popup

Report - postmon.exe

Generic Malware UPX Malicious Library Malicious Packer Antivirus OS Processor Check PE File PE32 PowerShell
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.28 17:40 Machine s1_win7_x6403
Filename postmon.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
10
 Behavior Score
10.0
ZERO API file : malware
VT API (file) 57 detected (AIDetectMalware, Convagent, malicious, high confidence, DownLoader45, GenericKD, GenericRXAK, Coins, Save, confidence, 100%, TrojanPSW, ZexaF, EC0@aOVrhZmi, ABRisk, EDDT, Attribute, HighConfidence, score, SelfDel, CrypterX, Gencirc, HPDefender, jqeti, LGOOGLOADER, YXDFLZ, high, Static AI, Suspicious PE, Sabsik, Redline, Detected, R586385, BScope, ai score=100, unsafe, Chgt, Bq2aQZTefJR, tZbGYgdGgG8, susgen, PossibleThreat)
md5 8bdd901591eb90456ad781e3c79bb4ad
sha256 0862c633fcfd3a8e2e1a27e862845e98edc229ab892f3b6dde5184a3217f861f
ssdeep 6144:smeQ8DZA76JirPX2xy1AOC5N6EsVHCJxXyIHIvSw0rKZgs93ACdLYfRkZlWRm:srQii7gG3EsVxsIvHggRYJkom
imphash 59205d17118cd7f4c84a50e8810865e6
impfuzzy 48:+BKkUBHve4mc+ULtoS1xGoZZG53u/ZRdK+:+A5verc+ULtoS1xGojfZRdK+
  Network IP location

Signature (26cnts)

Level Description
danger File has been identified by 57 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Poweshell is sending data to a remote host
notice The binary likely contains encrypted or compressed data indicative of a packer
notice URL downloaded by powershell script
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info Powershell script has download & invoke calls
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info Uses Windows APIs to generate a cryptographic key

Rules (16cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PowerShell PowerShell script scripts
info PowershellDI Extract Download/Invoke calls from powershell script scripts

Network (13cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://elturky.net/ERP/public/js/cc4.exe
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 clean
http://38.180.1.27/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=HnTgSX1R
whois
US COGENT-174 38.180.1.27 34768 mailcious
http://elturky.net/ERP/public/js/cc5.exe
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 clean
http://elturky.net/ERP/public/js/cc3.php
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 clean
http://elturky.net/ERP/public/js/debug2.ps1
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 clean
http://elturky.net/ERP/public/js/cc3.exe
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 clean
http://elturky.net/ERP/public/js/dd_64.exe
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 clean
http://elturky.net/ERP/public/js/cc2.php
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 clean
http://elturky.net/ERP/public/js/cc1.php
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 clean
http://elturky.net/ERP/public/js/cc2.exe
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 clean
elturky.net
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 malware
68.178.227.97
whois
US AS-26496-GO-DADDY-COM-LLC 68.178.227.97 malware
38.180.1.27
whois
US COGENT-174 38.180.1.27 mailcious

Suricata ids

ET INFO PS1 Powershell File Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

PE API

IAT(Import Address Table) Library

WININET.dll
 0x42318c InternetReadFile
 0x423190 InternetCloseHandle
 0x423194 InternetCrackUrlW
 0x423198 InternetOpenW
 0x42319c InternetOpenUrlW
 0x4231a0 InternetQueryDataAvailable
SHLWAPI.dll
 0x423170 StrStrW
 0x423174 wnsprintfW
KERNEL32.dll
 0x42301c GetCommandLineW
 0x423020 GetCommandLineA
 0x423024 GetOEMCP
 0x423028 WriteFile
 0x42302c GetModuleFileNameW
 0x423030 GetEnvironmentVariableW
 0x423034 lstrlenA
 0x423038 CreateFileW
 0x42303c GetFileAttributesW
 0x423040 GetSystemWow64DirectoryW
 0x423044 GetLastError
 0x423048 LoadLibraryA
 0x42304c lstrcatW
 0x423050 lstrcpyA
 0x423054 GetEnvironmentStringsW
 0x423058 CloseHandle
 0x42305c ExitProcess
 0x423060 GetModuleHandleW
 0x423064 lstrcpyW
 0x423068 GetTempFileNameW
 0x42306c HeapFree
 0x423070 HeapReAlloc
 0x423074 HeapAlloc
 0x423078 GetProcessHeap
 0x42307c WideCharToMultiByte
 0x423080 GetACP
 0x423084 IsValidCodePage
 0x423088 FindNextFileW
 0x42308c FindFirstFileExW
 0x423090 FreeEnvironmentStringsW
 0x423094 SetStdHandle
 0x423098 HeapSize
 0x42309c TlsSetValue
 0x4230a0 EnterCriticalSection
 0x4230a4 LeaveCriticalSection
 0x4230a8 DeleteCriticalSection
 0x4230ac EncodePointer
 0x4230b0 DecodePointer
 0x4230b4 MultiByteToWideChar
 0x4230b8 SetLastError
 0x4230bc InitializeCriticalSectionAndSpinCount
 0x4230c0 CreateEventW
 0x4230c4 TlsAlloc
 0x4230c8 TlsGetValue
 0x4230cc WriteConsoleW
 0x4230d0 TlsFree
 0x4230d4 GetSystemTimeAsFileTime
 0x4230d8 GetProcAddress
 0x4230dc LCMapStringW
 0x4230e0 GetLocaleInfoW
 0x4230e4 GetStringTypeW
 0x4230e8 GetCPInfo
 0x4230ec SetEvent
 0x4230f0 ResetEvent
 0x4230f4 WaitForSingleObjectEx
 0x4230f8 UnhandledExceptionFilter
 0x4230fc SetUnhandledExceptionFilter
 0x423100 GetCurrentProcess
 0x423104 TerminateProcess
 0x423108 IsProcessorFeaturePresent
 0x42310c IsDebuggerPresent
 0x423110 GetStartupInfoW
 0x423114 QueryPerformanceCounter
 0x423118 GetCurrentProcessId
 0x42311c GetCurrentThreadId
 0x423120 InitializeSListHead
 0x423124 RaiseException
 0x423128 RtlUnwind
 0x42312c FreeLibrary
 0x423130 LoadLibraryExW
 0x423134 GetModuleHandleExW
 0x423138 GetStdHandle
 0x42313c ReadFile
 0x423140 GetConsoleMode
 0x423144 ReadConsoleW
 0x423148 IsValidLocale
 0x42314c GetUserDefaultLCID
 0x423150 EnumSystemLocalesW
 0x423154 GetFileType
 0x423158 FlushFileBuffers
 0x42315c GetConsoleOutputCP
 0x423160 GetFileSizeEx
 0x423164 SetFilePointerEx
 0x423168 FindClose
USER32.dll
 0x42317c wsprintfW
 0x423180 MessageBoxA
 0x423184 wsprintfA
ADVAPI32.dll
 0x423000 GetSidSubAuthorityCount
 0x423004 GetSidSubAuthority
 0x423008 RegSetValueExW
 0x42300c RegOpenKeyExW
 0x423010 RegCreateKeyW
 0x423014 RegCloseKey

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure