popup

Report - foto3553.exe

RedLine stealer Gen1 Emotet RedLine Infostealer SmokeLoader Amadey Generic Malware UltraVNC Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.06 08:03 Machine s1_win7_x6403
Filename foto3553.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
 Behavior Score
26.8
ZERO API file : malware
VT API (file)
md5 53ffe4a2e5ff91672c96597ebece2470
sha256 7eb34e73b59921ae4892ecf57f60f033217eac603455914c02158114a6d073e0
ssdeep 49152:jXXYNZaNo9/ywQo/cL9RMQa1oCeE2PQOnb:LXIi/wQvL95uoCj24On
imphash 646167cce332c1c252cdcb1839e0cf48
impfuzzy 48:mPkNSpUOU4iLzNXMuM9a08vTL5wtV6x9KEl4LTrzUp5aSvd59E5o+RXpNuAC8tGg:ikmUZ4iLBXMuMc08vTLhsNeGmdM
  Network IP location

Signature (57cnts)

Level Description
danger The process powershell.exe wrote an executable file to disk which it then attempted to execute
danger Disables Windows Security features
danger Executed a process and injected code into it
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects Avast Antivirus through the presence of a library
watch Executes one or more WMI queries
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch One or more non-whitelisted processes were created
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses suspicious command line tools or Windows utilities
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice An executable file was downloaded by the process explothe.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (41cnts)

Level Name Description Collection
danger MALWARE_Win_VT_RedLine Detects RedLine infostealer binaries (download)
danger RedLine_Stealer_b_Zero RedLine stealer binaries (download)
danger RedLine_Stealer_m_Zero RedLine stealer memory
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
danger Win_Amadey_Zero Amadey bot binaries (download)
danger win_smokeloader_auto Detects win.smokeloader. binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning UltraVNC_Zero UltraVNC binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch ConfuserEx_Zero Confuser .NET binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice ScreenShot Take ScreenShot memory
info anti_dbg Checks if being debugged memory
info CAB_file_format CAB archive file binaries (download)
info CAB_file_format CAB archive file binaries (upload)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (58cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://77.91.68.52/fuza/rus.exe
whois
RU Foton Telecom CJSC 77.91.68.52 malware
http://77.91.68.52/fuza/foto3553.exe
whois
RU Foton Telecom CJSC 77.91.68.52 malware
http://77.91.124.1/theme/Plugins/clip64.dll
whois
RU Foton Telecom CJSC 77.91.124.1 malware
http://5.42.92.211/loghub/master
whois
RU CJSC Kolomna-Sviaz TV 5.42.92.211 36282 mailcious
http://77.91.124.1/theme/Plugins/cred64.dll
whois
RU Foton Telecom CJSC 77.91.124.1 mailcious
http://77.91.68.52/fuza/1.ps1
whois
RU Foton Telecom CJSC 77.91.68.52 mailcious
http://77.91.68.52/fuza/nano.exe
whois
RU Foton Telecom CJSC 77.91.68.52 malware
http://77.91.124.1/theme/index.php
whois
RU Foton Telecom CJSC 77.91.124.1 clean
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
whois
US FACEBOOK 157.240.215.35 clean
https://www.facebook.com/favicon.ico
whois
US FACEBOOK 157.240.215.35 clean
https://accounts.google.com/generate_204?qq0oQg
whois
US GOOGLE 142.251.130.13 clean
https://www.facebook.com/login
whois
US FACEBOOK 157.240.215.35 clean
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
whois
US GOOGLE 142.251.130.13 clean
https://accounts.google.com/_/bscframe
whois
US GOOGLE 142.251.130.13 clean
https://accounts.google.com/generate_204?zRkItw
whois
US GOOGLE 142.251.130.13 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhcLz_cnXDIXvz3QIMY97r1jrsQOAnIw1tmulVERc2o6bSWlDbcLriBPSZgdPt1S1cy1gKwoqw&passive=1209600&flowName=WebLi
whois
US GOOGLE 142.251.130.13 clean
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
whois
US GOOGLE 172.217.24.67 clean
https://fbsbx.com/security/hsts-pixel.gif?c=5
whois
US FACEBOOK 157.240.215.35 clean
https://connect.facebook.net/security/hsts-pixel.gif
whois
US FACEBOOK 157.240.215.14 clean
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhe5IhkTCdrQCA1yPVmt1oDA_voOW_A_ZqyCLTPdvHyGXJzE-RO7xy3BTH2BA1gxFU3WhShv
whois
US GOOGLE 142.251.130.13 clean
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdK1mkizJfifk30A2wUFICseNNCEjJIeVPM5FdrF5tEWuvZIe1OSLr4tRhi1BGsuGKKyagnGg&passive=1209600&flowName=WebLi
whois
US GOOGLE 142.251.130.13 clean
https://accounts.google.com/
whois
US GOOGLE 142.251.130.13 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yF/l/0,cross/LSAcIwftMnp.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/dSpVEafK7Ja.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcDvrRvELv2YHAoIozHL4ARKVAwdXih1YzNwd9N0tcW7AThR1PqnPYFBUHlbxzCE9fKQvd2Mg
whois
US GOOGLE 142.251.130.13 clean
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
whois
US FACEBOOK 157.240.215.35 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yT/l/0,cross/g5qw7MkrAMe.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
whois
US FACEBOOK 157.240.215.14 clean
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhemK6vxa5aVksbZqVqKrPQQwbOqA9SxEdxfxB3QOQidRlZmc0xXtRUEuzzNGlhNobYw0k8Y_g&passive=1209600&flowName=WebLi
whois
US GOOGLE 142.251.130.13 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/C7x9HQY1590.js?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://accounts.google.com/generate_204?qMW9GQ
whois
US GOOGLE 142.251.130.13 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yX/l/0,cross/3YxNg1jSEBd.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/4Gbx36-Nu9e.js?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdyfADyPcA7yLXC6h_tQmdvglNolQT6NRsBxSOYAOP9cQ5q7sygQlUcHMx3zc8TEcngtPmlTw
whois
US GOOGLE 142.251.130.13 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yk/l/0,cross/mZN0_xqSmFF.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
ssl.gstatic.com
whois
US GOOGLE 172.217.25.163 clean
www.facebook.com
whois
US FACEBOOK 157.240.215.35 clean
fbsbx.com
whois
US FACEBOOK 157.240.215.35 clean
www.google.com
whois
US GOOGLE 142.250.206.228 clean
static.xx.fbcdn.net
whois
US FACEBOOK 157.240.215.14 clean
fbcdn.net
whois
US FACEBOOK 157.240.215.35 clean
accounts.google.com
whois
US GOOGLE 172.217.25.173 clean
connect.facebook.net
whois
US FACEBOOK 157.240.215.14 clean
facebook.com
whois
US FACEBOOK 157.240.215.35 clean
142.251.130.4
whois
US GOOGLE 142.251.130.4 clean
142.251.130.13
whois
US GOOGLE 142.251.130.13 clean
157.240.215.14
whois
US FACEBOOK 157.240.215.14 clean
77.91.124.55
whois
RU Foton Telecom CJSC 77.91.124.55 mailcious
77.91.68.52
whois
RU Foton Telecom CJSC 77.91.68.52 mailcious
77.91.124.1
whois
RU Foton Telecom CJSC 77.91.124.1 malware
157.240.215.35
whois
US FACEBOOK 157.240.215.35 clean
5.42.92.211
whois
RU CJSC Kolomna-Sviaz TV 5.42.92.211 mailcious
172.217.24.67
whois
US GOOGLE 172.217.24.67 clean

Suricata ids

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO PS1 Powershell File Request
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x40a000 GetTokenInformation
 0x40a004 RegDeleteValueA
 0x40a008 RegOpenKeyExA
 0x40a00c RegQueryInfoKeyA
 0x40a010 FreeSid
 0x40a014 OpenProcessToken
 0x40a018 RegSetValueExA
 0x40a01c RegCreateKeyExA
 0x40a020 LookupPrivilegeValueA
 0x40a024 AllocateAndInitializeSid
 0x40a028 RegQueryValueExA
 0x40a02c EqualSid
 0x40a030 RegCloseKey
 0x40a034 AdjustTokenPrivileges
KERNEL32.dll
 0x40a060 _lopen
 0x40a064 _llseek
 0x40a068 CompareStringA
 0x40a06c GetLastError
 0x40a070 GetFileAttributesA
 0x40a074 GetSystemDirectoryA
 0x40a078 LoadLibraryA
 0x40a07c DeleteFileA
 0x40a080 GlobalAlloc
 0x40a084 GlobalFree
 0x40a088 CloseHandle
 0x40a08c WritePrivateProfileStringA
 0x40a090 IsDBCSLeadByte
 0x40a094 GetWindowsDirectoryA
 0x40a098 SetFileAttributesA
 0x40a09c GetProcAddress
 0x40a0a0 GlobalLock
 0x40a0a4 LocalFree
 0x40a0a8 RemoveDirectoryA
 0x40a0ac FreeLibrary
 0x40a0b0 _lclose
 0x40a0b4 CreateDirectoryA
 0x40a0b8 GetPrivateProfileIntA
 0x40a0bc GetPrivateProfileStringA
 0x40a0c0 GlobalUnlock
 0x40a0c4 ReadFile
 0x40a0c8 SizeofResource
 0x40a0cc WriteFile
 0x40a0d0 GetDriveTypeA
 0x40a0d4 lstrcmpA
 0x40a0d8 SetFileTime
 0x40a0dc SetFilePointer
 0x40a0e0 FindResourceA
 0x40a0e4 CreateMutexA
 0x40a0e8 GetVolumeInformationA
 0x40a0ec ExpandEnvironmentStringsA
 0x40a0f0 GetCurrentDirectoryA
 0x40a0f4 FreeResource
 0x40a0f8 GetVersion
 0x40a0fc SetCurrentDirectoryA
 0x40a100 GetTempPathA
 0x40a104 LocalFileTimeToFileTime
 0x40a108 CreateFileA
 0x40a10c SetEvent
 0x40a110 TerminateThread
 0x40a114 GetVersionExA
 0x40a118 LockResource
 0x40a11c GetSystemInfo
 0x40a120 CreateThread
 0x40a124 ResetEvent
 0x40a128 LoadResource
 0x40a12c ExitProcess
 0x40a130 GetModuleHandleW
 0x40a134 CreateProcessA
 0x40a138 FormatMessageA
 0x40a13c GetTempFileNameA
 0x40a140 DosDateTimeToFileTime
 0x40a144 CreateEventA
 0x40a148 GetExitCodeProcess
 0x40a14c FindNextFileA
 0x40a150 LocalAlloc
 0x40a154 GetShortPathNameA
 0x40a158 MulDiv
 0x40a15c GetDiskFreeSpaceA
 0x40a160 EnumResourceLanguagesA
 0x40a164 GetTickCount
 0x40a168 GetSystemTimeAsFileTime
 0x40a16c GetCurrentThreadId
 0x40a170 GetCurrentProcessId
 0x40a174 QueryPerformanceCounter
 0x40a178 TerminateProcess
 0x40a17c SetUnhandledExceptionFilter
 0x40a180 UnhandledExceptionFilter
 0x40a184 GetStartupInfoW
 0x40a188 Sleep
 0x40a18c FindClose
 0x40a190 GetCurrentProcess
 0x40a194 FindFirstFileA
 0x40a198 WaitForSingleObject
 0x40a19c GetModuleFileNameA
 0x40a1a0 LoadLibraryExA
GDI32.dll
 0x40a058 GetDeviceCaps
USER32.dll
 0x40a1a8 SetWindowLongA
 0x40a1ac GetDlgItemTextA
 0x40a1b0 DialogBoxIndirectParamA
 0x40a1b4 ShowWindow
 0x40a1b8 MsgWaitForMultipleObjects
 0x40a1bc SetWindowPos
 0x40a1c0 GetDC
 0x40a1c4 GetWindowRect
 0x40a1c8 DispatchMessageA
 0x40a1cc GetDesktopWindow
 0x40a1d0 CharUpperA
 0x40a1d4 SetDlgItemTextA
 0x40a1d8 ExitWindowsEx
 0x40a1dc MessageBeep
 0x40a1e0 EndDialog
 0x40a1e4 CharPrevA
 0x40a1e8 LoadStringA
 0x40a1ec CharNextA
 0x40a1f0 EnableWindow
 0x40a1f4 ReleaseDC
 0x40a1f8 SetForegroundWindow
 0x40a1fc PeekMessageA
 0x40a200 GetDlgItem
 0x40a204 SendMessageA
 0x40a208 SendDlgItemMessageA
 0x40a20c MessageBoxA
 0x40a210 SetWindowTextA
 0x40a214 GetWindowLongA
 0x40a218 CallWindowProcA
 0x40a21c GetSystemMetrics
msvcrt.dll
 0x40a234 _controlfp
 0x40a238 ?terminate@@YAXXZ
 0x40a23c _acmdln
 0x40a240 _initterm
 0x40a244 __setusermatherr
 0x40a248 _except_handler4_common
 0x40a24c memcpy
 0x40a250 _ismbblead
 0x40a254 __p__fmode
 0x40a258 _cexit
 0x40a25c _exit
 0x40a260 exit
 0x40a264 __set_app_type
 0x40a268 __getmainargs
 0x40a26c _amsg_exit
 0x40a270 __p__commode
 0x40a274 _XcptFilter
 0x40a278 memcpy_s
 0x40a27c _vsnprintf
 0x40a280 memset
COMCTL32.dll
 0x40a03c None
Cabinet.dll
 0x40a044 None
 0x40a048 None
 0x40a04c None
 0x40a050 None
VERSION.dll
 0x40a224 GetFileVersionInfoA
 0x40a228 VerQueryValueA
 0x40a22c GetFileVersionInfoSizeA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure