Report - foto175.exe

Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer OS Processor Check PE File PE32 DLL .NET EXE CAB
ScreenShot
Created 2023.07.10 18:20 Machine s1_win7_x6401
Filename foto175.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
7
Behavior Score
16.0
ZERO API file : malware
VT API (file)
md5 2415dbdd83d587bd33b25678273cb84a
sha256 589598f28559e972e9cfe2b17798a77c91d90dfc4c6abcbec2ce2f84cd972216
ssdeep 12288:K0U2Oz47NdoGV45u3SeBz/0qgoG0//f1x:B047voGVjpgGf1
imphash d16fc9171842127d5f2d9438e5ae0377
impfuzzy 24:dojMVDo0S1jtubJnc+pl39/CyoEOovbO3URZHu93vB3GMM:jS1jtulc+ppQyc3vBi
  Network IP location

Signature (38cnts)

Level Description
danger Disables Windows Security features
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process danke.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (17cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info CAB_file_format CAB archive file binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://77.91.68.3/home/love/index.php RU Foton Telecom CJSC 77.91.68.3 clean
http://77.91.68.3/home/love/Plugins/cred64.dll RU Foton Telecom CJSC 77.91.68.3 clean
http://77.91.68.3/home/love/Plugins/clip64.dll RU Foton Telecom CJSC 77.91.68.3 malware
77.91.68.3 RU Foton Telecom CJSC 77.91.68.3 malware
77.91.68.48 RU Foton Telecom CJSC 77.91.68.48 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x410000 GetLastError
 0x410004 WaitForSingleObject
 0x410008 CreateMutexW
 0x41000c Sleep
 0x410010 CreateThread
 0x410014 VirtualAlloc
 0x410018 VirtualProtect
 0x41001c GetModuleHandleA
 0x410020 GetProcAddress
 0x410024 LoadLibraryA
 0x410028 lstrlenW
 0x41002c FreeConsole
 0x410030 WriteConsoleW
 0x410034 QueryPerformanceCounter
 0x410038 GetCurrentProcessId
 0x41003c GetCurrentThreadId
 0x410040 GetSystemTimeAsFileTime
 0x410044 InitializeSListHead
 0x410048 IsDebuggerPresent
 0x41004c UnhandledExceptionFilter
 0x410050 SetUnhandledExceptionFilter
 0x410054 GetStartupInfoW
 0x410058 IsProcessorFeaturePresent
 0x41005c GetModuleHandleW
 0x410060 GetCurrentProcess
 0x410064 TerminateProcess
 0x410068 RtlUnwind
 0x41006c SetLastError
 0x410070 EnterCriticalSection
 0x410074 LeaveCriticalSection
 0x410078 DeleteCriticalSection
 0x41007c InitializeCriticalSectionAndSpinCount
 0x410080 TlsAlloc
 0x410084 TlsGetValue
 0x410088 TlsSetValue
 0x41008c TlsFree
 0x410090 FreeLibrary
 0x410094 LoadLibraryExW
 0x410098 EncodePointer
 0x41009c RaiseException
 0x4100a0 GetStdHandle
 0x4100a4 WriteFile
 0x4100a8 GetModuleFileNameW
 0x4100ac ExitProcess
 0x4100b0 GetModuleHandleExW
 0x4100b4 GetCommandLineA
 0x4100b8 GetCommandLineW
 0x4100bc HeapAlloc
 0x4100c0 HeapFree
 0x4100c4 FindClose
 0x4100c8 FindFirstFileExW
 0x4100cc FindNextFileW
 0x4100d0 IsValidCodePage
 0x4100d4 GetACP
 0x4100d8 GetOEMCP
 0x4100dc GetCPInfo
 0x4100e0 MultiByteToWideChar
 0x4100e4 WideCharToMultiByte
 0x4100e8 GetEnvironmentStringsW
 0x4100ec FreeEnvironmentStringsW
 0x4100f0 SetEnvironmentVariableW
 0x4100f4 SetStdHandle
 0x4100f8 GetFileType
 0x4100fc GetStringTypeW
 0x410100 CompareStringW
 0x410104 LCMapStringW
 0x410108 GetProcessHeap
 0x41010c HeapSize
 0x410110 HeapReAlloc
 0x410114 FlushFileBuffers
 0x410118 GetConsoleOutputCP
 0x41011c GetConsoleMode
 0x410120 SetFilePointerEx
 0x410124 CreateFileW
 0x410128 CloseHandle
 0x41012c DecodePointer

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure