popup

Report - setup.rar

Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.11.03 17:38 Machine s1_win7_x6402
Filename setup.rar
Type RAR archive data, v5
AI Score Not founds Behavior Score
4.8
ZERO API file : clean
VT API (file)
md5 d7b36686b22ecf8da8c34bf6d55ad331
sha256 9ccaee42c525cbfa332db514830fa41ac78f0da4f8bd6e7b94574cff5e508822
ssdeep 786432:TB6Iwor817zo6k+RLEx4kbFoFgj7BOey2AjcmdysuF:lHLg17zoKoxNAgjVOIodysuF
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.17 clean
http://91.92.243.151/api/tracemap.php
whois
Unknown 91.92.243.151 37889 mailcious
ironhost.io
whois
US CLOUDFLARENET 172.67.193.129 clean
61.111.58.34
whois
KR LG DACOM Corporation 61.111.58.34 malware
172.67.193.129
whois
US CLOUDFLARENET 172.67.193.129 clean
91.92.243.151
whois
Unknown 91.92.243.151 mailcious
94.142.138.131
whois
RU Ihor Hosting LLC 94.142.138.131 mailcious
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
208.67.104.60
whois
Unknown 208.67.104.60 mailcious

Suricata ids

ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure