Report - Archive.rar

Escalate priviledges PWS KeyLogger AntiDebug AntiVM ftp

ScreenShot

Info
Location map


Created	2023.11.01 18:42	Machine	s1_win7_x6402
Filename	Archive.rar
Type	RAR archive data, v5
AI Score	Not founds	Behavior Score	5.0
ZERO API	file : clean
VT API (file)	1 detected ()
md5	8988dd76e0075a66d1030daa58d220f1
sha256	c4818189e772ada93116ca28a6226f5b86f763daaf6fe8dc2ad8ab0c87f7a90a
ssdeep	393216:Xo5JIcjxzuHjmJydtTQHRRns+rZfeayhSXBpgrMyY3fv2zwjGyM9lE48v9/NBLD1:Yj16m/s+VeVmurMDfvYwjfM/GvhvLnp
imphash
impfuzzy

Network IP location

Signature (13cnts)

Level	Description
watch	Communicates with host for which no DNS query was performed
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates executable files on the filesystem
notice	File has been identified by one AntiVirus engine on VirusTotal as malicious
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (12cnts)

Level	Name	Description	Collection
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	ftp_command	ftp command	binaries (upload)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (19cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://94.142.138.113/api/firegate.php whois		Ihor Hosting LLC	94.142.138.113	36152	mailcious
http://94.142.138.113/api/tracemap.php whois		Ihor Hosting LLC	94.142.138.113	28877	mailcious
https://vk.com/doc26060933_667173484?hash=A1dmV4pq2EY7qgmQUNzGLIsxaMexd8IeIWU9C4qfGWs&dl=HW3dyNuyU3NU5OenwscyGVYZxNCzBaTesYkhsTpR8qs&api=1&no_preview=1 whois		VKontakte Ltd	87.240.137.164		clean
https://sun6-21.userapi.com/c237231/u26060933/docs/d41/b01ef5bd7b4a/Setup.bmp?extra=fPPLkVjVVeEJBIi4Of7fAGBCJkUgPJP0zTNhqwXCyZxyqQK-ShKZ5pV0Q9N_iwIsrcQGex6idPQM1iCflk3FKizdrZfEwMM53QuRuvk2p_dEZymICGeJzS0sCUFyDI0lpF31qoWurBw1MNPi whois		VKontakte Ltd	95.142.206.1		clean
https://api.myip.com/ whois		CLOUDFLARENET	104.26.9.59		clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 whois		VKontakte Ltd	87.240.137.164		mailcious
iplis.ru whois		Hetzner Online GmbH	148.251.234.93		mailcious
iplogger.org whois		Hetzner Online GmbH	148.251.234.83		mailcious
ipinfo.io whois		GOOGLE	34.117.59.81		clean
api.myip.com whois		CLOUDFLARENET	172.67.75.163		clean
vk.com whois		VKontakte Ltd	87.240.132.72		mailcious
sun6-21.userapi.com whois		VKontakte Ltd	95.142.206.1		mailcious
148.251.234.83 whois		Hetzner Online GmbH	148.251.234.83		clean
148.251.234.93 whois		Hetzner Online GmbH	148.251.234.93		mailcious
104.26.9.59 whois		CLOUDFLARENET	104.26.9.59		clean
95.142.206.1 whois		VKontakte Ltd	95.142.206.1		mailcious
87.240.137.164 whois		VKontakte Ltd	87.240.137.164		mailcious
94.142.138.113 whois		Ihor Hosting LLC	94.142.138.113		mailcious
34.117.59.81 whois		GOOGLE	34.117.59.81		clean

Suricata ids

Similarity measure (PE file only) - Checking for service failure