Report - build.exe

Tags: Gen1, Generic Malware, UPX, Malicious Library, Malicious Packer, Anti_VM, OS Processor Check, PE File, PE32, DLL
Created 2023.07.25 07:35 Machine s1_win7_x6403
Filename build.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 10.0
ZERO API file : malware
VT API (file) 26 detected (AIDetectMalware, Malicious, score, Save, Eldorado, Attribute, HighConfidence, high confidence, CoinMiner, Generic ML PUA, Sabsik, Detected, Artemis, BScope, TrojanPSW, unsafe, Genetic, Generic@AI, RDML, S9LEQLzzhPII99vMx2zUag, Static AI, Suspicious PE, susgen, ZexaF, WqW@a8ALK, confidence, 100%)
md5 108d02f1be013a326af3975ed37bb623
sha256 45ad5f55b0a34bc634015430dc080cdc2052636df0ab4cc6d0ab539c533c2c90
ssdeep 24576:IRu16WYdRNDl0Et8uEXE6dl5H92r5HAMNY:oVNDl0Et8uEXE6ds1HAM
imphash 7d594973434539b63f110ff65422442a
impfuzzy 24:KDoAm4a/7+Z4kNdZ+fcWblvMEOovIt1J3xnlyvcjMA8HOT4z4wxJTuEOq1EQn:5yZFdZ+fcUMbnt31KUcz/ZwQ

Signature (22cnts)

Level Description
warning File has been identified by 26 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Network activity contains more than one unique useragent
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Executes one or more WMI queries
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (15cnts)

Level | Name | Description | Collection
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download)
warning | Generic_Malware_Zero | Generic Malware | binaries (upload)
watch | Malicious_Library_Zero | Malicious_Library | binaries (download)
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload)
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download)
watch | UPX_Zero | UPX packed file | binaries (download)
watch | UPX_Zero | UPX packed file | binaries (upload)
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload)
info | IsDLL | (no description) | binaries (download)
info | IsPE32 | (no description) | binaries (download)
info | IsPE32 | (no description) | binaries (upload)
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download)
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload)
info | PE_Header_Zero | PE File Signature | binaries (download)
info | PE_Header_Zero | PE File Signature | binaries (upload)

Network (9cnts)

Request | CC | ASN Co | IP4 | Rule | ZERO
http://195.201.45.115/pack.zip | DE | Hetzner Online GmbH | 195.201.45.115 | | clean
http://195.201.45.115/92a88df03396851ac71df913c3f7e8b5 | DE | Hetzner Online GmbH | 195.201.45.115 | | clean
http://195.201.45.115/ | DE | Hetzner Online GmbH | 195.201.45.115 | | clean
https://steamcommunity.com/profiles/76561199529242058 | US | Akamai International B.V. | 104.76.78.101 | | clean
t.me | GB | Telegram Messenger Inc | 149.154.167.99 | | malicious
steamcommunity.com | US | Akamai International B.V. | 104.76.78.101 | | malicious
149.154.167.99 | GB | Telegram Messenger Inc | 149.154.167.99 | | malicious
195.201.45.115 | DE | Hetzner Online GmbH | 195.201.45.115 | | clean
104.76.78.101 | US | Akamai International B.V. | 104.76.78.101 | | malicious
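The network table above shows the sample fetching pack.zip and a hex-named path from a bare Hetzner IP (no hostname, hence the "no DNS query" signature), a POST to the same IP, and a Steam community profile page alongside t.me; public profile pages on services like these are commonly used as dead-drop resolvers for C2 addresses, so the "clean" reputation on the 195.201.45.115 rows should not be read as a verdict on the download. The following Python is an added example, not part of the report or the sandbox's own signature code: it runs the three network signatures (no preceding DNS query, more than one User-Agent per client, POST to a bare-IP host) over a constructed tab-separated log modelled on the table. The log format, the client address 10.0.0.5 and the User-Agent strings are assumptions.

```python
"""Detection logic for three network signatures from the report:
'Communicates with host for which no DNS query was performed',
'Network activity contains more than one unique useragent', and
'Sends data using the HTTP POST Method' when the target is a bare IP."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (not captured traffic), modelled on the report's
# network table. Columns: ts, src, dst, kind (dns|http), detail.
SAMPLE_LOG = """\
1690270500.1\t10.0.0.5\t10.0.0.1\tdns\tquery=steamcommunity.com
1690270500.2\t10.0.0.5\t10.0.0.1\tdns\tquery=t.me
1690270501.0\t10.0.0.5\t195.201.45.115\thttp\tGET http://195.201.45.115/pack.zip ua=Mozilla/5.0
1690270501.5\t10.0.0.5\t195.201.45.115\thttp\tGET http://195.201.45.115/92a88df03396851ac71df913c3f7e8b5 ua=Mozilla/5.0
1690270502.0\t10.0.0.5\t104.76.78.101\thttp\tGET https://steamcommunity.com/profiles/76561199529242058 ua=Mozilla/5.0
1690270503.0\t10.0.0.5\t195.201.45.115\thttp\tPOST http://195.201.45.115/ ua=curl/7.88
"""


def parse_events(text):
    """Turn the tab-separated log into dicts; the detail column keeps its spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, kind, detail = line.split("\t", 4)
        events.append({"ts": float(ts), "src": src, "dst": dst,
                       "kind": kind, "detail": detail})
    return events


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(events):
    """Return (rule, client, detail) findings, replaying events in time order so a
    DNS query only 'explains' HTTP requests that come after it."""
    findings = []
    resolved = defaultdict(set)   # client -> hostnames it has queried so far
    agents = defaultdict(set)     # client -> distinct User-Agent strings seen
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "dns":
            resolved[ev["src"]].add(ev["detail"].split("=", 1)[1].lower())
            continue
        if ev["kind"] != "http":
            continue
        request, _, ua = ev["detail"].partition(" ua=")
        method, url = request.split(" ", 1)
        host = (urlsplit(url).hostname or "").lower()
        agents[ev["src"]].add(ua)
        # A bare-IP host never needs DNS, which is exactly what the signature catches;
        # a hostname the client never looked up is the same tell in a different form.
        if is_ip_literal(host) or host not in resolved[ev["src"]]:
            findings.append(("no_dns", ev["src"], f"{method} {url}"))
        if method == "POST" and is_ip_literal(host):
            findings.append(("post_to_ip", ev["src"], url))
    for client, uas in agents.items():
        if len(uas) > 1:
            findings.append(("multi_ua", client, ", ".join(sorted(uas))))
    return findings


if __name__ == "__main__":
    for rule, client, detail in analyse(parse_events(SAMPLE_LOG)):
        print(f"{rule:11} {client:12} {detail}")
```

Run stand-alone it prints three no_dns hits (every request to 195.201.45.115), one post_to_ip hit and one multi_ua hit for the client; the Steam request is not flagged because the constructed log contains a prior DNS query for steamcommunity.com. On real telemetry, pair this with the proxy's DNS log for the same client rather than assuming a single sensor saw both.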

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x449000 Sleep
 0x449004 GetSystemInfo
 0x449008 LocalAlloc
 0x44900c lstrcatA
 0x449010 GetProcAddress
 0x449014 LoadLibraryA
 0x449018 VirtualProtect
 0x44901c GetCurrentProcess
 0x449020 GetLogicalProcessorInformationEx
 0x449024 FindNextFileW
 0x449028 FindFirstFileW
 0x44902c CloseHandle
 0x449030 Process32Next
 0x449034 Process32First
 0x449038 CreateToolhelp32Snapshot
 0x44903c GetProcessHeap
 0x449040 TerminateProcess
 0x449044 ExitProcess
 0x449048 SetEndOfFile
 0x44904c CreateFileW
 0x449050 CreateFileA
 0x449054 SetStdHandle
 0x449058 WriteConsoleW
 0x44905c LoadLibraryW
 0x449060 GetStringTypeW
 0x449064 IsValidLocale
 0x449068 EnumSystemLocalesA
 0x44906c GetLocaleInfoA
 0x449070 GetUserDefaultLCID
 0x449074 InterlockedIncrement
 0x449078 InterlockedDecrement
 0x44907c WideCharToMultiByte
 0x449080 InterlockedExchange
 0x449084 InitializeCriticalSection
 0x449088 DeleteCriticalSection
 0x44908c EnterCriticalSection
 0x449090 LeaveCriticalSection
 0x449094 EncodePointer
 0x449098 DecodePointer
 0x44909c MultiByteToWideChar
 0x4490a0 GetLastError
 0x4490a4 HeapFree
 0x4490a8 HeapAlloc
 0x4490ac RtlUnwind
 0x4490b0 RaiseException
 0x4490b4 HeapReAlloc
 0x4490b8 GetSystemTimeAsFileTime
 0x4490bc GetCommandLineA
 0x4490c0 HeapSetInformation
 0x4490c4 GetStartupInfoW
 0x4490c8 LCMapStringW
 0x4490cc GetCPInfo
 0x4490d0 IsProcessorFeaturePresent
 0x4490d4 UnhandledExceptionFilter
 0x4490d8 SetUnhandledExceptionFilter
 0x4490dc IsDebuggerPresent
 0x4490e0 HeapCreate
 0x4490e4 GetModuleHandleW
 0x4490e8 WriteFile
 0x4490ec GetStdHandle
 0x4490f0 GetModuleFileNameW
 0x4490f4 TlsAlloc
 0x4490f8 TlsGetValue
 0x4490fc TlsSetValue
 0x449100 TlsFree
 0x449104 SetLastError
 0x449108 GetCurrentThreadId
 0x44910c GetACP
 0x449110 GetOEMCP
 0x449114 IsValidCodePage
 0x449118 HeapSize
 0x44911c SetHandleCount
 0x449120 InitializeCriticalSectionAndSpinCount
 0x449124 GetFileType
 0x449128 GetConsoleCP
 0x44912c GetConsoleMode
 0x449130 ReadFile
 0x449134 SetFilePointer
 0x449138 FlushFileBuffers
 0x44913c GetModuleFileNameA
 0x449140 FreeEnvironmentStringsW
 0x449144 GetEnvironmentStringsW
 0x449148 QueryPerformanceCounter
 0x44914c GetTickCount
 0x449150 GetCurrentProcessId
 0x449154 GetLocaleInfoW
ole32.dll
 0x449170 CoCreateInstance
 0x449174 CoInitializeSecurity
 0x449178 CoInitializeEx
 0x44917c CoSetProxyBlanket
OLEAUT32.dll
 0x44915c VariantInit
 0x449160 SysAllocString
 0x449164 SysFreeString
 0x449168 VariantClear
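Most of the KERNEL32 entries above (EncodePointer/DecodePointer, HeapSetInformation, IsDebuggerPresent, UnhandledExceptionFilter, the Tls*, locale and console functions) are what the MSVC C runtime start-up pulls in on its own, so on their own they are not evidence of anti-debugging. The imports that line up with the behaviour signatures are the Toolhelp32 triad (process enumeration, "Searches running processes"), GetSystemInfo plus GetLogicalProcessorInformationEx ("Checks the CPU name" / "OS Processor Check"), the ole32 COM initialisation sequence with CoSetProxyBlanket and the OLEAUT32 BSTR/VARIANT helpers (the standard WMI client pattern behind "Executes one or more WMI queries"), and LoadLibraryA/GetProcAddress/VirtualProtect (runtime API resolution, consistent with the packer rules). The Python below is an added example, not part of the report or the sandbox: it parses an excerpt of the IAT listing in the report's own layout and maps it onto those capability clusters, reporting which cluster members are missing so a partial hit is visible. The cluster definitions and the CRT-noise list are the example's own assumptions; if the sample really is packed, as the UPX and Malicious Packer rules suggest, the static IAT may not describe the unpacked payload at all.

```python
"""Map an IAT listing ('LIB.dll' header lines, then ' 0xADDR Name' lines) onto
behaviour clusters. Every member of a cluster must be present for a full match;
partial matches are reported with the missing members."""
import re

# Excerpt of the IAT from the report above, same text layout (constructed subset;
# the omitted KERNEL32 entries are largely MSVC CRT start-up imports).
IAT_EXCERPT = """\
KERNEL32.dll
 0x449000 Sleep
 0x449004 GetSystemInfo
 0x449010 GetProcAddress
 0x449014 LoadLibraryA
 0x449018 VirtualProtect
 0x449020 GetLogicalProcessorInformationEx
 0x449024 FindNextFileW
 0x449028 FindFirstFileW
 0x449030 Process32Next
 0x449034 Process32First
 0x449038 CreateToolhelp32Snapshot
 0x449040 TerminateProcess
 0x4490dc IsDebuggerPresent
 0x44914c GetTickCount
ole32.dll
 0x449170 CoCreateInstance
 0x449174 CoInitializeSecurity
 0x449178 CoInitializeEx
 0x44917c CoSetProxyBlanket
OLEAUT32.dll
 0x44915c VariantInit
 0x449160 SysAllocString
 0x449164 SysFreeString
 0x449168 VariantClear
"""

# Assumed cluster definitions (this example's own, not the sandbox's rules).
CAPABILITIES = {
    "process enumeration (Toolhelp32 snapshot walk)": {
        ("kernel32.dll", "CreateToolhelp32Snapshot"),
        ("kernel32.dll", "Process32First"), ("kernel32.dll", "Process32Next")},
    "WMI client initialisation via COM": {
        ("ole32.dll", "CoInitializeEx"), ("ole32.dll", "CoInitializeSecurity"),
        ("ole32.dll", "CoCreateInstance"), ("ole32.dll", "CoSetProxyBlanket")},
    "BSTR/VARIANT handling (consuming WMI query results)": {
        ("oleaut32.dll", "SysAllocString"), ("oleaut32.dll", "VariantInit"),
        ("oleaut32.dll", "VariantClear")},
    "CPU/topology fingerprinting": {
        ("kernel32.dll", "GetSystemInfo"),
        ("kernel32.dll", "GetLogicalProcessorInformationEx")},
    "runtime API resolution plus page-protection change": {
        ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "GetProcAddress"),
        ("kernel32.dll", "VirtualProtect")},
    "directory walk": {
        ("kernel32.dll", "FindFirstFileW"), ("kernel32.dll", "FindNextFileW")},
}

# Imports the MSVC CRT start-up code brings in by itself (assumed list); they
# should not be scored as anti-debug or timing checks without code-level evidence.
CRT_NOISE = {"IsDebuggerPresent", "TerminateProcess", "UnhandledExceptionFilter",
             "SetUnhandledExceptionFilter", "GetTickCount", "QueryPerformanceCounter",
             "GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
             "IsProcessorFeaturePresent", "EncodePointer", "DecodePointer",
             "HeapSetInformation"}


def parse_iat(text):
    """Return {library (lower-case): {function, ...}} from the report's layout."""
    imports, lib = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"\s+0x[0-9a-fA-F]+\s+(\S+)\s*$", line)
        if m and lib is not None:
            imports[lib].add(m.group(1))
        else:                       # any other non-empty line is a library header
            lib = line.strip().lower()
            imports.setdefault(lib, set())
    return imports


def match_capabilities(imports):
    """Return {capability: set of missing (lib, func)}; empty set means full match."""
    present = {(lib, fn) for lib, fns in imports.items() for fn in fns}
    return {name: needed - present for name, needed in CAPABILITIES.items()}


def crt_noise(imports):
    """Imported names that the CRT alone would explain."""
    return sorted(fn for fns in imports.values() for fn in fns if fn in CRT_NOISE)


if __name__ == "__main__":
    imps = parse_iat(IAT_EXCERPT)
    for cap, missing in match_capabilities(imps).items():
        status = "FULL   " if not missing else "PARTIAL"
        extra = f"  missing: {sorted(missing)}" if missing else ""
        print(f"{status} {cap}{extra}")
    print("CRT-attributable, ignore on their own:", crt_noise(imps))
```

Requiring the whole cluster is what keeps a lone Process32First or a CRT-supplied IsDebuggerPresent from raising a behaviour flag; the partial-match output is there so an analyst can decide whether a missing member is resolved at runtime via GetProcAddress instead.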

EAT(Export Address Table) is none
