popup

Report - WWW14_64.exe

PrivateLoader RedLine Infostealer RedLine stealer Eredel Stealer Extended Generic Malware UPX Malicious Library VMProtect Malicious Packer .NET framework(MSIL) Confuser .NET PWS SMTP AntiDebug AntiVM PE File PE64 DLL PE32 OS Processor Check .NET EX
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.14 19:30 Machine s1_win7_x6403
Filename WWW14_64.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
4
 Behavior Score
18.6
ZERO API file : malware
VT API (file) 11 detected (AIDetectMalware, malicious, high confidence, Attribute, HighConfidence, VMProtect, J suspicious, Sabsik, susgen, confidence)
md5 24fbc8705072bb32a6ac2fc995a66f17
sha256 69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13
ssdeep 196608:1/26U9PTHjFEewj925ecIj3uauDXdeRCpParPWNZPfOvjqOe:1u6AzpE/4QnuDde05ge3PWvjI
imphash ee26deb5354c4489ff0dc7547168b2dc
impfuzzy 6:aZRHmR1A4GVzRgKLbXwNbsOhcB8VyH/JLGMZ/OiBJAEnERGDW:KAR1A4GZRgIwxvM8sZGMZGqAJcDW
  Network IP location

Signature (41cnts)

Level Description
danger Disables Windows Security features
danger Executed a process and injected code into it
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Communicates with host for which no DNS query was performed
watch Drops a binary and executes it
watch File has been identified by 11 AntiVirus engines on VirusTotal as malicious
watch Network activity contains more than one unique useragent
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process www14_64.exe
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Uses Windows APIs to generate a cryptographic key

Rules (30cnts)

Level Name Description Collection
danger MALWARE_Win_VT_RedLine Detects RedLine infostealer binaries (download)
danger RedLine_Stealer_b_Zero RedLine stealer binaries (download)
danger Win_Eredel_Stealer_Extended_IN_Zero Win Eredel Stealer Extended binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch ConfuserEx_Zero Confuser .NET binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch VMProtect_Zero VMProtect packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Network_SMTP_dotNet Communications smtp memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE64 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (67cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://193.42.32.118/api/firegate.php
whois
Unknown 193.42.32.118 clean
http://45.9.74.80/super.exe
whois
Unknown 45.9.74.80 36063 malware
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://ji.alie3ksgbb.com/m/ela205.exe
whois
US CLOUDFLARENET 104.21.90.117 36360 mailcious
http://marrakechchoralmeeting.ma/cgi-sys/suspendedpage.cgi
whois
DE Hetzner Online GmbH 178.63.45.64 clean
http://45.15.156.229/api/firegate.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 36052 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
KR LG DACOM Corporation 61.111.58.35 clean
http://193.42.32.118/api/tracemap.php
whois
Unknown 193.42.32.118 36180 mailcious
http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe
whois
BG Belcloud LTD 94.156.35.76 36358 malware
http://marrakechchoralmeeting.ma/netTime.exe
whois
DE Hetzner Online GmbH 178.63.45.64 malware
https://preconcert.pw/setup294.exe
whois
US CLOUDFLARENET 172.67.197.101 36162 malware
https://vk.com/doc17799268_667301259?hash=mz2nLKvo6dt1uE06v4jRORCgXO1tbK1pSlJhEfMFJco&dl=vkt89M90dzWpJZ9hvFWUTeZuZHqaxeSpP8mP7ffY8Z0&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://sun6-20.userapi.com/c237031/u44017378/docs/d47/f53dd4d29da4/red.bmp?extra=aPmcskdA3y2ObuY7QHUX6sPMjQu36B4newP0bAW-Ly73hW3EW_bozidYJAqh73X7SUvR1gIX9uc9Cb4NNw95t2w09-_aicB8V3k2Xih1EYLcm7JY06Dr2jP135rFTycmXICkUKS8rcX-rNt7
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-21.userapi.com/c235131/u17799268/docs/d34/0d08248537eb/d3232adg.bmp?extra=MXfyziyjTKDf6ofOrhDCTKpsWkbv10mkMTRRhYIV8JRe3R-EQTQ053o3girAdfhhnn5fc1YH_S_WsBSzGbqRuEfy-bz_PCHnGFFm2ELe6Vs13UB3lsTOyfn7GTx222_mFRvKUYaEAkS6mnss
whois
RU VKontakte Ltd 95.142.206.1 clean
https://verypayment.net/1bc7618fb98d2d4c287a4f9d42a3529b/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 104.21.95.210 clean
https://vk.com/doc17799268_667370292?hash=3zgmNBZUEabUAWsj0zIdTPreX2uOk9XZqB04AKml9Wc&dl=3EXwtWCuOk8m89Hgrb6xTH69yK7gn8gGsiaT4sE12Ls&api=1&no_preview=1#review
whois
RU VKontakte Ltd 87.240.129.133 clean
https://vk.com/doc44017378_668850966?hash=seNAc9XpZGb24lXnAxVAwPiPVaSTe6IiTQaY7IFhggw&dl=A9mazd4TmUx700iSSJAZzZTPnbX30hG5PEtIhQs2FVw&api=1&no_preview=1#utube
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://vk.com/doc17799268_667356691?hash=cUASNycPr9e7ejTeXRHP4JzU43t6UAQvFbVpJRIyYfL&dl=WIcfE7rh128yHk3HTd3LfM84KN7pulppjnAcRmZGByH&api=1&no_preview=1#orig
whois
RU VKontakte Ltd 87.240.132.78 clean
https://api.myip.com/
whois
US CLOUDFLARENET 104.26.8.59 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.129.133 mailcious
https://sun6-23.userapi.com/c909218/u17799268/docs/d51/a01868bc6519/OriginalBuild.bmp?extra=ubUUt1995rM2O1vMl6qK3XtVBz9_ydnjOUtvK8odosQtYQIMBBSkvaNNKqqilClao3gbzVteXVX9L9OFNSV06NdFFhqmBwxMRWCeFMALiLTI8W6Vx3d4vHYiIZ6fNIjaj-fFlB6HwOA5YYkC
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc44017378_669202180?hash=Qj8GmTTzSwexN5MiDhkzSBdsEuAfR50DxI5PmBbRzn8&dl=G49L5cNOoCw8qI3zZagSCyprvu5ngf5V9jZb6GDfmT8&api=1&no_preview=1#redcl
whois
RU VKontakte Ltd 87.240.132.78 clean
https://psv4.userapi.com/c909518/u17799268/docs/d38/272bd98cd010/h27lmi0.bmp?extra=8E5LnE31GAfkun85y6q3JNHdEJ6rb3OS4of8U197zzjPBwzlcBmXiYtqfGEzAOOcBigBbtsjBtCJpKZMK3_lQTtjrrC6bCw4QqmXuSbFcrs-fVc_0h4X8B-FoNEyrA4yLWeFIUw2C7A5wlE2
whois
RU VKontakte Ltd 87.240.137.134 clean
https://psv4.userapi.com/c909228/u17799268/docs/d27/d584128e4c13/setup.bmp?extra=QZMNAMmYW-qEHWSBh6dZ9jyKy_PY0fq3EfQW125lr8gOTPQKKk8D6XHsyvSTOD3T7PxspO6gsaXVUJbHjY4x2FlKcs3MgJmS9q6rOCgsMt-fKwYArNbdvgjxPZr2zE35GnV0uOAIllJpHWOQ
whois
RU VKontakte Ltd 87.240.137.140 clean
https://vk.com/doc17799268_667374166?hash=t73r7TZmjqi4mQ6K8CuchmsQ2lbq7RbjhwFx1c1Azcg&dl=HaU76slkxIDZ6fTldzxVLdSFmSzwAiccfTBkzLQsA4D&api=1&no_preview=1#u9
whois
RU VKontakte Ltd 87.240.132.78 clean
https://vk.com/doc17799268_667370950?hash=kmRsdqMou4vNz1YzodkAQZcJxKjXdXHF3v2Zycf1w2H&dl=i4K7yr2wzDFn7JZ4az5BAF7ZSXsQBGNbt8o8BOvxSaw&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 172.67.214.144 36188 malware
https://sun6-20.userapi.com/c237031/u17799268/docs/d44/9d7023004930/PL_Client.bmp?extra=X1aJqe75cj3wH63JyDtM4ZvEFrLEEDM9Cj69lrcSXLQLpLhAVquotaOP2hnr-i131Cw2CXTQYaZGiXrawiBA3-dvrSYSkiKl6gd5nnzy6xUssRlZdOecvfBwEwrAygIbNtWImtAz1AfD6bvt
whois
RU VKontakte Ltd 95.142.206.0 clean
preconcert.pw
whois
US CLOUDFLARENET 104.21.84.222 malware
ji.alie3ksgbb.com
whois
US CLOUDFLARENET 172.67.200.102 mailcious
psv4.userapi.com
whois
RU VKontakte Ltd 87.240.190.76 clean
marrakechchoralmeeting.ma
whois
DE Hetzner Online GmbH 178.63.45.64 malware
api.myip.com
whois
US CLOUDFLARENET 104.26.9.59 clean
vk.com
whois
RU VKontakte Ltd 93.186.225.194 mailcious
verypayment.net
whois
US CLOUDFLARENET 172.67.148.157 clean
sergejbukotko.com
whois
US CLOUDFLARENET 104.21.59.53 malware
z.nnnaajjjgc.com
whois
US HK Kwaifong Group Limited 156.236.72.121 malware
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
230907161118223.nmr.xrm42.top
whois
BG Belcloud LTD 94.156.35.76 malware
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
172.67.197.101
whois
US CLOUDFLARENET 172.67.197.101 clean
87.240.137.140
whois
RU VKontakte Ltd 87.240.137.140 clean
87.240.129.133
whois
RU VKontakte Ltd 87.240.129.133 mailcious
176.123.9.85
whois
MD Alexhost Srl 176.123.9.85 mailcious
193.42.32.118
whois
Unknown 193.42.32.118 mailcious
45.9.74.80
whois
Unknown 45.9.74.80 malware
172.67.200.102
whois
US CLOUDFLARENET 172.67.200.102 clean
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
172.67.214.144
whois
US CLOUDFLARENET 172.67.214.144 malware
182.162.106.32
whois
KR LG DACOM Corporation 182.162.106.32 clean
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
104.21.95.210
whois
US CLOUDFLARENET 104.21.95.210 clean
87.240.137.134
whois
RU VKontakte Ltd 87.240.137.134 clean
185.225.73.32
whois
DE Mayak Smart Services Ltd. 185.225.73.32 mailcious
156.236.72.121
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 clean
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
94.156.35.76
whois
BG Belcloud LTD 94.156.35.76 malware
87.240.132.78
whois
RU VKontakte Ltd 87.240.132.78 mailcious
185.225.74.51
whois
DE Mayak Smart Services Ltd. 185.225.74.51 mailcious
178.63.45.64
whois
DE Hetzner Online GmbH 178.63.45.64 mailcious

Suricata ids

SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET INFO TLS Handshake Failure
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET INFO Executable Download from dotted-quad Host
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x14079c000 InitializeCriticalSectionEx
USER32.dll
 0x14079c010 CharNextA
ADVAPI32.dll
 0x14079c020 RegCloseKey
SHELL32.dll
 0x14079c030 ShellExecuteA
ole32.dll
 0x14079c040 CoCreateInstance
KERNEL32.dll
 0x14079c050 GetVersion
USER32.dll
 0x14079c060 CharUpperBuffW
KERNEL32.dll
 0x14079c070 LocalAlloc
 0x14079c078 LocalFree
 0x14079c080 GetModuleFileNameW
 0x14079c088 ExitProcess
 0x14079c090 LoadLibraryA
 0x14079c098 GetModuleHandleA
 0x14079c0a0 GetProcAddress

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure