Report - reserva....exe

Gen1 Emotet Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check CAB
Created 2023.09.22 17:45 Machine s1_win7_x6401
Filename reserva....exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 4
Behavior Score 6.4
ZERO API file : clean
VT API (file) 34 detected (AIDetectMalware, DownLoader26, Save, malicious, high confidence, score, RRAT, AGEN, moderate, Generic ML PUA, Wacapew, Artemis, unsafe, Static AI, Malicious PE, Autoit, confidence)
md5 3403cb537d8e1e6257068d3189705050
sha256 1e2ae6c3bc1dce5dc5d968f23da8fec92f2625a6014ca18e3989ad9a33f419d5
ssdeep 98304:OtrbTA1XcptoXinXh6B8WXhT7rQUdUi2p2xIqjsdSympntS:wc1XOtnnXRah84h4qpptS
imphash d3bf8a7746a8d1ee8f6e5960c3f69378
impfuzzy 192:utI6w42ctF3OsIDLNSZk8Us+WTEwgPzOQ3D:sI6wHctF5INmkzwgPzOQ3D

Signature (14cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
watch Resumed a suspended thread in a remote process, potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Connects to a Dynamic DNS Domain
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername

Rules (21cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info CAB_file_format CAB archive file binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (2cnts)

Request CC ASN Co IP4 Rule ZERO
marcelotatuape.ddns.net BR JARDNET INFORMATICA LTDA - EPP 177.52.82.67 clean
177.52.82.67 BR JARDNET INFORMATICA LTDA - EPP 177.52.82.67 clean

Suricata ids

PE API

IAT(Import Address Table) Library


EAT (Export Address Table) is none
