Report - Setup.exe

Generic Malware Malicious Library UPX Malicious Packer .NET framework(MSIL) Antivirus Anti_VM PE File PE32 OS Processor Check ZIP Format BMP Format CHM Format DLL .NET EXE PE64 MSOffice File JPEG Format Word 2007 file format(docx)
Created 2023.10.11 18:08 Machine s1_win7_x6403
Filename Setup.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 4
Behavior Score 12.0
ZERO API file : malware
VT API (file) 29 detected (AIDetectMalware, malicious, high confidence, yCW@aKAYGQfi, AdwareImali, confidence, Attribute, HighConfidence, score, Static AI, Suspicious PE, ai score=88, Wacapew, unsafe, Generic@AI, RDML, ta5QK8JxBhTR1KA33molAg, susgen)
md5 aac23ff6c2cc93769600e060ab7cfca9
sha256 ddeda215cd74d0d7516cd2862d6ef39d1329e5d06dc59f4b38f95a36b1c69bcd
ssdeep 6144:BldGJUaHy3IL1kBu+11KhwAORVGBapZ1LQumfF5Iuxr1T:Bly7HAILqv1Khw3Re11T
imphash 4ae233e271f9593b3373c8d875c9b855
impfuzzy 24:dDj4rrzSucHVrc+WcJBlivDXOjCtWS1rMU9rotHOovbOTv1jMMZxZuKmkM1zHlwE:dYPic+H+XtWS1rMUZd3z9ZaK2CpHt8J

Signature (27cnts)

Level Description
warning File has been identified by 29 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Created a service where a service was also not started
watch Deletes a large number of files from the system indicative of ransomware
watch Detects Avast Antivirus through the presence of a library
watch Detects Virtual Machines through their custom firmware
watch Harvests credentials from local email clients
watch Network activity contains more than one unique useragent
notice A process attempted to delay the analysis task
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process setup.exe
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path

Rules (24cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info bmp_file_format bmp file format binaries (download)
info chm_file_format chm file format binaries (download)
info docx Word 2007 file format detection binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info zip_file_format ZIP file format binaries (download)

Network (19cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.225.75.8/stryzon/cleanse.exe DE Mayak Smart Services Ltd. 185.225.75.8 clean
http://185.225.75.8/stryzon/build.exe DE Mayak Smart Services Ltd. 185.225.75.8 clean
http://api.ipify.org/ US WEBNX 104.237.62.212 clean
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO DE Mayak Smart Services Ltd. 185.225.75.8 clean
http://185.225.75.8/stryzon/typhon.exe DE Mayak Smart Services Ltd. 185.225.75.8 clean
http://ip-api.com/line/?fields=hosting US TUT-AS 208.95.112.1 clean
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2J1aWxkLmV4ZQ== DE Mayak Smart Services Ltd. 185.225.75.8 clean
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL3R5cGhvbi5leGU= DE Mayak Smart Services Ltd. 185.225.75.8 clean
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2NsZWFuc2UuZXhl DE Mayak Smart Services Ltd. 185.225.75.8 clean
https://ipapi.co/175.208.134.152/json US CLOUDFLARENET 104.26.9.44 clean
api.telegram.org GB Telegram Messenger Inc 149.154.167.220 clean
api.ipify.org US WEBNX 104.237.62.212 clean
ipapi.co US CLOUDFLARENET 104.26.9.44 clean
ip-api.com US TUT-AS 208.95.112.1 clean
104.26.9.44 US CLOUDFLARENET 104.26.9.44 malicious
149.154.167.220 GB Telegram Messenger Inc 149.154.167.220 clean
64.185.227.156 US WEBNX 64.185.227.156 clean
208.95.112.1 US TUT-AS 208.95.112.1 clean
185.225.75.8 DE Mayak Smart Services Ltd. 185.225.75.8 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x42e024 GetLastError
 0x42e028 CloseHandle
 0x42e02c CopyFileW
 0x42e030 GetComputerNameA
 0x42e034 CheckRemoteDebuggerPresent
 0x42e038 Sleep
 0x42e03c MultiByteToWideChar
 0x42e040 OpenProcess
 0x42e044 GetModuleHandleA
 0x42e048 CreateMutexW
 0x42e04c GetModuleFileNameW
 0x42e050 GetCurrentProcess
 0x42e054 HeapSize
 0x42e058 CreateFileW
 0x42e05c ReadConsoleW
 0x42e060 WriteConsoleW
 0x42e064 SetStdHandle
 0x42e068 SetEnvironmentVariableA
 0x42e06c FreeEnvironmentStringsW
 0x42e070 GetEnvironmentStringsW
 0x42e074 GetOEMCP
 0x42e078 IsValidCodePage
 0x42e07c FindNextFileA
 0x42e080 FindFirstFileExA
 0x42e084 FindClose
 0x42e088 GetModuleFileNameA
 0x42e08c CreateDirectoryW
 0x42e090 GetProcessHeap
 0x42e094 WideCharToMultiByte
 0x42e098 EnterCriticalSection
 0x42e09c LeaveCriticalSection
 0x42e0a0 DeleteCriticalSection
 0x42e0a4 EncodePointer
 0x42e0a8 DecodePointer
 0x42e0ac SetLastError
 0x42e0b0 InitializeCriticalSectionAndSpinCount
 0x42e0b4 CreateEventW
 0x42e0b8 TlsAlloc
 0x42e0bc TlsGetValue
 0x42e0c0 TlsSetValue
 0x42e0c4 TlsFree
 0x42e0c8 GetSystemTimeAsFileTime
 0x42e0cc GetModuleHandleW
 0x42e0d0 GetProcAddress
 0x42e0d4 CompareStringW
 0x42e0d8 LCMapStringW
 0x42e0dc GetLocaleInfoW
 0x42e0e0 GetStringTypeW
 0x42e0e4 GetCPInfo
 0x42e0e8 SetEvent
 0x42e0ec ResetEvent
 0x42e0f0 WaitForSingleObjectEx
 0x42e0f4 UnhandledExceptionFilter
 0x42e0f8 SetUnhandledExceptionFilter
 0x42e0fc TerminateProcess
 0x42e100 IsProcessorFeaturePresent
 0x42e104 IsDebuggerPresent
 0x42e108 GetStartupInfoW
 0x42e10c QueryPerformanceCounter
 0x42e110 GetCurrentProcessId
 0x42e114 GetCurrentThreadId
 0x42e118 InitializeSListHead
 0x42e11c RtlUnwind
 0x42e120 RaiseException
 0x42e124 FreeLibrary
 0x42e128 LoadLibraryExW
 0x42e12c ExitProcess
 0x42e130 GetModuleHandleExW
 0x42e134 HeapAlloc
 0x42e138 HeapReAlloc
 0x42e13c HeapFree
 0x42e140 GetStdHandle
 0x42e144 WriteFile
 0x42e148 GetCommandLineA
 0x42e14c GetCommandLineW
 0x42e150 GetACP
 0x42e154 GetFileType
 0x42e158 FlushFileBuffers
 0x42e15c GetConsoleCP
 0x42e160 GetConsoleMode
 0x42e164 IsValidLocale
 0x42e168 GetUserDefaultLCID
 0x42e16c EnumSystemLocalesW
 0x42e170 ReadFile
 0x42e174 SetFilePointerEx
 0x42e178 SetEndOfFile
ADVAPI32.dll
 0x42e000 RegSetValueExW
 0x42e004 RegCreateKeyExW
 0x42e008 RegCloseKey
 0x42e00c RegQueryValueExA
 0x42e010 GetUserNameA
 0x42e014 RegOpenKeyExA
SHELL32.dll
 0x42e1a0 ShellExecuteA
ole32.dll
 0x42e1c0 CoCreateInstance
 0x42e1c4 CoUninitialize
 0x42e1c8 CoInitializeSecurity
 0x42e1cc CoInitializeEx
 0x42e1d0 CoSetProxyBlanket
OLEAUT32.dll
 0x42e180 VariantClear
 0x42e184 SysAllocString
 0x42e188 SysFreeString
 0x42e18c VariantInit
WININET.dll
 0x42e1a8 InternetReadFile
 0x42e1ac InternetOpenUrlA
 0x42e1b0 InternetCloseHandle
 0x42e1b4 InternetOpenW
 0x42e1b8 InternetOpenA
CRYPT32.dll
 0x42e01c CryptBinaryToStringA
PSAPI.DLL
 0x42e194 EnumProcesses
 0x42e198 GetModuleBaseNameA

EAT(Export Address Table) is none
