popup

Report - File_pass1234.7z

Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.08.01 08:43 Machine s1_win7_x6402
Filename File_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
7.0
ZERO API file : clean
VT API (file)
md5 becbf77d1e0b6a61d8203096792e76a4
sha256 643535723ce1ed83444117a87b0d6a846817fea857f3e1d3fc94c4525ceeec06
ssdeep 196608:2mPagHgxB/KjuZOGVefANQ8kNvb6oYBQ74oN0l4:BPagAxB/1ZZVeY5kb6oYi0l4
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (108cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://208.67.104.60/api/firegate.php
whois
Unknown 208.67.104.60 34253 mailcious
http://95.214.25.207:3002/file.exe
whois
DE CMCS 95.214.25.207 35494 malware
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660 malware
http://zzz.fhauiehgha.com/m/okka25.exe
whois
US HK Kwaifong Group Limited 156.236.72.121 34705 mailcious
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://176.113.115.84:8080/4.php
whois
RU OOO Network of data-centers Selectel 176.113.115.84 34795 mailcious
http://aa.imgjeoogbb.com/check/?sid=181850&key=8240077a9356286e413223063c28ca19
whois
HK HK Kwaifong Group Limited 154.221.26.108 34651 mailcious
http://78.47.122.222/acea55252b775eee1be2febeda0c0d49
whois
DE Hetzner Online GmbH 78.47.122.222 35555 mailcious
http://78.47.122.222/pack.zip
whois
DE Hetzner Online GmbH 78.47.122.222 35556 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.17 clean
http://77.91.68.61/rock/index.php
whois
RU Foton Telecom CJSC 77.91.68.61 35495 mailcious
http://www.google.com/
whois
US GOOGLE 142.250.76.132 clean
http://208.67.104.60/api/tracemap.php
whois
Unknown 208.67.104.60 28876 mailcious
http://us.imgjeoigaa.com/sts/imagc.jpg
whois
HK HK Kwaifong Group Limited 103.100.211.218 33482 mailcious
http://aa.imgjeoogbb.com/check/safe
whois
HK HK Kwaifong Group Limited 154.221.26.108 34652 mailcious
http://77.91.124.231/info/photo443.exe
whois
RU Foton Telecom CJSC 77.91.124.231 malware
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.215.67 clean
https://hooligapps.site/setup294.exe
whois
US CLOUDFLARENET 104.21.6.229 35386 mailcious
https://steamcommunity.com/profiles/76561199529242058
whois
US AKAMAI-AS 23.34.107.26 35413 mailcious
https://vk.com/doc801981293_667028020?hash=zNXj4WrlTyEKRUBB0vxsLD8HwE7hYL7JgYi8vgPFINH&dl=UHDS7B9XXtrml8Ov9nEnY8cZe5Q3T6Z0UJqbZWjTksT&api=1&no_preview=1#scjeen
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc801981293_667066083?hash=m6Sjui2f4HpWtz9GQYumUhPuRTfIRk3Z6g4OA7TOD4L&dl=QdPsOGLXyKwtXjXJewQAbmRgAgTggz12uJxZZc3F10c&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc801981293_667237000?hash=wJ5uCBdRHZzUjQjWqgBH48skmucYHiYj2GRiSACkdpw&dl=0FKa00zk0GBCzSFOZ7oP1FKOpaxYtVDdsq7vQUc0Gm4&api=1&no_preview=1#s
whois
RU VKontakte Ltd 87.240.132.72 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.4.15 clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 172.67.75.166 clean
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.4.15 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc801981293_667139817?hash=fnY3s9xTCH8TvBuyjrszXkHvJq23CHHvk5PULwK4ZqD&dl=CAUx7IkjdyeFKrDihPvqPbyjkgiOxZZb3jve3rrp8vL&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://sun6-21.userapi.com/c909418/u801981293/docs/d19/cab0d9fd22fb/test.bmp?extra=S1lBZ2ara_uwvkUiCQO2CpDy8V8CT-DUsMDJDq5c-j9MzsI9R-MnJavBC7JjKow1RrS6V5Gt1xq0ExvtLgwopOUcyKFLyvxY2XmRgoY0ZkqV7tnvNQ-VvJNUjMmHJ0J8jIPVt2kRBM2Az8yPjA
whois
RU VKontakte Ltd 95.142.206.1 clean
https://sun6-23.userapi.com/c909618/u801981293/docs/d44/475e3b19467d/s.bmp?extra=CXhY0FYqAixfAe5gJo7Du2h3NIxPT1pwd6-OGYvPBrGUFvJMhPwurTncp5qAumXPeaEsjP-9apm2cztbCqwM3BtYwSrG2usVk_yUD9MqnSphi6K9Aq2Kc23k8YWxnMAVObcde_7Phogwv24YQg
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc801981293_667089680?hash=rVIr38BrzIinBtaaqLw8bfBo4PPqpdnYNI24AEk2s4c&dl=J840u5Bv36XIVNgrl2q6ZZe4BL6Dzqm1CKoCTOCZiz4&api=1&no_preview=1#rise_test
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc801981293_666878057?hash=1cohXPp9aLK2Xz7H2hezj89drs50PYuLRBoirKPj3B8&dl=vMZbPrQFZIXfQgzBVvuUmx7NUXxKHs9ZVFMOgU7roi0&api=1&no_preview=1#WW1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://sun6-22.userapi.com/c909628/u801981293/docs/d19/0473ba2c3397/PMmp.bmp?extra=WrUP7rtQyA__XGT96VkpbA09fH6-o78MtrcF3sMNML4tfmPd86znTXohoj2oY2iq7cXqb1ogncL3vqMNV51fvJBKLzDGTPGMaC4OONg8jXxXAsBqDQAvLjke5w40Iev0XWVFSDfyPSjjzQYtIg
whois
RU VKontakte Ltd 95.142.206.2 clean
https://sun6-20.userapi.com/c909218/u801981293/docs/d32/1c8ef9b2fc28/new.bmp?extra=If9Lo5F5-e1eTZGduxSFLbQb0TVGFPXkyZWdMeMv2g26HJlc5QbDck071WaX_YgB9o1UpVtPqxy4QD-RrF0Q12P3DrQDvvKj93TpO8rTUDzPo40OWhmmYf1PD6BDnURtppPdCg-zVajpOAa3yw
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-20.userapi.com/c909328/u801981293/docs/d24/084544a6c731/oip0uc82pz.bmp?extra=7iBeThmhh6DgxxYaPSgYpUe2xaYhvy6ZK-0HMLVHTGLGhFsWaOMYzD4oPREABqJmmPxnl2RS147cj8tiTALRAueLEt6VQbMoYwkK8FAFUhT-iPqHGu8D_3g2StFRnl2plAP3lJhvQaXWy0u0kA
whois
RU VKontakte Ltd 95.142.206.0 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
dialeta.com.br
whois
US UNIFIEDLAYER-AS-1 192.185.223.202 clean
hotelcasarafaelita.com
whois
US UNIFIEDLAYER-AS-1 162.241.203.245 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 clean
vanaheim.cn
whois
Unknown 45.145.4.170 clean
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
fastpool.xyz
whois
BG Vivacom 213.91.128.133 mailcious
hooligapps.site
whois
US CLOUDFLARENET 172.67.135.110 mailcious
steamcommunity.com
whois
US Akamai International B.V. 104.76.78.101 mailcious
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
aa.imgjeoogbb.com
whois
HK HK Kwaifong Group Limited 154.221.26.108 mailcious
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
api.db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
us.imgjeoigaa.com
whois
HK HK Kwaifong Group Limited 103.100.211.218 mailcious
bitbucket.org
whois
US ATLASSIAN PTY LTD 104.192.141.1 malware
zzz.fhauiehgha.com
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious
www.google.com
whois
US GOOGLE 142.250.76.132 clean
api.myip.com
whois
US CLOUDFLARENET 172.67.75.163 clean
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 clean
www.maxmind.com
whois
US CLOUDFLARENET 104.17.215.67 clean
vk.com
whois
RU VKontakte Ltd 87.240.129.133 mailcious
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
142.250.204.36
whois
US GOOGLE 142.250.204.36 clean
51.89.201.49
whois
FR OVH SAS 51.89.201.49 mailcious
154.221.26.108
whois
HK HK Kwaifong Group Limited 154.221.26.108 mailcious
23.34.107.26
whois
US AKAMAI-AS 23.34.107.26 clean
77.91.124.156
whois
RU Foton Telecom CJSC 77.91.124.156 mailcious
104.17.215.67
whois
US CLOUDFLARENET 104.17.215.67 clean
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
162.241.203.245
whois
US UNIFIEDLAYER-AS-1 162.241.203.245 clean
62.122.184.92
whois
Unknown 62.122.184.92 mailcious
45.145.4.170
whois
Unknown 45.145.4.170 clean
78.47.122.222
whois
DE Hetzner Online GmbH 78.47.122.222 mailcious
208.67.104.60
whois
Unknown 208.67.104.60 mailcious
95.214.25.207
whois
DE CMCS 95.214.25.207 malware
176.123.9.85
whois
MD Alexhost Srl 176.123.9.85 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
80.66.75.4
whois
RU Alexander Valerevich Mokhonko 80.66.75.4 mailcious
172.67.75.163
whois
US CLOUDFLARENET 172.67.75.163 clean
80.66.75.77
whois
RU Alexander Valerevich Mokhonko 80.66.75.77 clean
192.185.223.202
whois
US UNIFIEDLAYER-AS-1 192.185.223.202 mailcious
157.254.164.98
whois
Unknown 157.254.164.98 mailcious
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
176.113.115.84
whois
RU OOO Network of data-centers Selectel 176.113.115.84 mailcious
176.113.115.85
whois
RU OOO Network of data-centers Selectel 176.113.115.85 mailcious
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
176.113.115.135
whois
RU OOO Network of data-centers Selectel 176.113.115.135 mailcious
176.113.115.136
whois
RU OOO Network of data-centers Selectel 176.113.115.136 mailcious
45.143.201.238
whois
Unknown 45.143.201.238 mailcious
45.12.253.74
whois
DE CMCS 45.12.253.74 malware
104.192.141.1
whois
US ATLASSIAN PTY LTD 104.192.141.1 mailcious
77.91.124.231
whois
RU Foton Telecom CJSC 77.91.124.231 malware
77.91.68.61
whois
RU Foton Telecom CJSC 77.91.68.61 malware
156.236.72.121
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
104.21.6.229
whois
US CLOUDFLARENET 104.21.6.229 clean
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 clean
163.123.143.4
whois
Unknown 163.123.143.4 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
121.254.136.27
whois
KR LG DACOM Corporation 121.254.136.27 clean
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 clean
87.240.132.72
whois
RU VKontakte Ltd 87.240.132.72 mailcious
103.100.211.218
whois
HK HK Kwaifong Group Limited 103.100.211.218 malware
213.91.128.133
whois
BG Vivacom 213.91.128.133 mailcious

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 8
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (External IP)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET INFO Dotted Quad Host ZIP Request
ET POLICY Cryptocurrency Miner Checkin

Similarity measure (PE file only) - Checking for service failure