Report - 2.exe

Gen1, UPX, Malicious Library, Antivirus, Malicious Packer, OS Processor Check, PE File, PE32, DLL
Created 2023.07.30 09:08 Machine s1_win7_x6403
Filename 2.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 1
Behavior Score 8.2
ZERO API file: malware
VT API (file) 39 detected (AIDetectMalware, GenericKD, Save, ABRisk, FMAG, Attribute, HighConfidence, malicious, high confidence, score, Stealerc, PWSX, STEALC, YXDG2Z, Infected, Static AI, Malicious PE, ai score=81, Sabsik, Vidar, Detected, Artemis, unsafe, Chgt, Generic@AI, RDML, AELJH4wlJUs4KQeE3+HAeA, PossibleThreat, confidence, 100%)
md5 d6067ce0e193dd31df5e3bff2b4b79a0
sha256 69c49e5fef45e896b891141473eda45f8b83e29cf51fe0115c0b9806183528e7
ssdeep 3072:OhnnpVp5eQvI9YzvuBfSePa5f0zMYFZMQdnCmMG4xTlhr:OhnnpVneQiYzcfSey5cgwSQlCmM3
imphash c89bd32d7beced586fcbabe7e651db83
impfuzzy 24:Y+DqmOPC/gHRnlyv95/J3JKjT4RfL13z1:YD6/EK97ocRf5j1

Signature (19cnts)

Level Description
danger File has been identified by 39 AntiVirus engines on VirusTotal as malicious
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process 2.exe
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Queries for the computername
info This executable has a PDB path
info Tries to locate where the browsers are installed

Rules (14cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Antivirus Contains references to security software binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (9cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.254.37.234/61c7c6a1a965cae9/mozglue.dll DE Neterra Ltd. 185.254.37.234 clean
http://185.254.37.234/61c7c6a1a965cae9/freebl3.dll DE Neterra Ltd. 185.254.37.234 clean
http://185.254.37.234/61c7c6a1a965cae9/sqlite3.dll DE Neterra Ltd. 185.254.37.234 clean
http://185.254.37.234/61c7c6a1a965cae9/vcruntime140.dll DE Neterra Ltd. 185.254.37.234 clean
http://185.254.37.234/61c7c6a1a965cae9/softokn3.dll DE Neterra Ltd. 185.254.37.234 clean
http://185.254.37.234/a68326a8bd26a679.php DE Neterra Ltd. 185.254.37.234 clean
http://185.254.37.234/61c7c6a1a965cae9/msvcp140.dll DE Neterra Ltd. 185.254.37.234 clean
http://185.254.37.234/61c7c6a1a965cae9/nss3.dll DE Neterra Ltd. 185.254.37.234 clean
185.254.37.234 DE Neterra Ltd. 185.254.37.234 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x42d000 ExitProcess
 0x42d004 GetProcAddress
 0x42d008 VirtualAlloc
 0x42d00c LoadLibraryA
 0x42d010 VirtualProtect
 0x42d014 HeapAlloc
 0x42d018 GetCommandLineW
 0x42d01c HeapSetInformation
 0x42d020 GetStartupInfoW
 0x42d024 GetModuleHandleW
 0x42d028 DecodePointer
 0x42d02c WriteFile
 0x42d030 GetStdHandle
 0x42d034 GetModuleFileNameW
 0x42d038 HeapCreate
 0x42d03c EncodePointer
 0x42d040 RaiseException
 0x42d044 SetUnhandledExceptionFilter
 0x42d048 FreeEnvironmentStringsW
 0x42d04c GetEnvironmentStringsW
 0x42d050 SetHandleCount
 0x42d054 InitializeCriticalSectionAndSpinCount
 0x42d058 GetFileType
 0x42d05c DeleteCriticalSection
 0x42d060 TlsAlloc
 0x42d064 TlsGetValue
 0x42d068 TlsSetValue
 0x42d06c TlsFree
 0x42d070 InterlockedIncrement
 0x42d074 SetLastError
 0x42d078 GetCurrentThreadId
 0x42d07c GetLastError
 0x42d080 InterlockedDecrement
 0x42d084 QueryPerformanceCounter
 0x42d088 GetTickCount
 0x42d08c GetCurrentProcessId
 0x42d090 GetSystemTimeAsFileTime
 0x42d094 LeaveCriticalSection
 0x42d098 EnterCriticalSection
 0x42d09c LoadLibraryW
 0x42d0a0 UnhandledExceptionFilter
 0x42d0a4 IsDebuggerPresent
 0x42d0a8 TerminateProcess
 0x42d0ac GetCurrentProcess
 0x42d0b0 HeapFree
 0x42d0b4 Sleep
 0x42d0b8 HeapSize
 0x42d0bc GetCPInfo
 0x42d0c0 GetACP
 0x42d0c4 GetOEMCP
 0x42d0c8 IsValidCodePage
 0x42d0cc RtlUnwind
 0x42d0d0 WideCharToMultiByte
 0x42d0d4 HeapReAlloc
 0x42d0d8 IsProcessorFeaturePresent
 0x42d0dc LCMapStringW
 0x42d0e0 MultiByteToWideChar
 0x42d0e4 GetStringTypeW

EAT (Export Address Table) is none
