popup

Report - zip_pass1234.7z

Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.11 17:01 Machine s1_win7_x6402
Filename zip_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
5.6
ZERO API file : malware
VT API (file)
md5 902a9838f4e815e995103aa9d5ec3108
sha256 b6f35175f1725d5f53530e9429ca62193cc5ec602f7d3b16e350cbf66e9642f9
ssdeep 196608:Xbglwh8WSTVNwG12zpRiFEGCg4kgWdjRvDa4VQs5IuNJUxEgZFvhUuY:EamWOVL10RI9Cg4k1RraQdNUx5vhUuY
imphash
impfuzzy
  Network IP location

Signature (12cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (51cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://171.22.28.226/download/Services.exe
whois
DE CMCS 171.22.28.226 37064 malware
http://176.113.115.84:8080/4.php
whois
RU OOO Network of data-centers Selectel 176.113.115.84 34795 mailcious
http://194.169.175.232/autorun.exe
whois
Unknown 194.169.175.232 36817 malware
http://94.142.138.113/api/firegate.php
whois
RU Ihor Hosting LLC 94.142.138.113 36152 mailcious
http://77.91.68.249/navi/kur90.exe
whois
RU Foton Telecom CJSC 77.91.68.249 37069 malware
http://171.22.28.212/carryspend.exe
whois
DE CMCS 171.22.28.212 37179 malware
http://94.142.138.113/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.113 28877 mailcious
https://schematize.pw/setup294.exe
whois
US CLOUDFLARENET 172.67.152.98 37138 malware
https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 malware
https://sun6-22.userapi.com/c236331/u52355237/docs/d18/ba602f90184f/RisePro.bmp?extra=ZGSHOj1SUKWsH9ciwC-NMNEuCzdk89-6fYkmfW9tGEmTbEfaM_j2y3Qp0FbpJdu5JJekdSeKyhjyXDKHi20ulCqEs8RYDPqp8q5FMnmauoNbcTgxhiYr7j1_0fqQ6mBVVKqaCGfPpqwAg3i-
whois
RU VKontakte Ltd 95.142.206.2 clean
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/1bd250750449/51.bmp?extra=NuQ59cemfVjpdbicEDrrfsVJcohTmO0y7-2ttyR96xIzm_w-N1Tb_oIiG5fNJLWDleJMcediI2xJAYmUxsli3TdNhgqUp4Z7uXyPxh030Az7OK_maTffLw-7sBSGpkSUaD6LX6hWcw-l4GHW
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc52355237_666778810?hash=a0C18Yh08hANR7cCctmCh90MT3krBIkk4s3AR7nGkB4&dl=AUlI6iExE9qVYw6mhta9PECgosFse5VMWbDYzR3ISkL&api=1&no_preview=1#1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://sun6-20.userapi.com/c235031/u52355237/docs/d44/f1da833abf33/crypted.bmp?extra=2XY-uciChBIpPgYdT6Wh5rOVAqndE6E26Wl3HlTrZVbWUUvG8hWvWDsSa4_aAiOD3O8c0QwQyXspglH2XZUCpChASve6HqKl5wNA7qTO5nYs0cfUMaj83_ObjaFQepb-ppl7lDqLmoMojbx2
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/79524fc6ee6e/PL_Client.bmp?extra=Kde4pa27E6nTlThwI1jPmz7Zxa08aZBfOrc_9NSCYxoaYt0MmEt10PQTDujcbtrYFCSTWMZpCLN1MkqZEdJP0UnKAj8m4QVyFvvzeY5GGcGgWlZ5md_y5SVg89O6jgA5qLQfQ-z1AuQowoyj
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/3398ce617636/test22.bmp?extra=lo5VKmrOf36tyYmGEcwOwY2zpfSYN7fGQ2yXdt90r_7u24cra1AqPMMLmZLxPp4rZZJiTArlHuqGw__SdvVcgrgz1C5fLKEivr7XNn8u1qzJAN2Tov5hzqfyAbrB3AF-XrwOdI8NwGE1hBbA
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc52355237_666718867?hash=rZYzbFYXXCWmOqgw03u9u3XToWkECzsXfTtsULQ1lTo&dl=tC2Kp75zzEgipXGxgSUDWzlqSeDLzQjiUXjIFZBV8gc&api=1&no_preview=1#test22
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://sun6-20.userapi.com/c909418/u52355237/docs/d49/157bd218c256/Bot_Clien.bmp?extra=WUvO1XI1uqSHPkWtf0VHtIzTVHgGyRARItFKI-Nkl-RCUrue3bu_n5dnWoMdYi-uNjIibwh_8pnJLTQMpb6Q6CoOijCEVVGotsDlH9yz4k_iRnCQE7JndCjMFugsVh7HxIoogAaG3UIsWGdB
whois
RU VKontakte Ltd 95.142.206.0 clean
https://api.myip.com/
whois
US CLOUDFLARENET 172.67.75.163 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc52355237_666668172?hash=wwfZZzZZokN7qGd0uT31zdZN97zwBwUnQptWvOtzuj0&dl=CVnxQYTnwznuyYRMd8eUICnCWdIJZdojYQtP4hgKiGs&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://vk.com/doc52355237_666772349?hash=hYVRMj3VXZEN6TuoRIyuNJBsp1uaaX2imFKbcIG1Vfg&dl=9cyMlTApKcbHG0TjdzdQvAAFPBW96Jc1btF9S5guV48&api=1&no_preview=1#rise
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a82d91b97f12/s328sadfg.bmp?extra=6xWrrlo6Cv0Gdb_7Fs8AohN3jYPbW7Anu6IsH5tYR28Bazoiwle7XANsbcn_ojgZepaG3C3V7-EO8tfU3sUEWyzpTTMiOhD3f_RKBRuB6cEngZu5x8k_bC5GVV3LMEZpaq9hbJJpwEd5EZC7
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc52355237_666756864?hash=6DFeRVc5RezUEATw70eLHr8HvfHAogkWHkFr13KIngP&dl=VWkHxUBsFZ3HkLZ5PiRwJi45M39XiIm0Y75Z3olHyw0&api=1&no_preview=1#kk
whois
RU VKontakte Ltd 87.240.132.72 mailcious
schematize.pw
whois
US CLOUDFLARENET 104.21.32.142 malware
api.myip.com
whois
US CLOUDFLARENET 104.26.8.59 clean
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 mailcious
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 mailcious
onualituyrs.org
whois
RU Petersburg Internet Network ltd. 91.215.85.209 malware
vk.com
whois
RU VKontakte Ltd 87.240.137.164 mailcious
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
77.91.68.249
whois
RU Foton Telecom CJSC 77.91.68.249 malware
172.67.152.98
whois
US CLOUDFLARENET 172.67.152.98 malware
172.67.75.163
whois
US CLOUDFLARENET 172.67.75.163 clean
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 mailcious
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 mailcious
91.215.85.209
whois
RU Petersburg Internet Network ltd. 91.215.85.209 mailcious
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
171.22.28.226
whois
DE CMCS 171.22.28.226 malware
194.169.175.232
whois
Unknown 194.169.175.232 malware
87.240.132.72
whois
RU VKontakte Ltd 87.240.132.72 mailcious
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
208.67.104.60
whois
Unknown 208.67.104.60 mailcious
176.113.115.84
whois
RU OOO Network of data-centers Selectel 176.113.115.84 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
171.22.28.212
whois
DE CMCS 171.22.28.212 malware

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET HUNTING Suspicious services.exe in URI
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure

Similarity measure (PE file only) - Checking for service failure