popup

Report - File_pass1234.7z

UPX Malicious Library Escalate priviledges PWS KeyLogger AntiDebug AntiVM PE File PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.06 11:13 Machine s1_win7_x6402
Filename File_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
7.4
ZERO API
VT API (file)
md5 6f19b6cd920a34b60b5a59f2f20746b6
sha256 eb89fc5021a461189e3368657a5c38ce19af7b8a26b84447d9804cb300c94a52
ssdeep 98304:nm0nnUSH+ElYCNCXsGmu8j7HzKRcmpIiYeedZovBesWv2bTx1SPt:nmWnUSZYCpGkXMcsIiYPiJS2v6F
imphash
impfuzzy
  Network IP location

Signature (15cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (15cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch UPX_Zero UPX packed file binaries (download)
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE64 (no description) binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (63cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://208.67.104.60/api/firegate.php
whois
Unknown 208.67.104.60 34253
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660
http://zzz.fhauiehgha.com/m/okka25.exe
whois
US HK Kwaifong Group Limited 156.236.72.121 34705
http://aa.imgjeoogbb.com/check/safe
whois
HK HK Kwaifong Group Limited 154.221.26.108 34652
http://176.113.115.84:8080/4.php
whois
RU OOO Network of data-centers Selectel 176.113.115.84 34795
http://95.214.25.233:3002/
whois
DE CMCS 95.214.25.233 34794
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.16
http://77.91.124.31/gallery/photo270.exe
whois
RU Foton Telecom CJSC 77.91.124.31 34796
http://45.66.230.164/g.exe
whois
DE CMCS 45.66.230.164 34813
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.214.67
http://208.67.104.60/api/tracemap.php
whois
Unknown 208.67.104.60 28876
http://us.imgjeoigaa.com/sts/imagc.jpg
whois
HK HK Kwaifong Group Limited 103.100.211.218 33482
http://aa.imgjeoogbb.com/check/?sid=350540&key=0a18d2181acd6532bf70a66142dc16a0
whois
HK HK Kwaifong Group Limited 154.221.26.108 34651
http://85.208.136.10/api/tracemap.php
whois
DE CMCS 85.208.136.10 32662
https://camoverde.pw/setup294.exe
whois
US CLOUDFLARENET 104.21.0.171
https://vk.com/doc808950829_663788437?hash=2eEvnU5tvv0tTTXDhEX8q9Boubn9undHCOt73KTUqzD&dl=EJ05zUitXuxdQoIcYUJ5Zj5KPM6Kzzrdpz0VhUeNkOo&api=1&no_preview=1#WW1
whois
RU VKontakte Ltd 87.240.137.164
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.137.164
https://vk.com/doc808950829_663371568?hash=nCbeQhSdektZCklmCq7XtG48Ee60nv8DORi9fErSJWH&dl=TYjpYtrURbaoeiox6ukI3zcdJlSPMzTTZwoXzpHEm48&api=1&no_preview=1#rise_test
whois
RU VKontakte Ltd 87.240.137.164
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.4.15
https://vk.com/doc808950829_663648937?hash=eKai4FYeayZCAEjqzlxZ2gWz79KxiwUMuktQ4fZ6rr0&dl=8PltKcE2IQ6oZHvv1IHsdh8qZWM237x2z5umRu20Q5L&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164
https://sun6-21.userapi.com/c909618/u808950829/docs/d15/55b2d56c0cdb/WWW1.bmp?extra=LNvJInvcwbEIMsFVEEAn-sruvZLSPLsZ0csa6zoRoJnFOzu5bL_VsP_UlvV0osoFJLByZOzMVdl5mGWRHSDUkmAfxnPZJCC2Na2s-5d633NzeLL8eitoPbDh5O2gUxZAiv2_WD6GGb9_ekgfaA
whois
RU VKontakte Ltd 95.142.206.1
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.4.15
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.137.164
https://sun6-21.userapi.com/c909618/u808950829/docs/d11/868beb0af33d/3kqwpj3h.bmp?extra=JyCyDG6PFHazUQR0xfP2b1kHp8syIWsC-VEvsQPMUXF14_5CBCtyBObjKu16HaFrJpcXz6RdM4NUQUA7AT7sFQPaNk-kP6fjCJHI-6ei6gbMpdGkitmEut9L_e3922pXGgK44PdThWMcmjfhJg
whois
RU VKontakte Ltd 95.142.206.1
https://vk.com/doc808950829_663496587?hash=9HBIzrbBWHKqUnGhHt30dMcZIm1RpmRRZBzZ89JCfGw&dl=JRIT3v6zzNFrou8UYI02dSfdibpUzCLo9YvFXREFvCT&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164
db-ip.com
whois
US CLOUDFLARENET 172.67.75.166
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147
camoverde.pw
whois
US CLOUDFLARENET 172.67.128.35
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1
zzz.fhauiehgha.com
whois
US HK Kwaifong Group Limited 156.236.72.121
ipinfo.io
whois
US GOOGLE 34.117.59.81
aa.imgjeoogbb.com
whois
HK HK Kwaifong Group Limited 154.221.26.108
api.myip.com
whois
US CLOUDFLARENET 172.67.75.163
www.maxmind.com
whois
US CLOUDFLARENET 104.17.214.67
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15
vk.com
whois
RU VKontakte Ltd 87.240.132.72
us.imgjeoigaa.com
whois
HK HK Kwaifong Group Limited 103.100.211.218
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93
146.59.161.7
whois
Unknown 146.59.161.7
87.240.137.164
whois
RU VKontakte Ltd 87.240.137.164
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147
208.67.104.60
whois
Unknown 208.67.104.60
45.12.253.74
whois
DE CMCS 45.12.253.74
172.67.75.163
whois
US CLOUDFLARENET 172.67.75.163
154.221.26.108
whois
HK HK Kwaifong Group Limited 154.221.26.108
194.26.135.162
whois
Unknown 194.26.135.162
85.208.136.10
whois
DE CMCS 85.208.136.10
157.254.164.98
whois
Unknown 157.254.164.98
34.117.59.81
whois
US GOOGLE 34.117.59.81
176.113.115.84
whois
RU OOO Network of data-centers Selectel 176.113.115.84
104.21.0.171
whois
US CLOUDFLARENET 104.21.0.171
45.66.230.164
whois
DE CMCS 45.66.230.164
104.17.214.67
whois
US CLOUDFLARENET 104.17.214.67
95.214.25.233
whois
DE CMCS 95.214.25.233
156.236.72.121
whois
US HK Kwaifong Group Limited 156.236.72.121
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15
163.123.143.4
whois
Unknown 163.123.143.4
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1
121.254.136.27
whois
KR LG DACOM Corporation 121.254.136.27
77.91.124.31
whois
RU Foton Telecom CJSC 77.91.124.31
103.100.211.218
whois
HK HK Kwaifong Group Limited 103.100.211.218

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 40
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Download from dotted-quad Host
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO EXE - Served Attached HTTP
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 27
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response

Similarity measure (PE file only) - Checking for service failure