popup

Report - docu_o090099.url

AntiDebug AntiVM URL Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.05 08:39 Machine s1_win7_x6401
Filename docu_o090099.url
Type MS Windows 95 Internet shortcut text (URL=), ASCII text, wi
AI Score Not founds Behavior Score
4.0
ZERO API file : clean
VT API (file) 1 detected ()
md5 1a21439ba0c25f3f8378b522b7bfdbe3
sha256 88e67b9da0c3dfb802633bb52f2ac3a972ce340125e4153a396259939eae46de
ssdeep 3:HRAbABGQYm/PXVRSOcvQrNPEn:HRYFVm/P3Gn
imphash
impfuzzy
  Network IP location

Signature (9cnts)

Level Description
watch Communicates with host for which no DNS query was performed
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice File has been identified by one AntiVirus engine on VirusTotal as malicious
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice URLs have been extracted from an Internet shortcut file
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory

Rules (9cnts)

Level Name Description Collection
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info url_file_format Microsoft Windows Internet Shortcut File Format binaries (upload)

Network (6cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://192.3.108.47/0988/sun/update.hta
whois
US AS-COLOCROSSING 192.3.108.47 clean
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.27 clean
uploaddeimagens.com.br
whois
US CLOUDFLARENET 104.21.45.138 malware
23.67.53.27
whois
US Akamai International B.V. 23.67.53.27 clean
104.21.45.138
whois
US CLOUDFLARENET 104.21.45.138 malware
192.3.108.47
whois
US AS-COLOCROSSING 192.3.108.47 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible HTA Application Download
ET INFO Dotted Quad Host HTA Request
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Similarity measure (PE file only) - Checking for service failure