Report - fotod45.exe

Gen1 Emotet SmokeLoader UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer OS Processor Check PE File PE32 DLL CAB .NET EXE
ScreenShot
Created 2023.07.10 18:16 Machine s1_win7_x6401
Filename fotod45.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
7
Behavior Score
17.0
ZERO API file : clean
VT API (file)
md5 09cea48e485e3b4f35e25db8aef6926c
sha256 00cec0fd19876dbb3af9f25554fa6f4d32514e2e1ef310127f9a0188747e2b4b
ssdeep 12288:gk8xHz47KQQOcfbqbCdA0BVKLbilxR5m:IT47KQQljkCL3K4R
imphash d16fc9171842127d5f2d9438e5ae0377
impfuzzy 24:dojMVDo0S1jtubJnc+pl39/CyoEOovbO3URZHu93vB3GMM:jS1jtulc+ppQyc3vBi
  Network IP location

Signature (39cnts)

Level Description
danger Disables Windows Security features
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects Avast Antivirus through the presence of a library
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process danke.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (18cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
danger win_smokeloader_auto Detects win.smokeloader. binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info CAB_file_format CAB archive file binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://77.91.124.31/smo/du.exe RU Foton Telecom CJSC 77.91.124.31 malware
http://77.91.68.3/home/love/Plugins/clip64.dll RU Foton Telecom CJSC 77.91.68.3 malware
http://77.91.124.31/new/fotod45.exe RU Foton Telecom CJSC 77.91.124.31 clean
http://77.91.68.3/home/love/index.php RU Foton Telecom CJSC 77.91.68.3 clean
http://77.91.124.31/new/foto175.exe RU Foton Telecom CJSC 77.91.124.31 clean
http://77.91.68.3/home/love/Plugins/cred64.dll RU Foton Telecom CJSC 77.91.68.3 clean
77.91.124.31 RU Foton Telecom CJSC 77.91.124.31 mailcious
77.91.68.48 RU Foton Telecom CJSC 77.91.68.48 clean
77.91.68.3 RU Foton Telecom CJSC 77.91.68.3 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x410000 GetLastError
 0x410004 WaitForSingleObject
 0x410008 CreateMutexW
 0x41000c Sleep
 0x410010 CreateThread
 0x410014 VirtualAlloc
 0x410018 VirtualProtect
 0x41001c GetModuleHandleA
 0x410020 GetProcAddress
 0x410024 LoadLibraryA
 0x410028 lstrlenW
 0x41002c FreeConsole
 0x410030 WriteConsoleW
 0x410034 QueryPerformanceCounter
 0x410038 GetCurrentProcessId
 0x41003c GetCurrentThreadId
 0x410040 GetSystemTimeAsFileTime
 0x410044 InitializeSListHead
 0x410048 IsDebuggerPresent
 0x41004c UnhandledExceptionFilter
 0x410050 SetUnhandledExceptionFilter
 0x410054 GetStartupInfoW
 0x410058 IsProcessorFeaturePresent
 0x41005c GetModuleHandleW
 0x410060 GetCurrentProcess
 0x410064 TerminateProcess
 0x410068 RtlUnwind
 0x41006c SetLastError
 0x410070 EnterCriticalSection
 0x410074 LeaveCriticalSection
 0x410078 DeleteCriticalSection
 0x41007c InitializeCriticalSectionAndSpinCount
 0x410080 TlsAlloc
 0x410084 TlsGetValue
 0x410088 TlsSetValue
 0x41008c TlsFree
 0x410090 FreeLibrary
 0x410094 LoadLibraryExW
 0x410098 EncodePointer
 0x41009c RaiseException
 0x4100a0 GetStdHandle
 0x4100a4 WriteFile
 0x4100a8 GetModuleFileNameW
 0x4100ac ExitProcess
 0x4100b0 GetModuleHandleExW
 0x4100b4 GetCommandLineA
 0x4100b8 GetCommandLineW
 0x4100bc HeapAlloc
 0x4100c0 HeapFree
 0x4100c4 FindClose
 0x4100c8 FindFirstFileExW
 0x4100cc FindNextFileW
 0x4100d0 IsValidCodePage
 0x4100d4 GetACP
 0x4100d8 GetOEMCP
 0x4100dc GetCPInfo
 0x4100e0 MultiByteToWideChar
 0x4100e4 WideCharToMultiByte
 0x4100e8 GetEnvironmentStringsW
 0x4100ec FreeEnvironmentStringsW
 0x4100f0 SetEnvironmentVariableW
 0x4100f4 SetStdHandle
 0x4100f8 GetFileType
 0x4100fc GetStringTypeW
 0x410100 CompareStringW
 0x410104 LCMapStringW
 0x410108 GetProcessHeap
 0x41010c HeapSize
 0x410110 HeapReAlloc
 0x410114 FlushFileBuffers
 0x410118 GetConsoleOutputCP
 0x41011c GetConsoleMode
 0x410120 SetFilePointerEx
 0x410124 CreateFileW
 0x410128 CloseHandle
 0x41012c DecodePointer

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure