Plugins/cred64.dll
whois
RU Foton Telecom CJSC 77.91.68.63 34362 malware
http://77.91.68.63/doma/net/Plugins/clip64.dll
whois
RU Foton Telecom CJSC 77.91.68.63 34363 malware
http://77.91.68.63/doma/net/index.php
whois
RU Foton Telecom CJSC 77.91.68.63 34361 mailcious
77.91.68.63
whois
RU Foton Telecom CJSC 77.91.68.63 malware
83.97.73.134
whois
DE Limitless Mobile GmbH 83.97.73.134 malware

Suricata ids

ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x410000 Sleep
 0x410004 WaitForSingleObject
 0x410008 CreateThread
 0x41000c lstrlenW
 0x410010 VirtualProtect
 0x410014 GetProcAddress
 0x410018 LoadLibraryA
 0x41001c VirtualAlloc
 0x410020 GetLastError
 0x410024 CreateMutexW
 0x410028 FreeConsole
 0x41002c GetModuleHandleA
 0x410030 CloseHandle
 0x410034 RtlUnwind
 0x410038 RaiseException
 0x41003c GetCommandLineA
 0x410040 HeapFree
 0x410044 GetModuleHandleW
 0x410048 TlsGetValue
 0x41004c TlsAlloc
 0x410050 TlsSetValue
 0x410054 TlsFree
 0x410058 InterlockedIncrement
 0x41005c SetLastError
 0x410060 GetCurrentThreadId
 0x410064 InterlockedDecrement
 0x410068 HeapAlloc
 0x41006c TerminateProcess
 0x410070 GetCurrentProcess
 0x410074 UnhandledExceptionFilter
 0x410078 SetUnhandledExceptionFilter
 0x41007c IsDebuggerPresent
 0x410080 ExitProcess
 0x410084 WriteFile
 0x410088 GetStdHandle
 0x41008c GetModuleFileNameA
 0x410090 FreeEnvironmentStringsA
 0x410094 GetEnvironmentStrings
 0x410098 FreeEnvironmentStringsW
 0x41009c WideCharToMultiByte
 0x4100a0 GetEnvironmentStringsW
 0x4100a4 SetHandleCount
 0x4100a8 GetFileType
 0x4100ac GetStartupInfoA
 0x4100b0 DeleteCriticalSection
 0x4100b4 HeapCreate
 0x4100b8 VirtualFree
 0x4100bc QueryPerformanceCounter
 0x4100c0 GetTickCount
 0x4100c4 GetCurrentProcessId
 0x4100c8 GetSystemTimeAsFileTime
 0x4100cc GetCPInfo
 0x4100d0 GetACP
 0x4100d4 GetOEMCP
 0x4100d8 IsValidCodePage
 0x4100dc LeaveCriticalSection
 0x4100e0 EnterCriticalSection
 0x4100e4 HeapReAlloc
 0x4100e8 HeapSize
 0x4100ec InitializeCriticalSectionAndSpinCount
 0x4100f0 LCMapStringA
 0x4100f4 MultiByteToWideChar
 0x4100f8 LCMapStringW
 0x4100fc GetStringTypeA
 0x410100 GetStringTypeW
 0x410104 GetLocaleInfoA
USER32.dll
 0x41010c SetClipboardViewer

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure