Report - 123.exe

Tags: Emotet, Gen1, Generic Malware, NSIS, Malicious Library, UPX, Malicious Packer, Antivirus, Admin Tool (Sysinternals etc ...), Anti_VM, AntiDebug, AntiVM, PE File, PE64, OS Processor Check, PNG Format, PE32, DLL, MZP Format, ZIP Format, JPEG Format, DllRegisterServer, dll, BMP
Created 2023.10.30 07:52
Machine s1_win7_x6403
Filename 123.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 3
Behavior Score 19.4
ZERO API file : clean
VT API (file)
md5 e374462a741bd8b228f22b33bb62f83f
sha256 2dc43cc5e5dba5494a69c25593caa4edec6fbf28bf3ff639c048d7197b253d7c
ssdeep 49152:HuUrhjMFS/3rBobAcuodhhQEn9/zSLTAjRd3XtJc/1E9nSJTl0pox+vxLOzwsGWY:LaCvUJcFw57
imphash 87d0737459c3ebc7de35794db4768b2f
impfuzzy 96:W0WQxv9u2qoffc+CxTjadExsGNX6Y9X1WRW+PsXeQ/yqdLoyyMA:WnQxkIsNKY9FKrsuq8yyMA

Signature (40cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Deletes a large number of files from the system indicative of ransomware
watch Deletes executed files from disk
watch Detects Avast Antivirus through the presence of a library
watch Detects VirtualBox through the presence of a file
watch Drops 159 unknown file mime types indicative of ransomware writing encrypted files back to disk
watch Drops a binary and executes it
watch Installs itself for autorun at Windows startup
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Tries to unhook Windows functions monitored by Cuckoo
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process installutil.exe
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Resolves a suspicious Top Level Domain (TLD)
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (39cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning NSIS_Installer Null Soft Installer binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info bmp_file_format bmp file format binaries (download)
info CAB_file_format CAB archive file binaries (download)
info chm_file_format chm file format binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info docx Word 2007 file format detection binaries (download)
info icon_file_format icon file format binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE64 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info zip_file_format ZIP file format binaries (download)

Network (38cnts)

Request CC ASN Co IP4 Rule ZERO
http://85.217.144.143/files/My2.exe Unknown 85.217.144.143 34643 malware
http://dl2-broomcleaner.online/InstallSetup6.exe Unknown 37.139.129.88 clean
http://pic.himanfast.com/order/tuc15.exe US CLOUDFLARENET 172.67.135.47 clean
http://galandskiyher5.com/downloads/toolspub1.exe DE CMCS 95.214.26.28 37396 malware
http://apps.identrust.com/roots/dstrootcax3.p7c US AKAMAI-AS 23.50.121.137 clean
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 US OPERASOFTWARE 107.167.110.211 clean
https://pastebin.com/raw/E0rY26ni US CLOUDFLARENET 104.20.68.143 clean
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 US OPERASOFTWARE 107.167.110.211 clean
https://yip.su/RNWPd.exe US CLOUDFLARENET 172.67.169.89 37623 malware
632432.space DE CMCS 171.22.28.204 clean
iplogger.com DE Hetzner Online GmbH 148.251.234.93 malicious
insuport.com CA COGECO-PEER1 69.90.162.0 clean
gobs2or.top Unknown clean
foryourbar.org US CLOUDFLARENET 104.21.22.166 clean
laubenstein.space Unknown malicious
dl2-broomcleaner.online Unknown 37.139.129.88 clean
pastebin.com US CLOUDFLARENET 172.67.34.170 malicious
yip.su US CLOUDFLARENET 104.21.79.77 malicious
net.geo.opera.com US OPERASOFTWARE 107.167.110.216 clean
galandskiyher5.com DE CMCS 95.214.26.28 malware
pic.himanfast.com US CLOUDFLARENET 104.21.6.189 clean
lycheepanel.info US CLOUDFLARENET 104.21.32.208 malware
pool.hashvault.pro SG PhoenixNAP 131.153.76.130 malicious
104.21.6.189 US CLOUDFLARENET 104.21.6.189 clean
107.167.110.211 US OPERASOFTWARE 107.167.110.211 clean
104.21.22.166 US CLOUDFLARENET 104.21.22.166 malicious
74.119.239.234 US PUBLIC-DOMAIN-REGISTRY 74.119.239.234 malicious
37.139.129.88 Unknown 37.139.129.88 malicious
95.214.26.28 DE CMCS 95.214.26.28 clean
172.67.187.122 US CLOUDFLARENET 172.67.187.122 malware
148.251.234.93 DE Hetzner Online GmbH 148.251.234.93 malicious
104.20.68.143 US CLOUDFLARENET 104.20.68.143 malicious
85.217.144.143 Unknown 85.217.144.143 malware
171.22.28.204 DE CMCS 171.22.28.204 clean
121.254.136.9 KR LG DACOM Corporation 121.254.136.9 clean
172.67.169.89 US CLOUDFLARENET 172.67.169.89 clean
69.90.162.0 CA COGECO-PEER1 69.90.162.0 clean
131.153.76.130 SG PhoenixNAP 131.153.76.130 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

ADVAPI32.dll
 0x140250000 RegCloseKey
 0x140250008 RegEnumKeyExW
 0x140250010 RegEnumValueW
 0x140250018 RegOpenKeyExW
 0x140250020 RegQueryValueExW
 0x140250028 OpenProcessToken
 0x140250030 LookupPrivilegeValueW
 0x140250038 AdjustTokenPrivileges
 0x140250040 EventWrite
 0x140250048 EventRegister
 0x140250050 EventEnabled
crypt.dll
 0x140250668 BCryptCloseAlgorithmProvider
 0x140250670 BCryptDestroyKey
 0x140250678 BCryptSetProperty
 0x140250680 BCryptImportKey
 0x140250688 BCryptDecrypt
 0x140250690 BCryptEncrypt
 0x140250698 BCryptOpenAlgorithmProvider
 0x1402506a0 BCryptGenRandom
KERNEL32.dll
 0x140250060 TlsFree
 0x140250068 TlsSetValue
 0x140250070 TlsGetValue
 0x140250078 TlsAlloc
 0x140250080 InitializeCriticalSectionAndSpinCount
 0x140250088 EncodePointer
 0x140250090 RaiseException
 0x140250098 RtlPcToFileHeader
 0x1402500a0 RaiseFailFastException
 0x1402500a8 GetTickCount64
 0x1402500b0 CreateThreadpoolWork
 0x1402500b8 SubmitThreadpoolWork
 0x1402500c0 CloseThreadpoolWork
 0x1402500c8 GetProcAddress
 0x1402500d0 FindNLSStringEx
 0x1402500d8 CompareStringEx
 0x1402500e0 FindStringOrdinal
 0x1402500e8 GetUserPreferredUILanguages
 0x1402500f0 InitializeConditionVariable
 0x1402500f8 WakeConditionVariable
 0x140250100 InitializeCriticalSection
 0x140250108 EnterCriticalSection
 0x140250110 LeaveCriticalSection
 0x140250118 DeleteCriticalSection
 0x140250120 FileTimeToSystemTime
 0x140250128 GetLastError
 0x140250130 GetConsoleOutputCP
 0x140250138 GetCurrentProcess
 0x140250140 GetStdHandle
 0x140250148 GetSystemTime
 0x140250150 LocalAlloc
 0x140250158 LocalFree
 0x140250160 QueryPerformanceCounter
 0x140250168 QueryPerformanceFrequency
 0x140250170 SetLastError
 0x140250178 SystemTimeToFileTime
 0x140250180 TzSpecificLocalTimeToSystemTime
 0x140250188 WideCharToMultiByte
 0x140250190 Sleep
 0x140250198 WaitForMultipleObjectsEx
 0x1402501a0 WaitForSingleObject
 0x1402501a8 GetCurrentThread
 0x1402501b0 LocaleNameToLCID
 0x1402501b8 LCMapStringEx
 0x1402501c0 CompareStringOrdinal
 0x1402501c8 GetLocaleInfoEx
 0x1402501d0 EnumTimeFormatsEx
 0x1402501d8 GetCalendarInfoEx
 0x1402501e0 EnumCalendarInfoExEx
 0x1402501e8 ResolveLocaleName
 0x1402501f0 SleepConditionVariableCS
 0x1402501f8 ExpandEnvironmentStringsW
 0x140250200 FindClose
 0x140250208 FindFirstFileExW
 0x140250210 FreeLibrary
 0x140250218 GetFileAttributesExW
 0x140250220 GetFullPathNameW
 0x140250228 GetLongPathNameW
 0x140250230 GetModuleFileNameW
 0x140250238 GetSystemDirectoryW
 0x140250240 LoadLibraryExW
 0x140250248 SetThreadErrorMode
 0x140250250 GetDynamicTimeZoneInformation
 0x140250258 GetTimeZoneInformation
 0x140250260 WriteFile
 0x140250268 GetCurrentProcessorNumberEx
 0x140250270 CloseHandle
 0x140250278 SetEvent
 0x140250280 ResetEvent
 0x140250288 CreateEventExW
 0x140250290 GetEnvironmentVariableW
 0x140250298 FormatMessageW
 0x1402502a0 CreateThread
 0x1402502a8 ResumeThread
 0x1402502b0 DuplicateHandle
 0x1402502b8 GetThreadPriority
 0x1402502c0 SetThreadPriority
 0x1402502c8 MultiByteToWideChar
 0x1402502d0 GetConsoleMode
 0x1402502d8 GetFileType
 0x1402502e0 WriteConsoleW
 0x1402502e8 VirtualAllocEx
 0x1402502f0 CreateProcessW
 0x1402502f8 GetExitCodeProcess
 0x140250300 TerminateProcess
 0x140250308 OpenProcess
 0x140250310 K32EnumProcesses
 0x140250318 GetProcessId
 0x140250320 FlushProcessWriteBuffers
 0x140250328 GetCurrentThreadId
 0x140250330 WaitForSingleObjectEx
 0x140250338 VirtualQuery
 0x140250340 RtlRestoreContext
 0x140250348 AddVectoredExceptionHandler
 0x140250350 FlsAlloc
 0x140250358 FlsGetValue
 0x140250360 FlsSetValue
 0x140250368 CreateEventW
 0x140250370 SwitchToThread
 0x140250378 SuspendThread
 0x140250380 GetThreadContext
 0x140250388 SetThreadContext
 0x140250390 FlushInstructionCache
 0x140250398 VirtualAlloc
 0x1402503a0 VirtualProtect
 0x1402503a8 VirtualFree
 0x1402503b0 QueryInformationJobObject
 0x1402503b8 GetModuleHandleW
 0x1402503c0 GetModuleHandleExW
 0x1402503c8 GetProcessAffinityMask
 0x1402503d0 InitializeContext
 0x1402503d8 GetEnabledXStateFeatures
 0x1402503e0 SetXStateFeaturesMask
 0x1402503e8 InitializeCriticalSectionEx
 0x1402503f0 GetSystemTimeAsFileTime
 0x1402503f8 DebugBreak
 0x140250400 SleepEx
 0x140250408 GlobalMemoryStatusEx
 0x140250410 GetSystemInfo
 0x140250418 GetLogicalProcessorInformation
 0x140250420 GetLogicalProcessorInformationEx
 0x140250428 GetLargePageMinimum
 0x140250430 VirtualUnlock
 0x140250438 VirtualAllocExNuma
 0x140250440 IsProcessInJob
 0x140250448 GetNumaHighestNodeNumber
 0x140250450 GetProcessGroupAffinity
 0x140250458 K32GetProcessMemoryInfo
 0x140250460 RtlUnwindEx
 0x140250468 IsProcessorFeaturePresent
 0x140250470 SetUnhandledExceptionFilter
 0x140250478 UnhandledExceptionFilter
 0x140250480 IsDebuggerPresent
 0x140250488 RtlVirtualUnwind
 0x140250490 RtlLookupFunctionEntry
 0x140250498 RtlCaptureContext
 0x1402504a0 InitializeSListHead
 0x1402504a8 GetCurrentProcessId
ole32.dll
 0x1402506b0 CoWaitForMultipleHandles
 0x1402506b8 CoCreateGuid
 0x1402506c0 CoGetApartmentType
 0x1402506c8 CoUninitialize
 0x1402506d0 CoInitializeEx
USER32.dll
 0x1402504b8 LoadStringW
api-ms-win-crt-math-l1-1-0.dll
 0x140250508 modf
 0x140250510 __setusermatherr
 0x140250518 pow
 0x140250520 tan
 0x140250528 sqrt
 0x140250530 sin
 0x140250538 ceil
 0x140250540 cos
 0x140250548 floor
api-ms-win-crt-heap-l1-1-0.dll
 0x1402504c8 malloc
 0x1402504d0 _set_new_mode
 0x1402504d8 calloc
 0x1402504e0 _callnewh
 0x1402504e8 free
api-ms-win-crt-string-l1-1-0.dll
 0x140250630 strcpy_s
 0x140250638 wcsncmp
 0x140250640 _wcsicmp
 0x140250648 _stricmp
 0x140250650 strncpy_s
 0x140250658 strcmp
api-ms-win-crt-runtime-l1-1-0.dll
 0x140250558 exit
 0x140250560 _exit
 0x140250568 _initterm
 0x140250570 _initterm_e
 0x140250578 _get_initial_wide_environment
 0x140250580 terminate
 0x140250588 _crt_atexit
 0x140250590 _register_onexit_function
 0x140250598 _initialize_onexit_table
 0x1402505a0 _initialize_wide_environment
 0x1402505a8 _configure_wide_argv
 0x1402505b0 __p___argc
 0x1402505b8 _register_thread_local_exe_atexit_callback
 0x1402505c0 _c_exit
 0x1402505c8 _cexit
 0x1402505d0 __p___wargv
 0x1402505d8 _seh_filter_exe
 0x1402505e0 _set_app_type
 0x1402505e8 abort
api-ms-win-crt-stdio-l1-1-0.dll
 0x1402505f8 __stdio_common_vsprintf_s
 0x140250600 _set_fmode
 0x140250608 __stdio_common_vsscanf
 0x140250610 __stdio_common_vfprintf
 0x140250618 __acrt_iob_func
 0x140250620 __p__commode
api-ms-win-crt-locale-l1-1-0.dll
 0x1402504f8 _configthreadlocale

EAT (Export Address Table) Library

0x140373880 DotNetRuntimeDebugHeader
