popup

Report - File_pass1234.7z

Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.26 14:52 Machine s1_win7_x6402
Filename File_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
6.6
ZERO API
VT API (file)
md5 dd48d433b225a68e26ca5b6446f0e5f9
sha256 d4627bbc66102d5e9c18b434de81a139c275ab4810e337e6a1f9f7cdf54a24ea
ssdeep 98304:qMYYHZAjSqzkr6cFiKtSlqoQPNmNQ410Oo9jv:3ZAPcFinVNYj7
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (102cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660
http://aa.imgjeoogbb.com/check/safe
whois
HK HK Kwaifong Group Limited 154.221.26.108 34652
http://87.120.88.198/g.exe
whois
BG NET1 Ltd. 87.120.88.198 35229
http://85.208.136.10/api/tracemap.php
whois
DE CMCS 85.208.136.10 32662
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783
http://77.91.124.31/anon/an.exe
whois
RU Foton Telecom CJSC 77.91.124.31 35218
http://77.91.124.47/info/photo220.exe
whois
RU Foton Telecom CJSC 77.91.124.47 35384
http://aa.imgjeoogbb.com/check/?sid=470378&key=a6fb0512a805190d888c34454cccd8b3
whois
HK HK Kwaifong Group Limited 154.221.26.108 34651
http://77.91.124.31/new/foto135.exe
whois
RU Foton Telecom CJSC 77.91.124.31 35216
http://195.201.45.115/6edd27566a7696bd52cf86ffe3fbf739
whois
DE Hetzner Online GmbH 195.201.45.115
http://195.201.45.115/085b5e6cac62c7d3e546c8fe976524a2
whois
DE Hetzner Online GmbH 195.201.45.115
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.214.67
http://95.214.25.207:3002/file.exe
whois
DE CMCS 95.214.25.207
http://85.208.136.10/api/firegate.php
whois
DE CMCS 85.208.136.10 32663
http://94.142.138.131/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.131 28311
http://us.imgjeoigaa.com/sts/imagc.jpg
whois
HK HK Kwaifong Group Limited 103.100.211.218 33482
http://zzz.fhauiehgha.com/m/okka25.exe
whois
US HK Kwaifong Group Limited 156.236.72.121 34705
http://77.91.124.31/new/fotod25.exe
whois
RU Foton Telecom CJSC 77.91.124.31 35217
http://77.91.68.61/rock/index.php
whois
RU Foton Telecom CJSC 77.91.68.61
http://195.201.45.115/pack.zip
whois
DE Hetzner Online GmbH 195.201.45.115 35411
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.17
http://195.201.45.115/
whois
DE Hetzner Online GmbH 195.201.45.115 35410
https://hooligapps.site/setup294.exe
whois
US CLOUDFLARENET 104.21.6.229 35386
https://sun6-22.userapi.com/c235131/u801981293/docs/d11/9e2217128eec/siddharthabuddh4_4.bmp?extra=5OcEE1Zjlyn6XGoGBjQ0LBroHhLq6wrCqEbjh6HmaumIinBIncRoHZUxQElN5gsHntrY17rjogp5c1PrQkipGfYvAyLX6BjIwuv-p1BSNm3F0Uj8w5HavJVlyotDFktAAv2iAdTnTdjj3-Zjhw
whois
RU VKontakte Ltd 95.142.206.2
https://vk.com/doc801981293_666823296?hash=IkJXfnuRw7ihxGiXRSyiY2Z66FKnxYargchJZwaWxKw&dl=zHJ4ClZYwxBgGwgirt2pehVBbUfVD7lazG0pZS1wCZ8&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164
https://vk.com/doc801981293_666972760?hash=gfReCWEH49Z6MClofQOdIxXFhpXXeU6d8rpjwmdewz4&dl=bs1IaRz40N3Rp1aZOq5ZzrZkdXiBefdMoio0ZRHy8X0&api=1&no_preview=1#vdr
whois
RU VKontakte Ltd 87.240.137.164
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.137.164
https://sun6-22.userapi.com/c909218/u801981293/docs/d17/9c68faead5a5/PMmp.bmp?extra=UGNLoFDpKKVsUxNc5Hw3mDScjSPNHUjBrdr2lvhcJMPRnoxs4tl6L_QhDLEEluinE9PF1yIpvvK30fHjFpRXai-2aJdXxr52tHyf1QHXev5lDqAeiUWPDwmjVdq8wfVw31EOL_cqzzs-IFxmQw
whois
RU VKontakte Ltd 95.142.206.2
https://vk.com/doc801981293_666986760?hash=EypQ6vpS4yPTswMnb00CPFmQwfBfZDMhAjgFZFCigPT&dl=SKEDcaMZbN1h0P6yDU29Z3X8TntLoXxXj4TKBWAkIJD&api=1&no_preview=1#scjeen
whois
RU VKontakte Ltd 87.240.137.164
https://sun6-21.userapi.com/c237031/u801981293/docs/d45/32252d9b5eef/WWW1.bmp?extra=rXCW6muvJbVacDtMEzr5kBE_VxyhFcf8iXsc4OhJZYw1fgfQ26tKklrQOLwv7hP7JVIAKYvPDh6t5yBky_c0CjDHxso6RCQMl1vnqddvK_LGddlQAXHJbcnrnF-RFOmGswiH1GaeEnoQw0i02A
whois
RU VKontakte Ltd 95.142.206.1
https://sun6-23.userapi.com/c909228/u801981293/docs/d21/6b6982cc9a3c/vdr.bmp?extra=bHMlqwisVxmil6qKbRXVdbLCtE6eW2Lb9fMf5hG2zBTwGhUYhaGsyiakLYMEfRWFQGdcDzeSWOb1THMhVuczyuz2oziEJ8syytvGYOQbWfS-soij5azb0p5kZAOAJ7_YwLI_R6ipPjabcHHlHQ
whois
RU VKontakte Ltd 95.142.206.3
https://sun6-21.userapi.com/c240331/u801981293/docs/d27/d32d502e82e6/vdr_new.bmp?extra=a5EUFb3Gu8qFNOIrrNr6N9sSAoUpVjQBb1wGOubvrA3PVSgXwPcJdg7yMjBh6DwOBk6_bHkVl9IzU01dZMpbjDKbBQWbRaDp1LsydI7GUSo8dW7EVv1_lR2JzJdzK2AmkyJiXnQh7ciezADwnA
whois
RU VKontakte Ltd 95.142.206.1
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.4.15
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.5.15
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164
https://sun6-21.userapi.com/c909228/u801981293/docs/d17/40dc64278851/Lylawork_0721.bmp?extra=AJT6kLcPrgHuC3UUkbEzOZYApZ-0CPCfcwrOy8Lj2M72D9bqLHo5-er1hnOWbBNIpcfODIupk7b6jbUdT4IKLPTvsJrde9woBpYM9uPS7B9Yfuod6NTqNyWYmbhyK7pLfpL4RYpElM_nhgeTag
whois
RU VKontakte Ltd 95.142.206.1
https://vk.com/doc801981293_666878057?hash=1cohXPp9aLK2Xz7H2hezj89drs50PYuLRBoirKPj3B8&dl=vMZbPrQFZIXfQgzBVvuUmx7NUXxKHs9ZVFMOgU7roi0&api=1&no_preview=1#WW1
whois
RU VKontakte Ltd 87.240.137.164
https://vk.com/doc801981293_666823290?hash=C40VUqDqCeh9PmntwYoL5pVZTrUVqPDt6gbkO0YPVBz&dl=5eyzOvvEImXidOsKxS45wfidN1CDlCKKPGBOYBev5Ag&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.137.164
https://steamcommunity.com/profiles/76561199529242058
whois
US AKAMAI-AS 104.88.222.199 35413
https://vk.com/doc801981293_666940494?hash=uSavslZirzWbQ0kzonC9SnoJn3rtqSRcOdEQ260gUB0&dl=R2BfVhkZKvL1zLlYCmFHftW0Q2PwIoh6NzkRg3wkNkc&api=1&no_preview=1#lyla
whois
RU VKontakte Ltd 87.240.137.164
watson.microsoft.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 104.208.16.93
db-ip.com
whois
US CLOUDFLARENET 104.26.5.15
zzz.fhauiehgha.com
whois
US HK Kwaifong Group Limited 156.236.72.121
t.me
whois
GB Telegram Messenger Inc 149.154.167.99
ipinfo.io
whois
US GOOGLE 34.117.59.81
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3
hooligapps.site
whois
US CLOUDFLARENET 104.21.6.229
steamcommunity.com
whois
US Operbes, S.A. de C.V. 23.206.58.148
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83
aa.imgjeoogbb.com
whois
HK HK Kwaifong Group Limited 154.221.26.108
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1
us.imgjeoigaa.com
whois
HK HK Kwaifong Group Limited 103.100.211.218
transfer.sh
whois
DE Hetzner Online GmbH 144.76.136.153
files.catbox.moe
whois
CA ASN852 108.181.20.35
api.myip.com
whois
US CLOUDFLARENET 104.26.9.59
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2
www.maxmind.com
whois
US CLOUDFLARENET 104.17.215.67
vk.com
whois
RU VKontakte Ltd 87.240.129.133
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93
87.120.88.198
whois
BG NET1 Ltd. 87.120.88.198
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93
51.89.201.49
whois
FR OVH SAS 51.89.201.49
154.221.26.108
whois
HK HK Kwaifong Group Limited 154.221.26.108
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147
195.201.45.115
whois
DE Hetzner Online GmbH 195.201.45.115
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15
95.214.25.207
whois
DE CMCS 95.214.25.207
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166
104.88.222.199
whois
US AKAMAI-AS 104.88.222.199
77.91.124.47
whois
RU Foton Telecom CJSC 77.91.124.47
194.26.135.162
whois
Unknown 194.26.135.162
85.208.136.10
whois
DE CMCS 85.208.136.10
157.254.164.98
whois
Unknown 157.254.164.98
34.117.59.81
whois
US GOOGLE 34.117.59.81
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83
108.181.20.35
whois
CA ASN852 108.181.20.35
77.91.124.84
whois
RU Foton Telecom CJSC 77.91.124.84
45.12.253.74
whois
DE CMCS 45.12.253.74
94.142.138.131
whois
RU Ihor Hosting LLC 94.142.138.131
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113
104.208.16.93
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 104.208.16.93
104.17.214.67
whois
US CLOUDFLARENET 104.17.214.67
104.26.9.59
whois
US CLOUDFLARENET 104.26.9.59
77.91.68.61
whois
RU Foton Telecom CJSC 77.91.68.61
156.236.72.121
whois
US HK Kwaifong Group Limited 156.236.72.121
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229
104.21.6.229
whois
US CLOUDFLARENET 104.21.6.229
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15
87.240.137.164
whois
RU VKontakte Ltd 87.240.137.164
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3
163.123.143.4
whois
Unknown 163.123.143.4
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1
121.254.136.27
whois
KR LG DACOM Corporation 121.254.136.27
77.91.124.31
whois
RU Foton Telecom CJSC 77.91.124.31
168.119.252.116
whois
DE Hetzner Online GmbH 168.119.252.116
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2
103.100.211.218
whois
HK HK Kwaifong Group Limited 103.100.211.218
77.91.68.30
whois
RU Foton Telecom CJSC 77.91.68.30

Suricata ids

SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 8
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO EXE - Served Attached HTTP
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET INFO Dotted Quad Host ZIP Request
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)

Similarity measure (PE file only) - Checking for service failure