popup

Report - zip1_09.7z

PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.11 15:46 Machine s1_win7_x6402
Filename zip1_09.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
8.0
ZERO API file : malware
VT API (file)
md5 cc7af56986cf3d93d33a92bd4a2962f1
sha256 86b8a2eae14557ea665017a7eabd63022aa907f4dace3e18911922c0edafb62a
ssdeep 196608:ACWste93k4cAQwbIDiM4lHVJ3+4DZVMscLt7GFH6DdJ:CuAzyIVJO49VMscVbJ
imphash
impfuzzy
  Network IP location

Signature (16cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch Performs a TXT record DNS lookup potentially for command and control or covert channel
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (122cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://94.142.138.131/api/firegate.php
whois
RU Ihor Hosting LLC 94.142.138.131 32650 mailcious
http://194.169.175.232/autorun.exe
whois
Unknown 194.169.175.232 36817 malware
http://colisumy.com/dl/build2.exe
whois
AR Telecom Argentina S.A. 181.170.86.159 31026 malware
http://45.9.74.80/super.exe
whois
Unknown 45.9.74.80 36063 malware
http://171.22.28.226/download/Services.exe
whois
DE CMCS 171.22.28.226 37064 malware
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://176.113.115.84:8080/4.php
whois
RU OOO Network of data-centers Selectel 176.113.115.84 34795 mailcious
http://171.22.28.226/download/WWW14_64.exe
whois
DE CMCS 171.22.28.226 36907 malware
http://94.142.138.131/api/firecom.php
whois
RU Ihor Hosting LLC 94.142.138.131 36179 mailcious
http://172.86.98.101/xs12pro/Vdthrdd.pdf
whois
CA QUICKPACKET 172.86.98.101 37111 mailcious
http://45.9.74.80/zinda.exe
whois
Unknown 45.9.74.80 37063 malware
http://45.15.156.229/api/firegate.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 36052 mailcious
http://94.142.138.131/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.131 28311 mailcious
http://zexeq.com/files/1/build3.exe
whois
KR LG DACOM Corporation 211.168.53.110 27913 malware
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.18.145.235 clean
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
whois
KR LG DACOM Corporation 211.119.84.111 27911 mailcious
http://77.91.68.249/navi/kur90.exe
whois
RU Foton Telecom CJSC 77.91.68.249 37069 malware
http://171.22.28.212/carryspend.exe
whois
DE CMCS 171.22.28.212 malware
http://www.google.com/
whois
US GOOGLE 142.250.76.132 clean
http://bytecloudasa.website/api
whois
US CLOUDFLARENET 104.21.61.162 clean
https://vk.com/doc52355237_666782820?hash=ArroX66l9eYl49eAHc8hpGG9y4ueo0YcyAXCK6pwb68&dl=kNiFdjjHEiGZauYFHzX4HcInvoKLFcTYwmBCbWjJoNw&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://vk.com/doc52355237_666668172?hash=wwfZZzZZokN7qGd0uT31zdZN97zwBwUnQptWvOtzuj0&dl=CVnxQYTnwznuyYRMd8eUICnCWdIJZdojYQtP4hgKiGs&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://schematize.pw/setup294.exe
whois
US CLOUDFLARENET 172.67.152.98 37138 malware
https://sun6-20.userapi.com/c909418/u52355237/docs/d49/157bd218c256/Bot_Clien.bmp?extra=WUvO1XI1uqSHPkWtf0VHtIzTVHgGyRARItFKI-Nkl-RCUrue3bu_n5dnWoMdYi-uNjIibwh_8pnJLTQMpb6Q6CoOijCEVVGotsDlH9yz4k_iRnCQH75ndCjMFugsVh7Hldwu1lHUjEssXTAV
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-22.userapi.com/c236331/u52355237/docs/d18/ba602f90184f/RisePro.bmp?extra=ZGSHOj1SUKWsH9ciwC-NMNEuCzdk89-6fYkmfW9tGEmTbEfaM_j2y3Qp0FbpJdu5JJekdSeKyhjyXDKHi20ulCqEs8RYDPqp8q5FMnmauoNbcTgxiior7j1_0fqQ6mBVUqbACDeY8atU2Czs
whois
RU VKontakte Ltd 95.142.206.2 clean
https://vk.com/doc52355237_666718867?hash=rZYzbFYXXCWmOqgw03u9u3XToWkECzsXfTtsULQ1lTo&dl=tC2Kp75zzEgipXGxgSUDWzlqSeDLzQjiUXjIFZBV8gc&api=1&no_preview=1#test22
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://db-ip.com/
whois
US CLOUDFLARENET 172.67.75.166 clean
https://vk.com/doc52355237_666772349?hash=hYVRMj3VXZEN6TuoRIyuNJBsp1uaaX2imFKbcIG1Vfg&dl=9cyMlTApKcbHG0TjdzdQvAAFPBW96Jc1btF9S5guV48&api=1&no_preview=1#rise
whois
RU VKontakte Ltd 87.240.132.72 clean
https://vk.com/doc52355237_666756864?hash=6DFeRVc5RezUEATw70eLHr8HvfHAogkWHkFr13KIngP&dl=VWkHxUBsFZ3HkLZ5PiRwJi45M39XiIm0Y75Z3olHyw0&api=1&no_preview=1#kk
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/1bd250750449/51.bmp?extra=NuQ59cemfVjpdbicEDrrfsVJcohTmO0y7-2ttyR96xIzm_w-N1Tb_oIiG5fNJLWDleJMcediI2xJAYmUxsli3TdNhgqUp4Z7uXyPxh030Az7OK_mZTvfLw-7sBSGpkSUZ2zaDqxVcAGn4TCN
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 malware
https://dzen.ru/?yredirect=true
whois
RU Invest Mobile LLC 62.217.160.2 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://api.2ip.ua/geo.json
whois
US CLOUDFLARENET 104.21.65.24 clean
https://sun6-20.userapi.com/c909618/u52355237/docs/d14/c31569dfbdeb/tmvwr.bmp?extra=yxC_ij_BEaCeg17_3RBMDQ1BNAZNk2h_OM7eSsW8UFjriQQEuPjhkmx7r0l5RwikTTTaRs8JC_WeZ6J1ia9pemH-qujCGGdFQ4qt1HjhdnUs91Pu9zHKbqwz31PEAhQxeOFJQPN_beZxT45a
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a82d91b97f12/s328sadfg.bmp?extra=6xWrrlo6Cv0Gdb_7Fs8AohN3jYPbW7Anu6IsH5tYR28Bazoiwle7XANsbcn_ojgZepaG3C3V7-EO8tfU3sUEWyzpTTMiOhD3f_RKBRuB6cEngZu5y8U_bC5GVV3LMEZpPK42aJxtw0YqR8a7
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/3398ce617636/test22.bmp?extra=lo5VKmrOf36tyYmGEcwOwY2zpfSYN7fGQ2yXdt90r_7u24cra1AqPMMLmZLxPp4rZZJiTArlHuqGw__SdvVcgrgz1C5fLKEivr7XNn8u1qzJAN2TrvJhzqfyAbrB3AF-DLwMdohQlTY21hLG
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc52355237_666778810?hash=a0C18Yh08hANR7cCctmCh90MT3krBIkk4s3AR7nGkB4&dl=AUlI6iExE9qVYw6mhta9PECgosFse5VMWbDYzR3ISkL&api=1&no_preview=1#1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.4.15 clean
https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://sso.passport.yandex.ru/push?uuid=b09af16e-2e62-4304-9cf5-7f2d1c90ff55&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
whois
RU YANDEX LLC 213.180.204.24 clean
https://sun6-20.userapi.com/c235031/u52355237/docs/d44/f1da833abf33/crypted.bmp?extra=2XY-uciChBIpPgYdT6Wh5rOVAqndE6E26Wl3HlTrZVbWUUvG8hWvWDsSa4_aAiOD3O8c0QwQyXspglH2XZUCpChASve6HqKl5wNA7qTO5nYs0cfUPaT83_ObjaFQepb-p8krkTffz9kq27hz
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/79524fc6ee6e/PL_Client.bmp?extra=Kde4pa27E6nTlThwI1jPmz7Zxa08aZBfOrc_9NSCYxoaYt0MmEt10PQTDujcbtrYFCSTWMZpCLN1MkqZEdJP0UnKAj8m4QVyFvvzeY5GGcGgWlZ5ldPy5SVg89O6jgA587BEQuCjUOJ_mYqg
whois
RU VKontakte Ltd 95.142.206.0 clean
watson.microsoft.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 104.208.16.93 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
vanaheim.cn
whois
RU IQHost Ltd 193.106.174.220 mailcious
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 mailcious
yandex.ru
whois
RU YANDEX LLC 5.255.255.70 clean
dzen.ru
whois
RU Invest Mobile LLC 62.217.160.2 clean
schematize.pw
whois
US CLOUDFLARENET 104.21.32.142 malware
api.2ip.ua
whois
US CLOUDFLARENET 172.67.139.220 clean
steamcommunity.com
whois
US Akamai International B.V. 104.75.41.21 mailcious
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
twitter.com
whois
US TWITTER 104.244.42.1 clean
telegram.org
whois
GB Telegram Messenger Inc 149.154.167.99 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
sso.passport.yandex.ru
whois
RU YANDEX LLC 213.180.204.24 clean
bytecloudasa.website
whois
US CLOUDFLARENET 172.67.212.39 clean
69d9414d-87e8-4ca5-945d-204bdc8124d9.uuid.zaoshanghao.su
whois
BG ITL LLC 185.82.216.48 clean
onualituyrs.org
whois
RU Petersburg Internet Network ltd. 91.215.85.209 malware
zexeq.com
whois
BA BH Telecom d.d. Sarajevo 109.175.29.39 malware
colisumy.com
whois
SA Saudi Telecom Company JSC 2.88.121.8 malware
www.google.com
whois
US GOOGLE 142.250.76.132 clean
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 mailcious
www.maxmind.com
whois
US CLOUDFLARENET 104.18.145.235 clean
vk.com
whois
RU VKontakte Ltd 87.240.129.133 mailcious
api.myip.com
whois
US CLOUDFLARENET 104.26.9.59 clean
104.21.61.162
whois
US CLOUDFLARENET 104.21.61.162 clean
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
193.106.174.220
whois
RU IQHost Ltd 193.106.174.220 clean
104.18.146.235
whois
US CLOUDFLARENET 104.18.146.235 clean
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
185.225.75.171
whois
DE Mayak Smart Services Ltd. 185.225.75.171 clean
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
62.122.184.92
whois
Unknown 62.122.184.92 mailcious
172.86.98.101
whois
CA QUICKPACKET 172.86.98.101 mailcious
62.217.160.2
whois
RU Invest Mobile LLC 62.217.160.2 clean
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
104.21.65.24
whois
US CLOUDFLARENET 104.21.65.24 clean
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
80.66.75.4
whois
RU Alexander Valerevich Mokhonko 80.66.75.4 mailcious
51.255.152.132
whois
FR OVH SAS 51.255.152.132 mailcious
91.215.85.209
whois
RU Petersburg Internet Network ltd. 91.215.85.209 mailcious
142.250.204.100
whois
US GOOGLE 142.250.204.100 clean
171.22.28.226
whois
DE CMCS 171.22.28.226 malware
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
77.91.68.249
whois
RU Foton Telecom CJSC 77.91.68.249 malware
176.113.115.84
whois
RU OOO Network of data-centers Selectel 176.113.115.84 mailcious
176.113.115.85
whois
RU OOO Network of data-centers Selectel 176.113.115.85 mailcious
77.88.55.60
whois
RU YANDEX LLC 77.88.55.60 clean
104.244.42.65
whois
US TWITTER 104.244.42.65 suspicious
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
193.42.32.118
whois
Unknown 193.42.32.118 mailcious
176.113.115.135
whois
RU OOO Network of data-centers Selectel 176.113.115.135 mailcious
176.113.115.136
whois
RU OOO Network of data-centers Selectel 176.113.115.136 mailcious
45.143.201.238
whois
Unknown 45.143.201.238 mailcious
45.9.74.80
whois
Unknown 45.9.74.80 malware
194.169.175.232
whois
Unknown 194.169.175.232 malware
176.123.9.142
whois
MD Alexhost Srl 176.123.9.142 mailcious
104.208.16.93
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 104.208.16.93 clean
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
172.67.152.98
whois
US CLOUDFLARENET 172.67.152.98 malware
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
2.88.121.8
whois
SA Saudi Telecom Company JSC 2.88.121.8 clean
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 mailcious
211.119.84.111
whois
KR LG DACOM Corporation 211.119.84.111 malware
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 mailcious
94.142.138.131
whois
RU Ihor Hosting LLC 94.142.138.131 mailcious
213.180.204.24
whois
RU YANDEX LLC 213.180.204.24 clean
62.122.184.58
whois
Unknown 62.122.184.58 mailcious
87.240.132.72
whois
RU VKontakte Ltd 87.240.132.72 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
104.76.78.101
whois
US Akamai International B.V. 104.76.78.101 mailcious
171.22.28.212
whois
DE CMCS 171.22.28.212 malware

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Packed Executable Download
ET INFO Dotted Quad Host PDF Request
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In

Similarity measure (PE file only) - Checking for service failure