popup

Report - Instal_pass.7z

PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.04 15:10 Machine s1_win7_x6402
Filename Instal_pass.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
6.0
ZERO API file : malware
VT API (file)
md5 6012442e75bf062ee37a19e3b813b95c
sha256 80f2f0ac76650af791ecdb46abb392a96a6e584a9af4871a8866e85c7c597e99
ssdeep 196608:B1lI3eZ2DyNFj/mjJMn42YnbrSTtXDB0QHlDNAuFsjb:blI3eZ2DyN1OJMRS+TwQ/AuF0b
imphash
impfuzzy
  Network IP location

Signature (13cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (79cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://94.142.138.113/api/firegate.php
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
http://87.121.221.58/g.exe
whois
Unknown 87.121.221.58 35764 malware
http://45.15.156.229/api/firegate.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 36052 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.17 clean
http://77.91.68.238/info/fotos894.exe
whois
RU Foton Telecom CJSC 77.91.68.238 malware
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.18.145.235 clean
http://myfilebest.com/order/set17.exe
whois
US CLOUDFLARENET 172.67.183.191 clean
http://94.142.138.113/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.113 28877 mailcious
https://preconcert.pw/setup294.exe
whois
US CLOUDFLARENET 104.21.84.222 clean
https://vk.com/doc44017378_668841700?hash=B7naXG9fPpueUKaZxzbzFzqgThiLopd9A232GVSoLbD&dl=VDCn0RuU4RRcIuzpA6hHZu4JCvVt7UCUAmWFRORbSKs&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 clean
https://vk.com/doc44017378_668806860?hash=qtzoSGTGfTX0Y89NBaFBYakjoCyaeVOVJQ5aLZ9qe6c&dl=MsOUl0nIy2MxBmzFM55NV4K7DzBdgHfls4LY6OEHerL&api=1&no_preview=1#qq
whois
RU VKontakte Ltd 87.240.137.164 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.129.133 mailcious
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.4.15 clean
https://vk.com/doc44017378_668685574?hash=2Z9kWDMxHv9Bg52ieOFMjjyZlIe2LzZhpXJtbJfi2jD&dl=MckLSTrLnFqxzbDQcQsY8zw8KxvNLWnEyU8AMbhyK6s&api=1&no_preview=1#WW1
whois
RU VKontakte Ltd 87.240.137.164 clean
https://psv4.userapi.com/c909618/u44017378/docs/d58/3ae907fdfcf3/Synapse.bmp?extra=KUBnABH___ud3k6Iz_4j06dbnFS9VRlNbUwfTgh7gFkqGiY9bpQRB8S2WTllutClgFicO9HQdM2CdICtoMDrTIUve1tpzFA4EraxxEm1T-w5HYMIufQJZJ3ZZuL60ICYmx_il49EiGSxeEtl
whois
RU VKontakte Ltd 87.240.190.76 clean
https://db-ip.com/
whois
US CLOUDFLARENET 172.67.75.166 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.5.15 clean
https://sun6-20.userapi.com/c909228/u44017378/docs/d21/84fb03a45baf/RisePro_0_5_eM6kP0V0t0TJM31LPkFZ.bmp?extra=0flX9Y0ztZxXjKMYf4MpJJjzvYpZP31BlbRhAJosHEXpLdo8JT_b5DH9Y0PRC9dGByVJGDom6Q85dl7oudoJZHFhYVAOPLcxqHxV4bfTwq2t2ZLBF5atjVwW-KpohUyr8NnU5FS4_f1sEXD4
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-23.userapi.com/c240331/u44017378/docs/d40/ea107227b79a/test2.bmp?extra=T669DDPm8ZLFNZCYmG4ho1hhgwomS77jaE2Yn7VnIXwin8UREXNFw9ArqM4W0cg7xTW45XFbxsmQRIFsVfy1w7UsYsb0Uhx9j2OLuM-0E3RUf8vSZA5CNcinhMJmev2Nv1FGmFs4mSuLTip3
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc44017378_668790441?hash=ZAKf3wtiDekEKOwL5zOUpKlhs3NsBThU4THBbA9UjZ0&dl=tGcv3oqIrQKDSR0z8GXJxfn9P4s1HZm2ci3UQevYE7w&api=1&no_preview=1#test2
whois
RU VKontakte Ltd 87.240.137.164 clean
https://sun6-20.userapi.com/c909618/u44017378/docs/d36/970407f834ab/PL_Client.bmp?extra=aN41sDSFUADrGrdU_RjM1QHebyaC6CfPPnkhN8Sh5X1ARi3KwK86JBBO2RmrPchH2zWsjNJamP2kvNM4ZBw3wVvUHefjC0u7DuaIJJ3n0zlEfuc5TbQudsfFWKgLDw8h18lU6pjBLjcaodL_
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc44017378_668805679?hash=Pq8nRu8IL2bYqDVs2GPjMvpAFMOm04kusdFGQmRlGY0&dl=ns6C3Wug8h8cGKJrvWC9ONCmtSXnbVIqzmpprkB3Voz&api=1&no_preview=1#rise
whois
RU VKontakte Ltd 87.240.137.164 clean
https://sun6-21.userapi.com/c909628/u44017378/docs/d11/ac2bb3ec415d/WWW1.bmp?extra=PdcCi5Du3aPXs6h3g6zfZQ1vp80eYhCaeQWYwshlaKabq3cItIQbRsgtJq0TWtJ44yhs8vYSoCXkcJ9B1aoCxAqw1FzxTuOWr37cbrEr81UIcHuZxy3avmSshVlPZDeDf90bALLE9p_SrNDd
whois
RU VKontakte Ltd 95.142.206.1 clean
https://sun6-21.userapi.com/c909218/u44017378/docs/d35/7d15da7ffef6/qq.bmp?extra=2GxVWJpu25oym3VxYwWNtfWO8cQIKYpcF0VxbVK3BFm6aprr9H7tTHFEku9l_-NfQgcfHxfucUok_MgxivF-HiFfE_IhhOE0f3IqvHMsERCQI19xXhu3k8QfnZs_rFCImiUJW5RjB0c29Ysf
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://sun6-22.userapi.com/c235031/u44017378/docs/d4/1974a6683533/crypted.bmp?extra=XHKJoN80jGNAz1QmohIWSJwLNw1xbuFQMIVe0WiYZj62gT4pGvNZfyg4fHynhr0PlaBSK9k-uRbQkcGieK0oYQcB8CGDXqOb9JLjC38GlvNCMUriI1WLUKlrZb65vZcsrmYy1EOO8igzh7tD
whois
RU VKontakte Ltd 95.142.206.2 clean
https://vk.com/doc44017378_668771908?hash=xTpUd6Irq53Iv3XxYBTLtZCTvA1vPIxYTBJi9GFflYg&dl=r01wYZoWFOYu6Y5AAmkbdHXEnBHxBfvDm7ze3p9Hqz0&api=1&no_preview=1#1
whois
RU VKontakte Ltd 87.240.137.164 clean
https://vk.com/doc44017378_668679037?hash=6lxdrm9NUkSryZCfzYZn4zR2sOTXzaKgfQIcVCaPnvX&dl=FLqYTpktPSSWsXhtSyyzRawRyuZZexn7WIKXiXEZBv4&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 clean
preconcert.pw
whois
US CLOUDFLARENET 172.67.197.101 clean
api.2ip.ua
whois
CA ACP 162.0.217.254 clean
db-ip.com
whois
US CLOUDFLARENET 172.67.75.166 clean
psv4.userapi.com
whois
RU VKontakte Ltd 87.240.190.76 clean
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
api.myip.com
whois
US CLOUDFLARENET 172.67.75.163 clean
agsnv.com
whois
US Digital Energy Technologies Ltd. 181.214.31.34 malware
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 clean
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 clean
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
myfilebest.com
whois
US CLOUDFLARENET 172.67.183.191 clean
www.maxmind.com
whois
US CLOUDFLARENET 104.18.145.235 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
vk.com
whois
RU VKontakte Ltd 87.240.132.67 mailcious
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
104.18.145.235
whois
US CLOUDFLARENET 104.18.145.235 clean
181.214.31.34
whois
US Digital Energy Technologies Ltd. 181.214.31.34 malware
77.91.68.238
whois
RU Foton Telecom CJSC 77.91.68.238 malware
87.240.129.133
whois
RU VKontakte Ltd 87.240.129.133 mailcious
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
172.67.75.163
whois
US CLOUDFLARENET 172.67.75.163 clean
87.240.190.76
whois
RU VKontakte Ltd 87.240.190.76 clean
87.121.221.58
whois
Unknown 87.121.221.58 malware
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
104.21.56.98
whois
US CLOUDFLARENET 104.21.56.98 clean
162.0.217.254
whois
CA ACP 162.0.217.254 clean
194.26.135.162
whois
Unknown 194.26.135.162 mailcious
87.240.132.67
whois
RU VKontakte Ltd 87.240.132.67 mailcious
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
104.21.84.222
whois
US CLOUDFLARENET 104.21.84.222 clean
121.254.136.9
whois
KR LG DACOM Corporation 121.254.136.9 clean
176.123.9.142
whois
MD Alexhost Srl 176.123.9.142 mailcious
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
185.225.73.32
whois
DE Mayak Smart Services Ltd. 185.225.73.32 mailcious
149.202.0.242
whois
FR OVH SAS 149.202.0.242 mailcious
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
104.26.9.59
whois
US CLOUDFLARENET 104.26.9.59 clean
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
87.240.137.164
whois
RU VKontakte Ltd 87.240.137.164 mailcious
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 clean
163.123.143.4
whois
Unknown 163.123.143.4 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 clean

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO EXE - Served Attached HTTP
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)

Similarity measure (PE file only) - Checking for service failure