popup

Report - s5.exe

Malicious Library UPX Http API HTTP Internet API AntiDebug AntiVM PE File PE32 OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.11.06 09:41 Machine s1_win7_x6403
Filename s5.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
12.4
ZERO API file : clean
VT API (file) 39 detected (AIDetectMalware, Stop, Lockbit, Artemis, Save, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, Kryptik, HVDW, score, Zenpak, Generic@AI, RDML, rHLxQ2CYCM0Jx6m5hruroA, moderate, Krypt, SmokeLoader, Sabsik, Znyonm, Detected, BScope, Klubdepa, unsafe, R002H07K523, Obfuscated, Static AI, Malicious PE, susgen, GenKryptik, ERHN, BotX)
md5 e4c5c50d9c573109411348e4c7f79dd8
sha256 7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce
ssdeep 6144:gU4LI9VtOpy4NT+Cxe0eAb8R5DI1bUUzJ6Gor:g989VQpy4NDe48R5s1dJn+
imphash fb06b251ec823ec2b055f38e217cf323
impfuzzy 48:kTpiOwOERAdR2KKSGJttScfr0uuSB2CQlf:StxR2HSGJttScfrkSBV0
  Network IP location

Signature (28cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 39 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Communicates with host for which no DNS query was performed
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (21cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Network_HTTP Communications over HTTP memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (13cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://85.209.11.204/api/files/client/s54
whois
RU SYN LTD 85.209.11.204 clean
http://85.209.11.204/api/files/client/s51
whois
RU SYN LTD 85.209.11.204 clean
http://85.209.11.204/ip.php
whois
RU SYN LTD 85.209.11.204 clean
http://85.209.11.204/api/files/client/s53
whois
RU SYN LTD 85.209.11.204 clean
http://85.209.11.204/api/files/client/s52
whois
RU SYN LTD 85.209.11.204 clean
http://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000¶m=empty
whois
US GOOGLE 142.250.206.238 clean
https://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000¶m=empty
whois
US GOOGLE 172.217.24.78 clean
https://script.googleusercontent.com/macros/echo?user_content_key=rq3I6Pvq31ESr42SRVFCcH8cBMrOvGfc9LjrAFAjXKqooXQVZnHoVSKZ49ywNUr7mn_h-t_4xp16ZbQUh0u7vYizKKleUSwSOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa0CRDStSlAiWe9EsIf9E4ZPsnymwtpgwALY3ZEKNb
whois
US GOOGLE 142.251.220.33 clean
script.google.com
whois
US GOOGLE 142.250.206.238 clean
script.googleusercontent.com
whois
US GOOGLE 142.250.206.225 clean
85.209.11.204
whois
RU SYN LTD 85.209.11.204 clean
172.217.24.78
whois
US GOOGLE 172.217.24.78 clean
142.251.220.33
whois
US GOOGLE 142.251.220.33 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x401014 GetConsoleAliasesLengthW
 0x401018 SetComputerNameExA
 0x40101c GetConsoleAliasExesLengthA
 0x401020 FindResourceW
 0x401024 BuildCommDCBAndTimeoutsA
 0x401028 DeleteVolumeMountPointA
 0x40102c GlobalAddAtomA
 0x401030 GetCommState
 0x401034 GetSystemWindowsDirectoryW
 0x401038 CreateDirectoryW
 0x40103c AddConsoleAliasW
 0x401040 FindCloseChangeNotification
 0x401044 FreeEnvironmentStringsA
 0x401048 GetModuleHandleW
 0x40104c GetTickCount
 0x401050 CreateNamedPipeW
 0x401054 GetConsoleAliasesA
 0x401058 GetPriorityClass
 0x40105c GetCurrencyFormatW
 0x401060 LoadLibraryW
 0x401064 GetExitCodeProcess
 0x401068 IsProcessorFeaturePresent
 0x40106c GetConsoleAliasW
 0x401070 MultiByteToWideChar
 0x401074 GetVolumePathNameA
 0x401078 GetLastError
 0x40107c InterlockedFlushSList
 0x401080 FindFirstFileW
 0x401084 GetProcAddress
 0x401088 VirtualAlloc
 0x40108c BackupWrite
 0x401090 RemoveDirectoryA
 0x401094 EnumSystemCodePagesW
 0x401098 SearchPathA
 0x40109c InterlockedExchangeAdd
 0x4010a0 OpenWaitableTimerW
 0x4010a4 LocalAlloc
 0x4010a8 GetNumberFormatW
 0x4010ac SetConsoleWindowInfo
 0x4010b0 FoldStringA
 0x4010b4 GlobalFindAtomW
 0x4010b8 DebugSetProcessKillOnExit
 0x4010bc UpdateResourceW
 0x4010c0 VirtualProtect
 0x4010c4 PeekConsoleInputA
 0x4010c8 ReadConsoleInputW
 0x4010cc GetWindowsDirectoryW
 0x4010d0 SetFileAttributesW
 0x4010d4 LocalFileTimeToFileTime
 0x4010d8 CreateFileA
 0x4010dc SetVolumeLabelA
 0x4010e0 FillConsoleOutputCharacterA
 0x4010e4 SetLastError
 0x4010e8 GetModuleHandleA
 0x4010ec HeapAlloc
 0x4010f0 Sleep
 0x4010f4 ExitProcess
 0x4010f8 GetStartupInfoW
 0x4010fc RaiseException
 0x401100 RtlUnwind
 0x401104 GetCPInfo
 0x401108 InterlockedIncrement
 0x40110c InterlockedDecrement
 0x401110 GetACP
 0x401114 GetOEMCP
 0x401118 IsValidCodePage
 0x40111c TlsGetValue
 0x401120 TlsAlloc
 0x401124 TlsSetValue
 0x401128 TlsFree
 0x40112c GetCurrentThreadId
 0x401130 TerminateProcess
 0x401134 GetCurrentProcess
 0x401138 UnhandledExceptionFilter
 0x40113c SetUnhandledExceptionFilter
 0x401140 IsDebuggerPresent
 0x401144 HeapFree
 0x401148 DeleteCriticalSection
 0x40114c LeaveCriticalSection
 0x401150 EnterCriticalSection
 0x401154 VirtualFree
 0x401158 HeapReAlloc
 0x40115c HeapCreate
 0x401160 WriteFile
 0x401164 GetStdHandle
 0x401168 GetModuleFileNameA
 0x40116c HeapSize
 0x401170 LoadLibraryA
 0x401174 InitializeCriticalSectionAndSpinCount
 0x401178 GetModuleFileNameW
 0x40117c FreeEnvironmentStringsW
 0x401180 GetEnvironmentStringsW
 0x401184 GetCommandLineW
 0x401188 SetHandleCount
 0x40118c GetFileType
 0x401190 GetStartupInfoA
 0x401194 QueryPerformanceCounter
 0x401198 GetCurrentProcessId
 0x40119c GetSystemTimeAsFileTime
 0x4011a0 LCMapStringA
 0x4011a4 WideCharToMultiByte
 0x4011a8 LCMapStringW
 0x4011ac GetStringTypeA
 0x4011b0 GetStringTypeW
 0x4011b4 GetLocaleInfoA
USER32.dll
 0x4011c4 LoadMenuW
 0x4011c8 CharToOemBuffW
 0x4011cc ChangeDisplaySettingsW
GDI32.dll
 0x401000 GetCharWidthA
 0x401004 GetCharacterPlacementA
 0x401008 GetCharABCWidthsFloatA
 0x40100c GetBoundsRect
SHELL32.dll
 0x4011bc ShellAboutW

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure