popup

Report - foto175.exe

Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE File PE32 .NET EXE DLL CAB
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.03 10:50 Machine s1_win7_x6401
Filename foto175.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
6
 Behavior Score
16.8
ZERO API file : mailcious
VT API (file) 38 detected (AIDetectMalware, Jaik, unsafe, Save, Kryptik, ZexaF, Gq2@ai@ehNii, Attribute, HighConfidence, malicious, high confidence, HTVT, score, Injurer, PWSX, Tgil, ZPACK, Gen4, Artemis, high, Static AI, Malicious PE, Sabsik, Detected, ai score=86, Genetic, Generic@AI, RDML, hs2l2zzB0WQcMiY4A7742w, confidence, 100%)
md5 af5bf582ca4bbeed9781ae86775f0db6
sha256 67bc6828f66eebadb97edb5eeb824f4c71b03e10c6067a651a491b19f34367f6
ssdeep 12288:tnaGoQ2PBs3vqcSKfkSkujY1kcXTnTymGMSiilOwK:tnaGsAyGkSBTMnenMSiiMt
imphash a4a6d285c99bdb73e593491b15a4c14c
impfuzzy 24:9jlNDodgMjOovnG/J3IStsQFQ8RyvDkRT4QfalWKv:bMCdzts3DgcQfaIKv
  Network IP location

Signature (38cnts)

Level Description
danger Disables Windows Security features
danger File has been identified by 38 AntiVirus engines on VirusTotal as malicious
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process rugen.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (17cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info CAB_file_format CAB archive file binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://77.91.68.63/doma/net/Plugins/cred64.dll
whois
RU Foton Telecom CJSC 77.91.68.63 34362 malware
http://77.91.68.63/doma/net/Plugins/clip64.dll
whois
RU Foton Telecom CJSC 77.91.68.63 34363 malware
http://77.91.68.63/doma/net/index.php
whois
RU Foton Telecom CJSC 77.91.68.63 34361 mailcious
77.91.124.49
whois
RU Foton Telecom CJSC 77.91.124.49 mailcious
77.91.68.63
whois
RU Foton Telecom CJSC 77.91.68.63 malware

Suricata ids

ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x411000 Sleep
 0x411004 WaitForSingleObject
 0x411008 CreateThread
 0x41100c lstrlenW
 0x411010 VirtualProtect
 0x411014 GetProcAddress
 0x411018 LoadLibraryA
 0x41101c VirtualAlloc
 0x411020 GetLastError
 0x411024 CreateMutexW
 0x411028 FreeConsole
 0x41102c GetModuleHandleA
 0x411030 CloseHandle
 0x411034 RtlUnwind
 0x411038 RaiseException
 0x41103c GetCommandLineA
 0x411040 HeapFree
 0x411044 GetModuleHandleW
 0x411048 TlsGetValue
 0x41104c TlsAlloc
 0x411050 TlsSetValue
 0x411054 TlsFree
 0x411058 InterlockedIncrement
 0x41105c SetLastError
 0x411060 GetCurrentThreadId
 0x411064 InterlockedDecrement
 0x411068 HeapAlloc
 0x41106c TerminateProcess
 0x411070 GetCurrentProcess
 0x411074 UnhandledExceptionFilter
 0x411078 SetUnhandledExceptionFilter
 0x41107c IsDebuggerPresent
 0x411080 ExitProcess
 0x411084 WriteFile
 0x411088 GetStdHandle
 0x41108c GetModuleFileNameA
 0x411090 FreeEnvironmentStringsA
 0x411094 GetEnvironmentStrings
 0x411098 FreeEnvironmentStringsW
 0x41109c WideCharToMultiByte
 0x4110a0 GetEnvironmentStringsW
 0x4110a4 SetHandleCount
 0x4110a8 GetFileType
 0x4110ac GetStartupInfoA
 0x4110b0 DeleteCriticalSection
 0x4110b4 HeapCreate
 0x4110b8 VirtualFree
 0x4110bc QueryPerformanceCounter
 0x4110c0 GetTickCount
 0x4110c4 GetCurrentProcessId
 0x4110c8 GetSystemTimeAsFileTime
 0x4110cc GetCPInfo
 0x4110d0 GetACP
 0x4110d4 GetOEMCP
 0x4110d8 IsValidCodePage
 0x4110dc LeaveCriticalSection
 0x4110e0 EnterCriticalSection
 0x4110e4 HeapReAlloc
 0x4110e8 HeapSize
 0x4110ec InitializeCriticalSectionAndSpinCount
 0x4110f0 LCMapStringA
 0x4110f4 MultiByteToWideChar
 0x4110f8 LCMapStringW
 0x4110fc GetStringTypeA
 0x411100 GetStringTypeW
 0x411104 GetLocaleInfoA
USER32.dll
 0x41110c SetClipboardViewer

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure