popup

Report - File_pass1234.7z

Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.14 17:27 Machine s1_win7_x6402
Filename File_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
6.6
ZERO API file : malware
VT API (file)
md5 55d5b448bf5e678fc628f7ea9f132a8f
sha256 34ec0e3bfcb34aa6cdb9cbb64b7697e82fa3253dd4105e1c3fb68f74128a982d
ssdeep 98304:lLz9eGhoMWu9sNiMEIFh5HKp0RCxl8RyW9ICklxWGrWc33bOlJXYlbquIsdLamq:d9hxaNfNhNKp0RwlczATCOQYEuIyLTq
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (86cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://content.elite-hacks.ru/test/setStats.php?id=_start
whois
US CLOUDFLARENET 104.21.56.191 clean
http://content.elite-hacks.ru/test/setStats.php?id=_stop
whois
US CLOUDFLARENET 104.21.56.191 clean
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660 malware
http://aa.imgjeoogbb.com/check/?sid=562266&key=6c3f7f1320704c1ed0fe959fab6bbb7f
whois
HK HK Kwaifong Group Limited 154.221.26.108 34651 mailcious
http://aa.imgjeoogbb.com/check/safe
whois
HK HK Kwaifong Group Limited 154.221.26.108 34652 mailcious
http://77.91.124.40/info/photo540.exe
whois
RU Foton Telecom CJSC 77.91.124.40 35119 malware
http://85.208.136.10/api/firegate.php
whois
DE CMCS 85.208.136.10 32663 mailcious
http://95.179.141.133:3002/
whois
NL AS-CHOOPA 95.179.141.133 clean
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US AKAMAI-AS 23.32.56.57 clean
http://45.66.230.164/g.exe
whois
DE CMCS 45.66.230.164 34813 malware
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.214.67 clean
http://us.imgjeoigaa.com/sts/imagc.jpg
whois
HK HK Kwaifong Group Limited 103.100.211.218 33482 mailcious
http://77.91.68.3/home/love/index.php
whois
RU Foton Telecom CJSC 77.91.68.3 35049 mailcious
http://85.208.136.10/api/tracemap.php
whois
DE CMCS 85.208.136.10 32662 mailcious
http://zzz.fhauiehgha.com/m/okka25.exe
whois
US HK Kwaifong Group Limited 156.236.72.121 34705 mailcious
https://camoverde.pw/setup294.exe
whois
US CLOUDFLARENET 172.67.128.35 34973 malware
https://vk.com/doc808950829_663933421?hash=ioG5QB3qvIws86ott1cKJe6Pb7yplHVFXBwsSvr5HZs&dl=mmMqy1dNgzrQdMHtVCaer8XyZ5fyDV65DqKrscCiZKT&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://vk.com/doc808950829_663788437?hash=2eEvnU5tvv0tTTXDhEX8q9Boubn9undHCOt73KTUqzD&dl=EJ05zUitXuxdQoIcYUJ5Zj5KPM6Kzzrdpz0VhUeNkOo&api=1&no_preview=1#WW1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.4.15 clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.4.15 clean
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.4.15 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://sun6-21.userapi.com/c235131/u808950829/docs/d53/3d058453faef/31bhpef20u5o7.bmp?extra=Sk2iuVbY1H06rVGdYq-mFzpkK_0K54Gg304PtafLqXDLbIVHsUda81wvOQqwPGl5F5ajfnCZvZEvpAw4lsO9Lafy7X84d3kyUdFOsITm9TUbfSVrOYpinKz5ihN_utW0swYRZB_Q_Osd8rEOmg
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc808950829_663974118?hash=dOMWUsvinJ2cpviUzz7vnxpsK8egTpcGetxzR7zZrlH&dl=jOHjRjzy9zAt3pzHP5nbHskFZI2CUKmKC4cOjJyWMzc&api=1&no_preview=1#5
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://sun6-22.userapi.com/c237331/u808950829/docs/d28/ae3bfa00ff0c/PMmp.bmp?extra=J2TWIaPG8nt7VFEEdsoRjaML2uGBOoaWesHpn7S_rEt-8bLY3h8kXOzdKGgyiYkFZ7JQENAekGCG-l1lSB3HmNet-idXGM_O0g3h0VW1MYvH5OuvyNOkFVJKbZ4kwaqz6Fe9_skefq-ZiIhePg
whois
RU VKontakte Ltd 95.142.206.2 clean
https://sun6-23.userapi.com/c240331/u808950829/docs/d25/b34ec3f5108d/5.bmp?extra=lFuRArKUHaROGi5k6FRvAaY3SvE8fmJ3SopiS96x7YJ6ZQ2Wy0azMyoNTaksC1wWJzsMi2bYWTlngyI951fFVKRMueQKDUHhUQZqsO0U-TbobXmLzjcX84L_-YfHFSphcnp155z-sEpMc5huqA
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc808950829_664243581?hash=WrzMcu5sQcHQStZvqHgs8NvpTBzI6rH0dAPO5bEZbSw&dl=Ceos7VtAG6OZQeZpZU7obenLsizYQEUV1F7MXPI7iZX&api=1&no_preview=1#rise_test
whois
RU VKontakte Ltd 87.240.137.164 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://psv4.userapi.com/c909328/u808950829/docs/d27/600eab1b51d3/StealerClient.bmp?extra=xlq-trvJdrtcA1tFaPPMJmS1s2mGKoF5FnF9zt8L_nNVY0MZAD6oDkSrnYia0AJFI5xLlH6KjSP8etm9qtPQpQSD2cdNxi_KwzjuOBY4NiOfYSeioqmtzlRNFcoJz9lre6BVANxgbE_CAop5aA
whois
RU VKontakte Ltd 87.240.137.134 clean
https://vk.com/doc808950829_664207170?hash=kMt7FUJyRMXd3utd25izhIrZbfZfaKJzCnFJqUmY3Sw&dl=uZ3GDnIBuaFj1FCG7xA3gziJZ6Zba8NMATPW6Lqrzb0&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 clean
www.maxmind.com
whois
US CLOUDFLARENET 104.17.215.67 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 clean
psv4.userapi.com
whois
RU VKontakte Ltd 87.240.190.76 clean
api.db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
api.myip.com
whois
US CLOUDFLARENET 172.67.75.163 clean
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
zzz.fhauiehgha.com
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
aa.imgjeoogbb.com
whois
HK HK Kwaifong Group Limited 154.221.26.108 mailcious
us.imgjeoigaa.com
whois
HK HK Kwaifong Group Limited 103.100.211.218 mailcious
bitbucket.org
whois
US ATLASSIAN PTY LTD 104.192.141.1 malware
camoverde.pw
whois
US CLOUDFLARENET 172.67.128.35 malware
vk.com
whois
RU VKontakte Ltd 87.240.129.133 mailcious
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
content.elite-hacks.ru
whois
US CLOUDFLARENET 104.21.56.191 malware
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
transfer.sh
whois
DE Hetzner Online GmbH 144.76.136.153 malware
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
154.221.26.108
whois
HK HK Kwaifong Group Limited 154.221.26.108 mailcious
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
176.123.9.85
whois
MD Alexhost Srl 176.123.9.85 mailcious
45.12.253.74
whois
DE CMCS 45.12.253.74 malware
172.67.75.163
whois
US CLOUDFLARENET 172.67.75.163 clean
95.179.141.133
whois
NL AS-CHOOPA 95.179.141.133 clean
77.91.124.40
whois
RU Foton Telecom CJSC 77.91.124.40 malware
194.26.135.162
whois
Unknown 194.26.135.162 mailcious
85.208.136.10
whois
DE CMCS 85.208.136.10 mailcious
157.254.164.98
whois
Unknown 157.254.164.98 mailcious
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
87.240.137.164
whois
RU VKontakte Ltd 87.240.137.164 mailcious
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
172.67.128.35
whois
US CLOUDFLARENET 172.67.128.35 clean
104.21.56.191
whois
US CLOUDFLARENET 104.21.56.191 malware
87.240.137.134
whois
RU VKontakte Ltd 87.240.137.134 clean
45.66.230.164
whois
DE CMCS 45.66.230.164 malware
104.192.141.1
whois
US ATLASSIAN PTY LTD 104.192.141.1 mailcious
104.17.214.67
whois
US CLOUDFLARENET 104.17.214.67 clean
156.236.72.121
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
147.135.165.22
whois
FR OVH SAS 147.135.165.22 mailcious
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 clean
163.123.143.4
whois
Unknown 163.123.143.4 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
77.91.68.48
whois
RU Foton Telecom CJSC 77.91.68.48 mailcious
121.254.136.27
whois
KR LG DACOM Corporation 121.254.136.27 clean
77.91.124.31
whois
RU Foton Telecom CJSC 77.91.124.31 mailcious
77.91.68.3
whois
RU Foton Telecom CJSC 77.91.68.3 malware
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 clean
103.100.211.218
whois
HK HK Kwaifong Group Limited 103.100.211.218 malware

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DNS Query to a *.pw domain - Likely Hostile
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO EXE - Served Attached HTTP
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Observed DNS Query to RisePro Domain (elite-hacks .ru)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET DROP Spamhaus DROP Listed Traffic Inbound group 27

Similarity measure (PE file only) - Checking for service failure