popup

Report - File_pass1234.7z

Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.04 11:12 Machine s1_win7_x6402
Filename File_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
7.0
ZERO API file : malware
VT API (file)
md5 4483d5690270b7692a1aef79acf05ef7
sha256 5aacc47ebbe6063a8a4f26bcbbd180a4b83fbd90bf6464914be2cc2212a1c1e8
ssdeep 196608:qfegvKHmsuB0yo2X7xZDwwTZWMmZ9+HXQgc1+875wUvzogE:EzvKYiyo2LT82HXQX1+6SU0J
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (88cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660 malware
http://zzz.fhauiehgha.com/m/okka25.exe
whois
US HK Kwaifong Group Limited 156.236.72.121 34705 mailcious
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://176.113.115.84:8080/4.php
whois
RU OOO Network of data-centers Selectel 176.113.115.84 34795 mailcious
http://85.208.136.10/api/firegate.php
whois
DE CMCS 85.208.136.10 32663 mailcious
http://95.214.25.233:3002/
whois
DE CMCS 95.214.25.233 34794 mailcious
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.214.67 clean
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US CCCH-3 23.43.165.105 clean
http://77.91.124.31/gallery/photo270.exe
whois
RU Foton Telecom CJSC 77.91.124.31 34796 mailcious
http://45.66.230.164/g.exe
whois
DE CMCS 45.66.230.164 34813 malware
http://85.208.136.10/api/tracemap.php
whois
DE CMCS 85.208.136.10 32662 mailcious
http://77.91.68.63/doma/net/index.php
whois
RU Foton Telecom CJSC 77.91.68.63 34361 mailcious
http://work.a-poster.info:25000/http://work.a-poster.info:25000/
whois
NL Scalaxy B.V. 37.1.217.172 clean
http://www.google.com/
whois
US GOOGLE 142.250.207.100 clean
http://77.91.68.157/new/foto175.exe
whois
RU Foton Telecom CJSC 77.91.68.157 34808 mailcious
https://sun6-21.userapi.com/c237331/u808950829/docs/d48/d1d91a4b21f4/crypted.bmp?extra=D_BWRC57Taws3-Fgtz0Gxn3f2opCiSMWtqiuFxYQA0aksgwVh6YjjIPNW5MpGk6yKGdNg8ZTX6CvpZzfgkwz7tiur4dQ3bAKw7tDCF4jRNZWimRJ_LVkrc_IZPmptHVkvrJVfSKHI0ooAQ2gRw
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc808950829_663757713?hash=MV1SXyDS4uzEVWhEqhhdzBKaHhSpB1pMWajJ3kWBQV8&dl=e0Oyc6MBznNTvzhob66JHCdZRBEsNzCGWPgvdgUA1Ww&api=1&no_preview=1#cryp
whois
RU VKontakte Ltd 87.240.132.72 clean
https://traffic-to.site/294/setup294.exe
whois
US CLOUDFLARENET 172.67.171.62 34662 malware
https://sun6-21.userapi.com/c909618/u808950829/docs/d11/42869e7f9cc3/3kqwpj3h.bmp?extra=iu5bVjMFNIqUemb79KZZ24CeL5cMX_YUphspjbrsKQ0QUE_HJGYYUnXWE5KNEfFj7ZsXJieTmQRDLqmGmAGJaPTY6e85eIHkBVaoNrbdjuIl31OOfC0u5WF-jtr_iluF_uWpnxURNYekfLRxxw
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://sun6-20.userapi.com/c909228/u808950829/docs/d39/44e1f5793080/PMmp.bmp?extra=Z1r9oittoDfhiJ4OcYscFihyLdo44Yji7Xs_I3mUIZWuCfOWtNcTOccvpUtUCzvyju5K8UH8Puj8jHq26H3oPHzUvwyZJ89D69QVwWsj-HDqatEErOgxwiRb6RiYTuRfRhpAie_4w1WtpXYgeQ
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc808950829_663371568?hash=nCbeQhSdektZCklmCq7XtG48Ee60nv8DORi9fErSJWH&dl=TYjpYtrURbaoeiox6ukI3zcdJlSPMzTTZwoXzpHEm48&api=1&no_preview=1#rise_test
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc808950829_663416193?hash=TwgmTA3pMX5XUbfBEPazmzdRVPdFw9t8BbYBqJvidU8&dl=H6DzAmaBeDTytHVbTKfRExM88kxUqIpLizX7g2YgUEL&api=1&no_preview=1#WW1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.5.15 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc808950829_663648937?hash=eKai4FYeayZCAEjqzlxZ2gWz79KxiwUMuktQ4fZ6rr0&dl=8PltKcE2IQ6oZHvv1IHsdh8qZWM237x2z5umRu20Q5L&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc808950829_663496587?hash=9HBIzrbBWHKqUnGhHt30dMcZIm1RpmRRZBzZ89JCfGw&dl=JRIT3v6zzNFrou8UYI02dSfdibpUzCLo9YvFXREFvCT&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 172.67.75.166 clean
work.a-poster.info
whois
NL Scalaxy B.V. 37.1.217.172 mailcious
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
fastpool.xyz
whois
BG Vivacom 213.91.128.133 mailcious
www.google.com
whois
US GOOGLE 142.250.207.100 clean
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
zzz.fhauiehgha.com
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious
traffic-to.site
whois
US CLOUDFLARENET 172.67.171.62 malware
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
api.myip.com
whois
US CLOUDFLARENET 172.67.75.163 clean
bitbucket.org
whois
US ATLASSIAN PTY LTD 104.192.141.1 malware
www.maxmind.com
whois
US CLOUDFLARENET 104.17.215.67 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
vanaheim.cn
whois
Unknown 8.211.5.234 clean
vk.com
whois
RU VKontakte Ltd 93.186.225.194 mailcious
z.nnnaajjjgc.com
whois
US HK Kwaifong Group Limited 156.236.72.121 malware
77.91.68.157
whois
RU Foton Telecom CJSC 77.91.68.157 malware
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
146.59.161.7
whois
Unknown 146.59.161.7 mailcious
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
62.122.184.92
whois
Unknown 62.122.184.92 clean
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
80.66.75.254
whois
RU Alexander Valerevich Mokhonko 80.66.75.254 clean
77.91.124.49
whois
RU Foton Telecom CJSC 77.91.124.49 mailcious
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
80.66.75.4
whois
RU Alexander Valerevich Mokhonko 80.66.75.4 clean
194.26.135.162
whois
Unknown 194.26.135.162 mailcious
85.208.136.10
whois
DE CMCS 85.208.136.10 mailcious
157.254.164.98
whois
Unknown 157.254.164.98 mailcious
87.240.132.72
whois
RU VKontakte Ltd 87.240.132.72 mailcious
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
176.113.115.84
whois
RU OOO Network of data-centers Selectel 176.113.115.84 mailcious
185.157.120.11
whois
Unknown 185.157.120.11 mailcious
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
176.113.115.135
whois
RU OOO Network of data-centers Selectel 176.113.115.135 clean
77.91.68.63
whois
RU Foton Telecom CJSC 77.91.68.63 malware
176.113.115.136
whois
RU OOO Network of data-centers Selectel 176.113.115.136 clean
45.12.253.74
whois
DE CMCS 45.12.253.74 malware
45.66.230.164
whois
DE CMCS 45.66.230.164 malware
104.192.141.1
whois
US ATLASSIAN PTY LTD 104.192.141.1 mailcious
104.17.214.67
whois
US CLOUDFLARENET 104.17.214.67 clean
95.214.25.233
whois
DE CMCS 95.214.25.233 mailcious
156.236.72.121
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious
37.1.217.172
whois
NL Scalaxy B.V. 37.1.217.172 clean
104.26.9.59
whois
US CLOUDFLARENET 104.26.9.59 clean
8.211.5.234
whois
Unknown 8.211.5.234 clean
163.123.143.4
whois
Unknown 163.123.143.4 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
45.143.201.238
whois
Unknown 45.143.201.238 clean
121.254.136.27
whois
KR LG DACOM Corporation 121.254.136.27 clean
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
77.91.124.31
whois
RU Foton Telecom CJSC 77.91.124.31 mailcious
216.58.200.228
whois
US GOOGLE 216.58.200.228 clean
172.67.171.62
whois
US CLOUDFLARENET 172.67.171.62 clean
213.91.128.133
whois
BG Vivacom 213.91.128.133 mailcious

Suricata ids

ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO TLS Handshake Failure
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO EXE - Served Attached HTTP
ET DROP Spamhaus DROP Listed Traffic Inbound group 27
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY Cryptocurrency Miner Checkin
ET DROP Dshield Block Listed Source group 1
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

Similarity measure (PE file only) - Checking for service failure