popup

Report - Setup_pass1234.zip

PrivateLoader Stealc Amadey ZIP Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.13 17:06 Machine s1_win7_x6402
Filename Setup_pass1234.zip
Type Zip archive data, at least v5.1 to extract
AI Score Not founds Behavior Score
5.0
ZERO API file : malware
VT API (file)
md5 d6333d9f2326da7b78144d52fa20a05c
sha256 33a6ea57e2165198411a5f7a855478a8aef5dd6631ee28b0571292c9d9214763
ssdeep 196608:1PXO7GAkROaWG5XSO7JFns58Qm4UX1QbWQY7dr0:1feaWG9FnsyQmWI0
imphash
impfuzzy
  Network IP location

Signature (8cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method

Rules (1cnts)

Level Name Description Collection
info zip_file_format ZIP file format binaries (upload)

Network (126cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://45.9.74.80/opaa37.exe
whois
Unknown 45.9.74.80 clean
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660 malware
http://87.121.221.58/g.exe
whois
Unknown 87.121.221.58 35764 malware
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
whois
HU Magyar Telekom plc. 188.36.122.174 27911 mailcious
http://worldtopnews.fun/
whois
US CLOUDFLARENET 172.67.133.72 clean
http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe
whois
BG Belcloud LTD 94.156.35.76 36358 malware
http://colisumy.com/dl/build2.exe
whois
MX Uninet S.A. de C.V. 189.186.80.218 31026 malware
http://45.9.74.80/super.exe
whois
Unknown 45.9.74.80 36063 malware
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://5.42.92.211/loghub/master
whois
RU CJSC Kolomna-Sviaz TV 5.42.92.211 36282 mailcious
http://ji.alie3ksgbb.com/m/ela205.exe
whois
US CLOUDFLARENET 172.67.200.102 36360 mailcious
http://45.15.156.229/api/firegate.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 36052 mailcious
http://zexeq.com/files/1/build3.exe
whois
KR SK Broadband Co Ltd 211.59.14.90 27913 malware
http://116.203.7.16/7b01483643983171e949f923c5bc80e7
whois
DE Hetzner Online GmbH 116.203.7.16 clean
http://45.9.74.80/31839b57a4f11171d6abc8bbc4451ee4.exe
whois
Unknown 45.9.74.80 36201 malware
http://116.203.7.16/
whois
DE Hetzner Online GmbH 116.203.7.16 clean
http://94.142.138.131/api/firegate.php
whois
RU Ihor Hosting LLC 94.142.138.131 32650 mailcious
http://charlesjones.top/e9c345fc99a4e67e.php
whois
Unknown 51.250.21.16 36283 mailcious
http://77.91.68.238/love/no230.exe
whois
RU Foton Telecom CJSC 77.91.68.238 36359 malware
http://94.142.138.131/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.131 28311 mailcious
http://45.9.74.80/0bjdn2Z/index.php
whois
Unknown 45.9.74.80 26790 mailcious
http://116.203.7.16/htdocs.zip
whois
DE Hetzner Online GmbH 116.203.7.16 clean
http://171.22.28.208/download/Services.exe
whois
DE CMCS 171.22.28.208 clean
http://worldtopnews.fun/login
whois
US CLOUDFLARENET 172.67.133.72 clean
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LHNMv561Ao9oyPaxqTAOF0Ae.exe&platform=0009&osver=5&isServer=0
whois
US AKAMAI-AS 184.30.187.53 clean
http://176.113.115.84:8080/4.php
whois
RU OOO Network of data-centers Selectel 176.113.115.84 34795 mailcious
http://45.9.74.80/ummaa.exe
whois
Unknown 45.9.74.80 36186 malware
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.27 clean
http://45.9.74.80/toolspub2.exe
whois
Unknown 45.9.74.80 36066 malware
http://worldtopnews.fun/c2conf
whois
US CLOUDFLARENET 104.21.13.218 clean
http://williecampbell.top/calc2.exe
whois
Unknown 51.250.21.16 36362 malware
https://sun6-23.userapi.com/c909328/u44017378/docs/d42/899872c35d72/BottClient.bmp?extra=7B_OrPq1kMJpKpU7Rrq-3WvxeXHPEz4A_JiKNweZAEbH6C3hrq8WC9Y6uww1t8xYlzYqcYdsDkXyICD53rigA_siFPMJTJC5COTUew0WnhO42M6ssRQgNTvC-a6uLFX3tMHI9cyZu49a-5Yt
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc44017378_669100051?hash=Y1d8yh89LcZ0zAOx8obl7JZ7mZWqNSdnCHqxRkQxKbD&dl=IZJ6qPZZJHdKI0zpkVZuoaMzdZItvl7ncz41tGh3PbP&api=1&no_preview=1#rise_cpp
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc44017378_669136690?hash=E5ro6HNAOZHVOgZiTIDkvKctXbILQ0zBBx6f8KGt5e8&dl=qG39A2bhq4t9EZmEY5oWbCHZP2L9kp7Offbq4R5FDD0&api=1&no_preview=1#test2
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.5.15 clean
https://sun6-23.userapi.com/c909218/u17799268/docs/d56/c3e409803ba2/deluxe_crypted.bmp?extra=GRXXFXl5hs6qKc2oTNeNbZabyhRErvV9i7w4yu2Mor6fdrgHIzKkCogIMG6LyZkta06QOXjobPsItw5FUV_MCjbxh9Ezbijg7-6iXGOD57ERI0MdAdzyAYqyWSfRh7JIr3kt-a20Yh6GOLqB
whois
RU VKontakte Ltd 95.142.206.3 clean
https://sun6-21.userapi.com/c236331/u44017378/docs/d17/0cb048202b81/test2.bmp?extra=1Z4SkXT15ewB-UA3sFqN7g8-pGRPBmHUxDc7mOUzzckJf0vnNywnckSgPgETcI68TPa1hHTz6venXZc0d25yILYNDtXVUYrb671M_1Q5gngn8dxEey7xbFXNAr9MzoXeWv8HqjRyqYSShMt7
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc44017378_668981261?hash=KtP4jlmfa5n21hEuywQIenzbdeHE6fN4MtKmM0s1LgP&dl=ogaN1GU0x5hbsmXLGfmQBkv0VN664AvXi2xyl1vLRkP&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://steamcommunity.com/profiles/76561199550790047
whois
US AKAMAI-AS 184.50.42.33 clean
https://preconcert.pw/setup294.exe
whois
US CLOUDFLARENET 104.21.84.222 36162 malware
https://sun6-20.userapi.com/c909628/u17799268/docs/d42/394ac12e1f34/asca1ex.bmp?extra=Nn4hYr7tnXNZZ7LDLvbU1rSSLUXCn-M157dB_N2zZbvxIJXU-s2CkT9fJsNnQ-wJKfLwlR45wy_ednBtypvZDvnn-i5cAyOHtd9nGm_2XJBLZcbe78raXMo9Yfh0VU3s7QrB7fG0cfxAPlvA
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc17799268_667301259?hash=mz2nLKvo6dt1uE06v4jRORCgXO1tbK1pSlJhEfMFJco&dl=vkt89M90dzWpJZ9hvFWUTeZuZHqaxeSpP8mP7ffY8Z0&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://api.myip.com/
whois
US CLOUDFLARENET 104.26.8.59 clean
https://sun6-23.userapi.com/c235131/u44017378/docs/d30/967fe3fc2ef3/RisePro_0_6.bmp?extra=fCMNoFyOc7enNdFTnnGhjJ9jovfZ0mMROPwFREaAqWboltaIPZdcP_dIqrizV6yOjKq30uHvRMolq-F_2Hpyxg0TezcFJ8SSm0bMWdfNeg7hd0DvCAOl6OyNPRiOzrjGNYBVqtSlXKW8w2lx
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc17799268_667305233?hash=IwZ8VZSm1R6poDSVmCjMBWvPwtTOZjN00hLIt20AnZP&dl=X47BBpvy39XAmpGvpAPzZxZ3QV8ZssYZktFDfFk2wpg&api=1&no_preview=1#cryp
whois
RU VKontakte Ltd 87.240.132.72 clean
https://sun6-21.userapi.com/c235131/u17799268/docs/d34/20a2f6c4d3f4/d3232adg.bmp?extra=suUcIL34C8tZuA415Q8lnsWylAKtf3SORQHWwTtRCAhor9Xh31vJ6M2BmK67YddRXGwiLAW0jvq_FoA4Id_CzGfizeXTtd7lsFd1NrUnyhtFzoxZ9_XyQPBa1ZY9ol22CvDvWfKJysaOOqpn
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://vk.com/doc44017378_668777192?hash=bErtt2Itw8CZPTouyuXblBKb3pLfVImQzvGWnZ4CyVs&dl=vm2AArvcYQaQAETnMlmPKTg0CoqMAAqRh2fogvAYbWP&api=1&no_preview=1#tmwvr
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://sun6-23.userapi.com/c240331/u44017378/docs/d9/fa52acca0a25/PL_Client.bmp?extra=Gtk0NulK_t0Vg_w76xxYbYgKgQDrBcgCJoJgl3o3wL4Soyf9yXoN4y9JRWHxgfaYJkwVs046jyfvzE55PAyXiea2WR-q86s-1lM-sAnMQ1mOToUwfIvm5gd_Npnk_8d9vqhFfiSPARmxkQGX
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc17799268_667311648?hash=s3oUYZKI5aNSuInKy4BDLkFtjdygeDOMqfkbCpHaJtT&dl=3IzXh7BEz71lxp7j7y0p9JlCZth8IcFgVjQw3D577ks&api=1&no_preview=1#as
whois
RU VKontakte Ltd 87.240.132.72 clean
https://transfer.sh/get/uTWorMyudp/hgjjhlkgkl.exe
whois
DE Hetzner Online GmbH 144.76.136.153 clean
https://vk.com/doc17799268_667281004?hash=xOqcu1ZGarivubW5PP3sEBGynm7PLhU3P4kzSjNpUgz&dl=BDGaIhRFJdbZh0HkjSHVN3oPAh2dusZaaZGmKdcx4h8&api=1&no_preview=1#1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://sun6-20.userapi.com/c237331/u17799268/docs/d32/20d06de2d171/crypted.bmp?extra=Ix6P6PHPTaU-Y3IcBr-4XYzVARL6dIIfwVgGD1PgAHnQ8YE8I6mxpzvBb8ZC-5spd3ReZ1Yx-dQbztud3MKZLNEYdKKzb49L34FiqbZHziCi8D6pAzz-wEYZ9qJs6eJrhDDttVXq_XHjBjXh
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc44017378_669048765?hash=4y9BzzNOTmmZPixDuggkZgFx4GZ0QVZg3tNSdZK5BRs&dl=GJoifTjG0klCvDa0fmGosGT2YiTbPX4KW0RXRQc7WGk&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
worldtopnews.fun
whois
US CLOUDFLARENET 172.67.133.72 clean
db-ip.com
whois
US CLOUDFLARENET 172.67.75.166 clean
agsnv.com
whois
US Digital Energy Technologies Ltd. 181.214.31.34 malware
vanaheim.cn
whois
RU LLC Mobile Television Systems 185.39.205.39 mailcious
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 clean
preconcert.pw
whois
US CLOUDFLARENET 172.67.197.101 malware
charlesjones.top
whois
Unknown 51.250.21.16 mailcious
zexeq.com
whois
KR SK Broadband Co Ltd 175.119.10.231 malware
learn.microsoft.com
whois
US Akamai International B.V. 104.75.33.236 clean
api.2ip.ua
whois
CA ACP 162.0.217.254 clean
steamcommunity.com
whois
US AKAMAI-AS 184.50.42.33 mailcious
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
z.nnnaajjjgc.com
whois
US HK Kwaifong Group Limited 156.236.72.121 malware
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
ji.alie3ksgbb.com
whois
US CLOUDFLARENET 172.67.200.102 mailcious
bitbucket.org
whois
US ATLASSIAN PTY LTD 104.192.141.1 malware
230907161118223.nmr.xrm42.top
whois
BG Belcloud LTD 94.156.35.76 malware
williecampbell.top
whois
Unknown 51.250.21.16 malware
transfer.sh
whois
DE Hetzner Online GmbH 144.76.136.153 malware
colisumy.com
whois
MX Uninet S.A. de C.V. 189.186.80.218 malware
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
vk.com
whois
RU VKontakte Ltd 87.240.132.78 mailcious
api.myip.com
whois
US CLOUDFLARENET 172.67.75.163 clean
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
181.214.31.34
whois
US Digital Energy Technologies Ltd. 181.214.31.34 malware
104.192.141.1
whois
US ATLASSIAN PTY LTD 104.192.141.1 mailcious
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
77.91.68.238
whois
RU Foton Telecom CJSC 77.91.68.238 malware
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
184.50.42.33
whois
US AKAMAI-AS 184.50.42.33 clean
104.21.13.218
whois
US CLOUDFLARENET 104.21.13.218 clean
5.42.92.211
whois
RU CJSC Kolomna-Sviaz TV 5.42.92.211 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
45.9.74.80
whois
Unknown 45.9.74.80 malware
185.39.205.39
whois
RU LLC Mobile Television Systems 185.39.205.39 clean
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
51.38.95.107
whois
FR OVH SAS 51.38.95.107 clean
94.156.35.76
whois
BG Belcloud LTD 94.156.35.76 malware
87.240.132.78
whois
RU VKontakte Ltd 87.240.132.78 mailcious
23.67.53.27
whois
US Akamai International B.V. 23.67.53.27 clean
171.22.28.208
whois
DE CMCS 171.22.28.208 clean
162.0.217.254
whois
CA ACP 162.0.217.254 clean
176.113.115.84
whois
RU OOO Network of data-centers Selectel 176.113.115.84 mailcious
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
104.21.90.117
whois
US CLOUDFLARENET 104.21.90.117 malware
51.250.21.16
whois
Unknown 51.250.21.16 malware
104.21.84.222
whois
US CLOUDFLARENET 104.21.84.222 malware
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
94.142.138.131
whois
RU Ihor Hosting LLC 94.142.138.131 mailcious
144.76.136.153
whois
DE Hetzner Online GmbH 144.76.136.153 mailcious
185.225.73.32
whois
DE Mayak Smart Services Ltd. 185.225.73.32 mailcious
156.236.72.121
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
201.124.224.61
whois
MX Uninet S.A. de C.V. 201.124.224.61 clean
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 clean
116.203.7.16
whois
DE Hetzner Online GmbH 116.203.7.16 clean
182.162.106.33
whois
KR LG DACOM Corporation 182.162.106.33 malware
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
184.30.187.53
whois
US AKAMAI-AS 184.30.187.53 clean
31.41.244.27
whois
RU LLC Aeroexpress 31.41.244.27 mailcious
87.121.221.58
whois
Unknown 87.121.221.58 malware
211.181.24.133
whois
KR LG DACOM Corporation 211.181.24.133 clean
87.240.132.72
whois
RU VKontakte Ltd 87.240.132.72 mailcious
104.75.33.236
whois
US Akamai International B.V. 104.75.33.236 clean

Suricata ids

ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Suspicious services.exe in URI
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO EXE - Served Attached HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET MALWARE Redline Stealer Activity (Response)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Dotted Quad Host ZIP Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO Packed Executable Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
SURICATA HTTP unable to match response to request

Similarity measure (PE file only) - Checking for service failure