popup

Report - File.rar

PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.11.02 14:36 Machine s1_win7_x6402
Filename File.rar
Type RAR archive data, v5
AI Score Not founds Behavior Score
7.0
ZERO API file : clean
VT API (file)
md5 c18fbc972354abb0fd945ffccbb93ad3
sha256 0cd161ec28f585e8c49fd1fd771760614052ba6381c66ce68ea614d6b6f753d3
ssdeep 786432:gL66d54hnDMWlCyut1qo9Xi5BUZn9cBbk5V:AX5o4WQH/XA5BoeC
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (110cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://94.142.138.131/api/firegate.php
whois
RU Ihor Hosting LLC 94.142.138.131 32650 mailcious
http://91.92.243.151/api/tracemap.php
whois
Unknown 91.92.243.151 clean
http://91.92.243.151/api/firecom.php
whois
Unknown 91.92.243.151 clean
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://94.142.138.131/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.131 28311 mailcious
http://185.172.128.69/newumma.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.69 37499 malware
http://45.15.156.229/api/firegate.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 36052 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.27 clean
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
whois
BA BH Telecom d.d. Sarajevo 185.12.79.25 27911 mailcious
http://ronaldrichards.icu/e9c345fc99a4e67e.php
whois
RU IQHost Ltd 193.106.175.190 clean
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.18.146.235 clean
http://dl54-broomcleaner.icu/InstallSetup7.exe
whois
RU IQHost Ltd 193.106.175.190 malware
http://michaelcoleman.icu/timeSync.exe
whois
RU IQHost Ltd 193.106.175.190 malware
http://94.142.138.113/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.113 28877 mailcious
http://171.22.28.226/download/Services.exe
whois
DE CMCS 171.22.28.226 37064 malware
https://sun6-23.userapi.com/c909618/u26060933/docs/d4/7caf185e1947/Risepro.bmp?extra=7FXlsGxLQIPRYANXa3bqeG3hcbsNS0dKcak4PUGs8R5-_JslfV8EU9fv6FJOQdvEaI1m1FTJU93cK7oTMfBwNuFssszLscrz9Cp-PC8h5_cL92W_KwdOMx337cegLJS56Rsdw-WyUI_Npc2h
whois
RU VKontakte Ltd 95.142.206.3 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.4.15 clean
https://sun6-21.userapi.com/c909218/u26060933/docs/d31/c926cfacc1f4/new_go.bmp?extra=HtQcuH2QjM0315WmkJdVH1mdYBSvv064tAbEOg4LDcetY4TZLtnYzavt2XLLjq0NXXZQ-680zJ-uVhjhhGOj1dze70rfMIe3a_Ln3Lk-sWoOm4TTPqeibD4bjeVEAMiqwFd9f9Ip5nM3qbmH
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc26060933_667226611?hash=3AOa9zwJbxnrXLo5M1UNZwTTDvxsoWSyfwgmxISqqxL&dl=HnSve9vk6MIyt0bE2UGvnGrn7uoz7zwDsDLBVNodlP4&api=1&no_preview=1#riseK
whois
RU VKontakte Ltd 93.186.225.194 clean
https://vk.com/doc26060933_667223635?hash=qzxpj41H7aJKGYAkotcS9kwFdHSU9KQawZjeS9cVst4&dl=iEliVZrkZcesylYAmZs8zvhVjQpPOUAfyAIZcvJVbPH&api=1&no_preview=1#ww11
whois
RU VKontakte Ltd 93.186.225.194 clean
https://sun6-22.userapi.com/c237331/u493219498/docs/d54/970161281382/tmvwr.bmp?extra=i927vrM_3T63rdgS7FcQie8v-JlaGdg4vrToGaMBTqwShIMTwkEVKCvfe9GoqbuPE_z5vIJs-kAStdG0VWdxGQ9kAITbxJ2ZhF92v5EIR_XuU2MfpG0xGXk2ybTmc8Gf8fEMNTEZ1sgmkstkcA
whois
RU VKontakte Ltd 95.142.206.2 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://api.ip.sb/ip
whois
US CLOUDFLARENET 172.67.75.172 clean
https://fdjbgkhjrpfvsdf.online/setup294.exe
whois
US CLOUDFLARENET 172.67.139.27 clean
https://vk.com/doc825067038_675094078?hash=yy528d2cdSWh8Qb1vjKZzrbg9uO0tUhBgbnW8xFFc7g&dl=fzvSk2lE8vQ96mfYErqNUoJZiKQg6dRgeIDz0UiA5W8&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://vk.com/doc26060933_667223519?hash=4h0hZRp0TSlGi1za4NQqeUs4Z2Owa7H8HcgLzZogiBc&dl=4yZXwXXDHBqFHcM30tryxz8P1qRNU3LWlwbmQoruwmL&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 clean
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.4.15 clean
https://vk.com/doc493219498_672804512?hash=k6gVocJtWMIGa4eR2u3BEQexXtjJzptcjPX2TpQvyHP&dl=RdWtWX0NOjUuv5jSqHuHLHgdyH9LhrvA8lQtBVZeJGP&api=1&no_preview=1#test22
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://vk.com/doc493219498_672768541?hash=tpdx8YXg91Y3FlT5s0RAbnPmPS1Zzyo9eLqcOzyWZYc&dl=WDy5pNA0ek7levBiA9WZCVFsr80DioWsqEq14iAXX84&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://vk.com/doc26060933_667234651?hash=Rv3y1hZYldejZNTzjJxgzdYVgzKs0azR7LT5gowzNJT&dl=fEH5j2bjnO3mwDbqODuUYTgMkVbKBYVrBOOWxCsJzJ0&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 clean
https://vk.com/doc26060933_667218383?hash=7UW057pOa1xiEe10gtJ3QSwoTJDrSVPqZuGSbstptEH&dl=yqIEoQoYSd5j0zYFeVKTzHy16DTH1wq1kX6PBuZazRX&api=1&no_preview=1#bnf
whois
RU VKontakte Ltd 93.186.225.194 clean
https://dzen.ru/?yredirect=true
whois
RU Invest Mobile LLC 62.217.160.2 clean
https://vk.com/doc26060933_667215509?hash=G3Jm1EaMJVztPO45r3HxRNlS4ZgetOknNtYy2avkFPw&dl=8fjE5gX9uYKwtbhjDbbqZIfJvR8v4T4lyZisCWbPlgc&api=1&no_preview=1#1
whois
RU VKontakte Ltd 93.186.225.194 clean
https://sun6-20.userapi.com/c909218/u26060933/docs/d16/6de25ac9c8b9/s2as2fad.bmp?extra=93M5T4Pa8Q3v-6wCV0cMg-imldFl3M7pP9fiQWexCQVfAHR6bOaCYNmIhblaorz2ajVnq9ITftW-KCQwspVW7DbtPyDFKCTvp9SEcQHaQMAlrKO5x90RNNH-89CyjAZ03dQGY6Leo9A9oUVa
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-20.userapi.com/c237331/u825067038/docs/d49/f3d174c7d126/PL_Client.bmp?extra=XDfkwfVkwRcivpIteb_RsNhr6eqpk3Sh24NjsrJ7nR2EAq93CkJ7kmPRE49s-PptoRkiv1DlMYMm4G-EjxMy3ZKbg-9BUhc0NtHIuZM8phnB22dI5a_tz7k-BACUbK_qxxTb405WhzGYuI1t0w
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://sun6-20.userapi.com/c909218/u26060933/docs/d22/a35d812ef006/RisePro.bmp?extra=LgPIMsxlbkpwHU5tCRY0vgUUAviiE7g7nMwb1oAv7HySSrauv2XjWksVWa7ZlFA3JXksarqScqvGtt1ETuNK6vMq7PyUQYgR2vLJ_T_aOnDWK_TKXwfUgdLiFLt-hsv4qpwsSsSIRWLoQTI1
whois
RU VKontakte Ltd 95.142.206.0 clean
https://sun6-21.userapi.com/c235031/u26060933/docs/d60/aadf300fd920/BotClients.bmp?extra=WDt2JKhhn-eQrPHTN9X8R0bO_tJ9q0myEWR4olRZdoa3canBj-lmFAG5cGCHMWcveqzg7IA6SkZEgaXn7_yF1ZPOhbnbI4vHz0fiMpVF8qWL4pijOcDsVf6aNjPpO0eOG8p1J66TE-BKQC-h
whois
RU VKontakte Ltd 95.142.206.1 clean
https://sun6-21.userapi.com/c235031/u26060933/docs/d17/f2f6f33ee91f/WWW11_32.bmp?extra=YkAJ9WwBghZQCvm2tl1uLbMufgtzR6Yn6c26ciwed5aKCO-Rw-yV4cJfXn8nio3l8RYZVp2QwfyPiYJ8Q8fOOfhA000eXJmSBorA7IDhKGejIp04_2OVOLLWjtHDUIjGYHzdNUwjv2l33dHB
whois
RU VKontakte Ltd 95.142.206.1 clean
https://sun6-21.userapi.com/c237031/u493219498/docs/d9/c7fc8ca88f65/file291023.bmp?extra=HJE0rWNAwxwlZMpDm0nMXfYfAV0NPcx59BCa43IG_bXuChoyS7uFn7bse_58CEa8kk12QRrnh7q-Dw-GenGfCBz-k2gxOG-kXj-MvZt78r50ec_AmOipYf-TCxGK9M1dCTfKr6B4BlweimH5oA
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc26060933_667166279?hash=ZwaE4tvZWFZCd2bm3WcrC9P0n7U9VIU9U93MzzIkiVg&dl=pnJSpAC8qJBqMfKXSgNNzjPf12azGKZWlyCFZ86hE2P&api=1&no_preview=1#risepro
whois
RU VKontakte Ltd 93.186.225.194 clean
https://sso.passport.yandex.ru/push?uuid=378496ab-5899-48b7-bf10-80f50778653f&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
whois
RU YANDEX LLC 213.180.204.24 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.5.15 clean
https://vk.com/doc26060933_667204817?hash=6lgEzCTOqGu7pXY0CjbNe2FXz4rab735i6AEdl7puVw&dl=U0RHXi4KJa141aANcboV7iQspCTlmbxFsgLwQz9bGwc&api=1&no_preview=1#maff
whois
RU VKontakte Ltd 93.186.225.194 clean
https://sun6-21.userapi.com/c909418/u26060933/docs/d20/171a1ad09e5c/crypted.bmp?extra=USOyMI-QrVD8ahA0mCuN1w-bxZzgqjcqo6Tzt3gOhGAsI0yQDB1U4gyXEOkH9dOBYLRqxIH032ISFZcZOEZ5KTf6gzdM_yJlTG3ITv6KbMFD9NzdtpVOIBX0BWIXmrNdeuJ6DUaJj52BUDaE
whois
RU VKontakte Ltd 95.142.206.1 clean
https://sun6-23.userapi.com/c236331/u26060933/docs/d36/f582a2f7d651/mggkfn.bmp?extra=kXzl1fMGvZsozKZ51_V9AIUJOViBXHnvbHtPIo-fm1QSon9y47f4eu5t1tnXJsZ-9Yn_qH0wPULruDXEJv5YPVFLCVB8tJk2Mcs-BJAZWoU6geCJmdzITbv3Y6p0_tmBtcEYUqbBEK0nsfd6
whois
RU VKontakte Ltd 95.142.206.3 clean
https://api.2ip.ua/geo.json
whois
US CLOUDFLARENET 172.67.139.220 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
dl54-broomcleaner.icu
whois
RU IQHost Ltd 193.106.175.190 malware
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 mailcious
yandex.ru
whois
RU YANDEX LLC 5.255.255.70 clean
dzen.ru
whois
RU Invest Mobile LLC 62.217.160.2 clean
medfioytrkdkcodlskeej.net
whois
RU Petersburg Internet Network ltd. 91.215.85.209 malware
ronaldrichards.icu
whois
RU IQHost Ltd 193.106.175.190 clean
api.2ip.ua
whois
US CLOUDFLARENET 172.67.139.220 clean
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
twitter.com
whois
US TWITTER 104.244.42.129 clean
telegram.org
whois
GB Telegram Messenger Inc 149.154.167.99 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
sso.passport.yandex.ru
whois
RU YANDEX LLC 213.180.204.24 clean
michaelcoleman.icu
whois
RU IQHost Ltd 193.106.175.190 malware
api.ip.sb
whois
US CLOUDFLARENET 172.67.75.172 clean
iplogger.com
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
zexeq.com
whois
AR Telecom Argentina S.A. 190.139.250.133 malware
fdjbgkhjrpfvsdf.online
whois
US CLOUDFLARENET 172.67.139.27 clean
api.myip.com
whois
US CLOUDFLARENET 104.26.9.59 clean
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 mailcious
www.maxmind.com
whois
US CLOUDFLARENET 104.18.145.235 clean
vk.com
whois
RU VKontakte Ltd 87.240.132.78 mailcious
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
104.18.146.235
whois
US CLOUDFLARENET 104.18.146.235 clean
93.186.225.194
whois
RU VKontakte Ltd 93.186.225.194 mailcious
185.225.75.171
whois
DE Mayak Smart Services Ltd. 185.225.75.171 mailcious
172.67.139.27
whois
US CLOUDFLARENET 172.67.139.27 mailcious
62.217.160.2
whois
RU Invest Mobile LLC 62.217.160.2 clean
104.244.42.1
whois
US TWITTER 104.244.42.1 suspicious
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
208.67.104.60
whois
Unknown 208.67.104.60 mailcious
5.255.255.70
whois
RU YANDEX LLC 5.255.255.70 clean
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
213.180.204.24
whois
RU YANDEX LLC 213.180.204.24 clean
121.254.136.18
whois
KR LG DACOM Corporation 121.254.136.18 clean
185.173.38.57
whois
RU Altagen JSC 185.173.38.57 clean
194.49.94.40
whois
Unknown 194.49.94.40 clean
194.49.94.41
whois
Unknown 194.49.94.41 clean
171.22.28.226
whois
DE CMCS 171.22.28.226 malware
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
91.92.243.151
whois
Unknown 91.92.243.151 clean
185.172.128.69
whois
RU OOO Nadym Svyaz Service 185.172.128.69 malware
94.142.138.131
whois
RU Ihor Hosting LLC 94.142.138.131 mailcious
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
91.215.85.209
whois
RU Petersburg Internet Network ltd. 91.215.85.209 mailcious
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
172.67.75.172
whois
US CLOUDFLARENET 172.67.75.172 mailcious
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 mailcious
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 mailcious
172.67.139.220
whois
US CLOUDFLARENET 172.67.139.220 clean
211.168.53.110
whois
KR LG DACOM Corporation 211.168.53.110 clean
193.106.175.190
whois
RU IQHost Ltd 193.106.175.190 malware
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious

Suricata ids

ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO DNS Query for Suspicious .icu Domain
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO HTTP POST Request to Suspicious *.icu domain
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

Similarity measure (PE file only) - Checking for service failure