Report - system32.exe

Tags: Vidar, Gen1, Malicious Library, UPX, Malicious Packer, PE File, PE32, OS Processor Check, DLL
Created 2023.10.19 07:55
Machine s1_win7_x6403
Filename system32.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 13.2
ZERO API file : malware
VT API (file) 49 detected (AIDetectMalware, Coins, malicious, high confidence, Zusy, CoinMiner, unsafe, Save, TrojanPSW, confidence, 100%, Attribute, HighConfidence, Vidar, score, PWSX, QQPass, QQRob, Dwnw, YXDJRZ, moderate, Outbreak, Eldorado, Sabsik, Detected, R611531, Artemis, ai score=88, BScope, Genetic, Generic@AI, RDML, kWIqWZuH82n1kHaz4J+w5w, Static AI, Malicious PE, susgen, Raccoon, ZexaF, tqW@a4Ladrc)
md5 d1e40dfbae57e5f3205117f5c9d64a76
sha256 ec7770a2cfa4cbffac72f98538eb541a67b18dc04658a3d6218a7a060ffed38d
ssdeep 6144:QUNdslLON1aPsi5chCRXmI4/LusZbXm+QRALNVJCofhOqUZaBMYUB:QxGwP/OWOxXm+4AdCo+oKxB
imphash 62d315482935db63b6502d6a5f04722d
impfuzzy 24:AVDut4DbCbX+Z4kNdZ+fcWbluGMOovKtZJ3xnlyvcjMZ/HOT4tQwAiwxlTeEkEQn:pXCZFdZ+fcDGTttb1KEceNxNQ

Signature (28cnts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Attempts to detect Cuckoo Sandbox through the presence of a file
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects VirtualBox using WNetGetProviderName trick
watch Executes one or more WMI queries
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Network activity contains more than one unique useragent
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (13cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (9cnts)

Request CC ASN owner IP4 Rule ZERO
http://5.75.212.77/ DE Hetzner Online GmbH 5.75.212.77 clean
http://5.75.212.77/upgrade.zip DE Hetzner Online GmbH 5.75.212.77 clean
http://5.75.212.77/f02b730f81476e82205d9d2eb21e0ef8 DE Hetzner Online GmbH 5.75.212.77 clean
https://steamcommunity.com/profiles/76561199563297648 US Akamai International B.V. 104.76.78.101 37362 malicious
t.me GB Telegram Messenger Inc 149.154.167.99 malicious
steamcommunity.com US Akamai International B.V. 104.75.41.21 malicious
149.154.167.99 GB Telegram Messenger Inc 149.154.167.99 malicious
5.75.212.77 DE Hetzner Online GmbH 5.75.212.77 clean
104.76.78.101 US Akamai International B.V. 104.76.78.101 malicious
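The rows above show the sample fetching a Steam profile page and t.me before its first plain-HTTP contact with 5.75.212.77 (a root request, a 32-hex-character resource and upgrade.zip), with more than one user agent in play according to the signatures. Reading the Steam/Telegram fetches as a dead-drop C2 lookup is my interpretation, not something the report states. The script below is an added example, not the sandbox's or the sample's code: it correlates the two stages per client over constructed proxy-log lines modelled on these URLs. The t.me path, the POST method, the client addresses, the timestamps and the user agents are invented for the example; only the hostnames, the Steam profile id, the C2 IP and its three paths come from the table.

```python
"""Proxy-log detection for the contact pattern in the network table above.

Added example written for this report, not the sandbox's or the sample's
code. Two stages are correlated per client: a fetch of a Steam profile or a
t.me page (dead-drop style C2 lookup, my interpretation of the table) and,
within WINDOW, plain HTTP to a raw IPv4 literal with a path shaped like the
ones in the table ("/", a 32-hex resource, or a .zip). Either stage alone
is normal traffic and does not fire.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines modelled on the report's URLs; not captured traffic.
# Format: <UTC timestamp> <client> <method> <url> "<user-agent>"
LOG = """\
2023-10-19T07:55:02Z 10.0.0.5 GET https://steamcommunity.com/profiles/76561199563297648 "Mozilla/5.0 (Windows NT 6.1) Chrome/118.0"
2023-10-19T07:55:03Z 10.0.0.5 GET https://t.me/s/example_channel "Mozilla/5.0 (Windows NT 6.1) Chrome/118.0"
2023-10-19T07:55:05Z 10.0.0.5 GET http://5.75.212.77/ "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
2023-10-19T07:55:06Z 10.0.0.5 POST http://5.75.212.77/f02b730f81476e82205d9d2eb21e0ef8 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
2023-10-19T07:55:07Z 10.0.0.5 GET http://5.75.212.77/upgrade.zip "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
2023-10-19T08:10:00Z 10.0.0.7 GET https://steamcommunity.com/profiles/76561190000000001 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
2023-10-19T08:12:00Z 10.0.0.7 GET https://store.steampowered.com/app/730 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
2023-10-19T08:30:00Z 10.0.0.9 GET http://192.168.1.20/upgrade.zip "WindowsUpdateAgent"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Stage A: Steam profile (17-digit id) or any t.me page.
DEAD_DROP = re.compile(r"^https?://(?:steamcommunity\.com/profiles/\d{17}|t\.me/\S+)", re.I)
# Stage B: plain HTTP to a raw IPv4 literal; path empty, 32 hex chars, or one .zip segment.
RAW_IP_C2 = re.compile(
    r"^http://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/(?:[0-9a-f]{32}|[^/?#]+\.zip)?$", re.I)
WINDOW = timedelta(minutes=10)


def parse(line):
    ts, client, method, url, ua = LINE.match(line).groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url, "ua": ua}


def events(log=LOG):
    return sorted((parse(l) for l in log.splitlines() if l.strip()), key=lambda e: e["ts"])


def detect(log=LOG):
    """client -> first (lookup url, raw-IP url, lag) pair seen within WINDOW."""
    last_lookup, hits = {}, {}
    for e in events(log):
        c = e["client"]
        if DEAD_DROP.match(e["url"]):
            last_lookup[c] = e
        elif RAW_IP_C2.match(e["url"]) and c in last_lookup and c not in hits:
            lag = e["ts"] - last_lookup[c]["ts"]
            if lag <= WINDOW:
                hits[c] = {"lookup": last_lookup[c]["url"], "c2": e["url"],
                           "lag_s": lag.total_seconds()}
    return hits


def user_agents(log=LOG):
    """client -> set of user agents; the report flags more than one per host."""
    seen = defaultdict(set)
    for e in events(log):
        seen[e["client"]].add(e["ua"])
    return dict(seen)


if __name__ == "__main__":
    for client, hit in detect().items():
        print(f"{client}: {hit['lookup']} -> {hit['c2']} after {hit['lag_s']:.0f}s, "
              f"{len(user_agents()[client])} user agents")
```

Only 10.0.0.5 fires: 10.0.0.7 visits a Steam profile but never talks to a raw IP, and 10.0.0.9 pulls a .zip from a raw IP without any preceding lookup. In a real deployment the raw-IP stage is the proxy-visible counterpart of the report's "communicates with host for which no DNS query was performed" signature; if DNS logs are available, join on the absence of a query instead of on the URL shape.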

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x43900c Sleep
 0x439010 FlsAlloc
 0x439014 lstrlenW
 0x439018 LocalAlloc
 0x43901c lstrcatW
 0x439020 HeapAlloc
 0x439024 GetProcessHeap
 0x439028 GetProcAddress
 0x43902c GetCurrentProcess
 0x439030 VirtualProtect
 0x439034 GetLogicalProcessorInformationEx
 0x439038 lstrlenA
 0x43903c CloseHandle
 0x439040 Process32Next
 0x439044 Process32First
 0x439048 CreateToolhelp32Snapshot
 0x43904c FindNextFileW
 0x439050 FindFirstFileW
 0x439054 SetEndOfFile
 0x439058 LoadLibraryA
 0x43905c ExitProcess
 0x439060 CreateFileW
 0x439064 CreateFileA
 0x439068 SetStdHandle
 0x43906c WriteConsoleW
 0x439070 LoadLibraryW
 0x439074 IsValidLocale
 0x439078 EnumSystemLocalesA
 0x43907c GetLocaleInfoA
 0x439080 GetUserDefaultLCID
 0x439084 InterlockedIncrement
 0x439088 InterlockedDecrement
 0x43908c WideCharToMultiByte
 0x439090 InterlockedExchange
 0x439094 InitializeCriticalSection
 0x439098 DeleteCriticalSection
 0x43909c EnterCriticalSection
 0x4390a0 LeaveCriticalSection
 0x4390a4 EncodePointer
 0x4390a8 DecodePointer
 0x4390ac MultiByteToWideChar
 0x4390b0 GetLastError
 0x4390b4 HeapFree
 0x4390b8 RaiseException
 0x4390bc RtlUnwind
 0x4390c0 GetSystemTimeAsFileTime
 0x4390c4 GetCommandLineA
 0x4390c8 HeapSetInformation
 0x4390cc GetStartupInfoW
 0x4390d0 LCMapStringW
 0x4390d4 GetCPInfo
 0x4390d8 IsProcessorFeaturePresent
 0x4390dc TerminateProcess
 0x4390e0 UnhandledExceptionFilter
 0x4390e4 SetUnhandledExceptionFilter
 0x4390e8 IsDebuggerPresent
 0x4390ec GetModuleHandleW
 0x4390f0 WriteFile
 0x4390f4 GetStdHandle
 0x4390f8 GetModuleFileNameW
 0x4390fc HeapCreate
 0x439100 TlsAlloc
 0x439104 TlsGetValue
 0x439108 TlsSetValue
 0x43910c TlsFree
 0x439110 SetLastError
 0x439114 GetCurrentThreadId
 0x439118 GetACP
 0x43911c GetOEMCP
 0x439120 IsValidCodePage
 0x439124 HeapSize
 0x439128 SetHandleCount
 0x43912c InitializeCriticalSectionAndSpinCount
 0x439130 GetFileType
 0x439134 GetConsoleCP
 0x439138 GetConsoleMode
 0x43913c FlushFileBuffers
 0x439140 ReadFile
 0x439144 SetFilePointer
 0x439148 GetModuleFileNameA
 0x43914c FreeEnvironmentStringsW
 0x439150 GetEnvironmentStringsW
 0x439154 QueryPerformanceCounter
 0x439158 GetTickCount
 0x43915c GetCurrentProcessId
 0x439160 GetStringTypeW
 0x439164 GetLocaleInfoW
 0x439168 HeapReAlloc
USER32.dll
 0x43917c ReleaseDC
GDI32.dll
 0x439000 GetDeviceCaps
 0x439004 CreateDCA
ole32.dll
 0x439184 CoCreateInstance
 0x439188 CoInitializeSecurity
 0x43918c CoSetProxyBlanket
 0x439190 CoInitializeEx
OLEAUT32.dll
 0x439170 VariantInit
 0x439174 VariantClear

EAT(Export Address Table) is none
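The signatures section and this import table can be read together. As an added example, not part of the report or the sandbox's tooling, the script below groups the imports into the clusters that account for the process-search, WMI and display-fingerprinting signatures, notes that no networking DLL is imported statically even though the sandbox observed HTTP traffic, and recomputes a pefile-style imphash. The DLL print order above differs from the order the IAT addresses imply (GDI32 sits at 0x439000), and imphash depends on the PE's import-directory order, so neither candidate is guaranteed to reproduce the reported 62d315482935db63b6502d6a5f04722d; the cluster names and the address-order guess are mine.

```python
"""Static triage of the IAT listed above.

Added example written for this report, not the sandbox's own tooling. It
groups the imports into the capability clusters behind the behavioural
signatures and recomputes a pefile-compatible imphash so the reported value
can be cross-checked against a local copy of the sample.
"""
import hashlib

# Transcribed from the report's IAT section, functions in IAT-address order.
IAT = {
    "KERNEL32.dll": """
        Sleep FlsAlloc lstrlenW LocalAlloc lstrcatW HeapAlloc GetProcessHeap GetProcAddress
        GetCurrentProcess VirtualProtect GetLogicalProcessorInformationEx lstrlenA CloseHandle
        Process32Next Process32First CreateToolhelp32Snapshot FindNextFileW FindFirstFileW
        SetEndOfFile LoadLibraryA ExitProcess CreateFileW CreateFileA SetStdHandle WriteConsoleW
        LoadLibraryW IsValidLocale EnumSystemLocalesA GetLocaleInfoA GetUserDefaultLCID
        InterlockedIncrement InterlockedDecrement WideCharToMultiByte InterlockedExchange
        InitializeCriticalSection DeleteCriticalSection EnterCriticalSection LeaveCriticalSection
        EncodePointer DecodePointer MultiByteToWideChar GetLastError HeapFree RaiseException
        RtlUnwind GetSystemTimeAsFileTime GetCommandLineA HeapSetInformation GetStartupInfoW
        LCMapStringW GetCPInfo IsProcessorFeaturePresent TerminateProcess UnhandledExceptionFilter
        SetUnhandledExceptionFilter IsDebuggerPresent GetModuleHandleW WriteFile GetStdHandle
        GetModuleFileNameW HeapCreate TlsAlloc TlsGetValue TlsSetValue TlsFree SetLastError
        GetCurrentThreadId GetACP GetOEMCP IsValidCodePage HeapSize SetHandleCount
        InitializeCriticalSectionAndSpinCount GetFileType GetConsoleCP GetConsoleMode
        FlushFileBuffers ReadFile SetFilePointer GetModuleFileNameA FreeEnvironmentStringsW
        GetEnvironmentStringsW QueryPerformanceCounter GetTickCount GetCurrentProcessId
        GetStringTypeW GetLocaleInfoW HeapReAlloc
    """.split(),
    "USER32.dll": ["ReleaseDC"],
    "GDI32.dll": ["GetDeviceCaps", "CreateDCA"],
    "ole32.dll": ["CoCreateInstance", "CoInitializeSecurity", "CoSetProxyBlanket", "CoInitializeEx"],
    "OLEAUT32.dll": ["VariantInit", "VariantClear"],
}
REPORTED_IMPHASH = "62d315482935db63b6502d6a5f04722d"

# Import groups that line up with signatures in the report (cluster names are
# mine). The remaining KERNEL32 entries are the statically linked MSVC runtime
# and carry no signal; IsDebuggerPresent is ambiguous because the CRT imports it too.
CLUSTERS = {
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "filesystem_walk": {"FindFirstFileW", "FindNextFileW"},
    "wmi_over_com": {"CoInitializeEx", "CoInitializeSecurity", "CoSetProxyBlanket",
                     "CoCreateInstance", "VariantInit", "VariantClear"},
    "display_metrics": {"CreateDCA", "GetDeviceCaps", "ReleaseDC"},
    "hardware_profiling": {"GetLogicalProcessorInformationEx"},
    "runtime_api_resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress", "VirtualProtect"},
}
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "ws2_32.dll", "urlmon.dll"}


def capability_clusters(iat=IAT):
    """Cluster name -> sorted imports present, for clusters with at least one hit."""
    present = {f for funcs in iat.values() for f in funcs}
    return {name: sorted(apis & present) for name, apis in CLUSTERS.items() if apis & present}


def imports_networking(iat=IAT):
    """False for this sample: no WinINet/WinHTTP/Winsock import although the
    sandbox saw HTTP traffic, so those APIs are resolved at run time."""
    return any(dll.lower() in NETWORK_DLLS for dll in iat)


def imphash(ordered_imports):
    """md5 over 'lib.func' pairs, lower-cased, .dll/.ocx/.sys stripped, joined by
    commas in import-directory order (pefile's scheme; ordinal imports, absent
    here, would additionally need pefile's ordinal-to-name table)."""
    parts = []
    for dll, funcs in ordered_imports:
        lib = dll.lower()
        if lib[-4:] in (".dll", ".ocx", ".sys"):
            lib = lib[:-4]
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def imphash_candidates(iat=IAT):
    """Two plausible DLL orders: the report's print order and the order the IAT
    addresses imply. Only the PE's real import directory settles which (if
    either) reproduces REPORTED_IMPHASH."""
    by_address = ["GDI32.dll", "KERNEL32.dll", "OLEAUT32.dll", "USER32.dll", "ole32.dll"]
    return {"print_order": imphash(iat.items()),
            "address_order": imphash((d, iat[d]) for d in by_address)}


if __name__ == "__main__":
    for name, funcs in capability_clusters().items():
        print(f"{name:24s} {', '.join(funcs)}")
    print("static networking imports:", imports_networking())
    for order, digest in imphash_candidates().items():
        verdict = "matches report" if digest == REPORTED_IMPHASH else "differs from report"
        print(f"imphash ({order}) {digest} {verdict}")
```

If neither candidate matches, that is not evidence of a transcription error; run pefile's `get_imphash()` on the binary itself, which walks the import directory in its native order. The point of the clusters is the gap they expose: a stealer that talks HTTP, reads the registry and touches browser databases imports none of the DLLs for that, which is why the sandbox flags RWX allocations and why the Vidar verdict rests on behaviour rather than on this IAT.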