popup

Report - a3e34cb.exe

Themida Packer UPX Malicious Library VMProtect PE File PE32 .NET EXE DLL PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.31 17:41 Machine s1_win7_x6401
Filename a3e34cb.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
16.4
ZERO API file : malware
VT API (file) 27 detected (AIDetectMalware, Artemis, unsafe, Gencbl, V3df, ZexaF, @R2@amG8Msli, Attribute, HighConfidence, malicious, high confidence, score, FileRepMalware, LUMMASTEALER, YXDG5Z, high, Sabsik, Amadey, XMRQ4N, R593962, CLOUD, confidence)
md5 57794b001e1e8c4917aaa864268fec36
sha256 5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862
ssdeep 196608:gbJEeOGZPuknu4TNAzGx2tXuqIg1YJwPj:gbaElhDSus1YJwPj
imphash 65048064a3a0509656c4f5fd51d420f8
impfuzzy 12:7RgRZg9UZGoQtXJxZGb9AJcDfA5kLfP9qZGMZGqAJcDW:7iZwCQtXJHc9NDI5QidNDW
  Network IP location

Signature (37cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
warning File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch A process attempted to delay the analysis task.
watch Attempts to identify installed AV products by installation directory
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the version of Bios
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects Virtual Machines through their custom firmware
watch Detects VMWare through the in instruction feature
watch Installs itself for autorun at Windows startup
watch Looks for the Windows Idle Time to determine the uptime
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process bstyoops.exe
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (14cnts)

Level Name Description Collection
warning themida_packer themida packer binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch VMProtect_Zero VMProtect packed file binaries (download)
watch VMProtect_Zero VMProtect packed file binaries (upload)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (11cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://cat.lobret.co.za/sf64r.dll
whois
ZA Gridhost 41.185.8.154 clean
http://lobret.co.za/BRA.exe
whois
ZA Gridhost 41.185.8.154 clean
http://45.9.74.166/b7djSDcPcZ/index.php
whois
Unknown 45.9.74.166
http://45.9.74.141/b7djSDcPcZ/index.php
whois
Unknown 45.9.74.141
lobret.co.za
whois
ZA Gridhost 41.185.8.154
cat.lobret.co.za
whois
ZA Gridhost 41.185.8.154
95.143.190.57
whois
Unknown 95.143.190.57
41.185.8.154
whois
ZA Gridhost 41.185.8.154
5.42.65.67
whois
RU CJSC Kolomna-Sviaz TV 5.42.65.67
45.9.74.141
whois
Unknown 45.9.74.141
45.9.74.166
whois
Unknown 45.9.74.166

Suricata ids

ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Arechclient2 Backdoor CnC Init

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x94c000 GetVersionExW
ADVAPI32.dll
 0x94c008 RegCloseKey
SHELL32.dll
 0x94c010 SHGetFolderPathA
WININET.dll
 0x94c018 HttpOpenRequestA
KERNEL32.dll
 0x94c020 LocalAlloc
 0x94c024 LocalFree
 0x94c028 GetModuleFileNameW
 0x94c02c GetProcessAffinityMask
 0x94c030 SetProcessAffinityMask
 0x94c034 SetThreadAffinityMask
 0x94c038 Sleep
 0x94c03c ExitProcess
 0x94c040 FreeLibrary
 0x94c044 LoadLibraryA
 0x94c048 GetModuleHandleA
 0x94c04c GetProcAddress
USER32.dll
 0x94c054 GetProcessWindowStation
 0x94c058 GetUserObjectInformationW
KERNEL32.dll
 0x94c060 LocalAlloc
 0x94c064 LocalFree
 0x94c068 GetModuleFileNameW
 0x94c06c ExitProcess
 0x94c070 LoadLibraryA
 0x94c074 GetModuleHandleA
 0x94c078 GetProcAddress

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure