Report - build.exe

Vidar Gen1 Generic Malware Malicious Library UPX Malicious Packer AntiDebug AntiVM PE32 PE File OS Processor Check DLL
Created 2023.11.13 10:58 Machine s1_win7_x6403
Filename build.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
9
Behavior Score
11.8
ZERO API file : malware
VT API (file)
md5 90dd1720cb5f0a539358d8895d3fd27a
sha256 e69a88b0f9ec61f4acf22f9a3d96f60eb3a04db58a74eb4315700ac465de9e01
ssdeep 3072:6F6GZCIbIXZhMUXjB4xowmDKQ9x4Ua9JKFuo:6F8RZ+Ro5HHSKF
imphash bfbdb436476f8fcaaef94d931ea729c9
impfuzzy 24:hDCqTf4NvhDo1ttUalSfjlENY/JlUyer6wxGTO1EkEQh:1Cqr4Nv8tp8fua7wGNC

Signature (28cnts)

Level Description
watch Attempts to create or modify system certificates
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
watch Network activity contains more than one unique useragent
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process build.exe
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (24cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (14cnts)

Request CC ASN Co IP4 Rule ZERO
http://5.75.246.163/softokn3.dll DE Hetzner Online GmbH 5.75.246.163 clean
http://5.75.246.163/vcruntime140.dll DE Hetzner Online GmbH 5.75.246.163 clean
http://5.75.246.163/msvcp140.dll DE Hetzner Online GmbH 5.75.246.163 clean
http://5.75.246.163/freebl3.dll DE Hetzner Online GmbH 5.75.246.163 clean
http://5.75.246.163/mozglue.dll DE Hetzner Online GmbH 5.75.246.163 clean
http://5.75.246.163/sqlite3.dll DE Hetzner Online GmbH 5.75.246.163 clean
http://5.75.246.163/ DE Hetzner Online GmbH 5.75.246.163 clean
http://5.75.246.163/nss3.dll DE Hetzner Online GmbH 5.75.246.163 clean
https://steamcommunity.com/profiles/76561199568528949 US Akamai International B.V. 104.76.78.101 38188 malicious
t.me GB Telegram Messenger Inc 149.154.167.99 malicious
steamcommunity.com US Akamai International B.V. 104.76.78.101 malicious
149.154.167.99 GB Telegram Messenger Inc 149.154.167.99 malicious
5.75.246.163 DE Hetzner Online GmbH 5.75.246.163 clean
104.76.78.101 US Akamai International B.V. 104.76.78.101 malicious
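The network table above, read together with the "Communicates with host for which no DNS query was performed" and "Steals private information from local Internet browsers" signatures, shows the two things a responder would want to pull out of this run: the sample fetches the Mozilla NSS and SQLite DLL set (nss3, softokn3, freebl3, mozglue, sqlite3) over plain HTTP from a bare IP it never resolved, and it contacts a Steam profile page of the kind stealers use as a dead-drop resolver for the real C2. The script below is an added triage example, not part of the report or of any sandbox vendor's code; the request list and the "DNS resolved" set are constructed from the table above, and the three-DLL threshold and the dead-drop URL patterns are the author's assumptions.

```python
"""Triage a sandbox HTTP request list for the browser-stealer loader pattern.

Added example. The REQUESTS and DNS_RESOLVED values are constructed from the
report's Network section; MIN_NSS_HITS and DEAD_DROP_PATTERNS are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed from the report: URLs requested by build.exe during the run.
REQUESTS = [
    "http://5.75.246.163/softokn3.dll",
    "http://5.75.246.163/vcruntime140.dll",
    "http://5.75.246.163/msvcp140.dll",
    "http://5.75.246.163/freebl3.dll",
    "http://5.75.246.163/mozglue.dll",
    "http://5.75.246.163/sqlite3.dll",
    "http://5.75.246.163/",
    "http://5.75.246.163/nss3.dll",
    "https://steamcommunity.com/profiles/76561199568528949",
]

# Constructed: hostnames that were resolved via DNS during the run. The Hetzner
# IP is absent, which is what the "no DNS query" signature is reporting.
DNS_RESOLVED = {"steamcommunity.com", "t.me"}

# DLLs needed to read Firefox (NSS: key4.db/logins.json) and Chromium/Firefox
# SQLite stores. Legitimate software ships these with the application, not
# as loose files pulled from a raw IP at runtime.
NSS_SQLITE_DLLS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll", "sqlite3.dll"}
MIN_NSS_HITS = 3  # assumption: three of the five from one host is enough to flag

# Public profile pages commonly abused to host the real C2 address (assumption).
DEAD_DROP_PATTERNS = [
    re.compile(r"^https?://steamcommunity\.com/profiles/\d+", re.I),
    re.compile(r"^https?://t\.me/[A-Za-z0-9_]+", re.I),
]


def is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(requests, dns_resolved):
    """Return direct-to-IP hosts, dead-drop URLs, NSS/SQLite staging hosts and IOCs."""
    direct_ip_hosts = set()
    dead_drop_urls = []
    dlls_by_host = {}
    iocs = set()
    for url in requests:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host:
            continue
        iocs.add(host)
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if filename in NSS_SQLITE_DLLS:
            dlls_by_host.setdefault(host, set()).add(filename)
        # HTTP to a literal IP with no preceding DNS lookup: hard-coded C2/staging host.
        if is_bare_ip(host) and host not in dns_resolved:
            direct_ip_hosts.add(host)
        if any(p.match(url) for p in DEAD_DROP_PATTERNS):
            dead_drop_urls.append(url)
            iocs.add(url)
    # Only hosts that served enough of the NSS/SQLite set count as staging servers;
    # a single runtime DLL such as vcruntime140.dll does not trip this rule.
    nss_dll_hosts = {h: sorted(d) for h, d in dlls_by_host.items() if len(d) >= MIN_NSS_HITS}
    return {
        "direct_ip_hosts": sorted(direct_ip_hosts),
        "dead_drop_urls": dead_drop_urls,
        "nss_dll_hosts": nss_dll_hosts,
        "iocs": sorted(iocs),
    }


if __name__ == "__main__":
    for key, value in triage(REQUESTS, DNS_RESOLVED).items():
        print(f"{key}: {value}")
```

The DLL check is deliberately a set threshold rather than a single filename: downloading one NSS library is odd but not conclusive, while pulling most of the set from a host that was never resolved by name is the loader behaviour this family shows. The dead-drop URLs are kept as IOCs on their own, because blocking steamcommunity.com or t.me wholesale is rarely acceptable, while the specific profile path is.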

Suricata ids

PE API

IAT(Import Address Table) Library

SHLWAPI.dll
 0x4190cc None
msvcrt.dll
 0x4190dc strlen
 0x4190e0 memcmp
 0x4190e4 strcpy_s
 0x4190e8 srand
 0x4190ec memcpy
 0x4190f0 strncpy
 0x4190f4 malloc
 0x4190f8 _wtoi64
 0x4190fc rand
 0x419100 memset
 0x419104 atexit
 0x419108 strchr
 0x41910c strtok_s
 0x419110 ??_U@YAPAXI@Z
KERNEL32.dll
 0x419010 GetStringTypeW
 0x419014 MultiByteToWideChar
 0x419018 LCMapStringW
 0x41901c ExitProcess
 0x419020 lstrlenA
 0x419024 LocalAlloc
 0x419028 VirtualProtect
 0x41902c FileTimeToSystemTime
 0x419030 GetProcAddress
 0x419034 LoadLibraryA
 0x419038 IsValidCodePage
 0x41903c GetOEMCP
 0x419040 GetACP
 0x419044 GetCPInfo
 0x419048 WideCharToMultiByte
 0x41904c HeapAlloc
 0x419050 InterlockedDecrement
 0x419054 UnhandledExceptionFilter
 0x419058 SetUnhandledExceptionFilter
 0x41905c IsDebuggerPresent
 0x419060 EncodePointer
 0x419064 DecodePointer
 0x419068 TerminateProcess
 0x41906c GetCurrentProcess
 0x419070 InitializeCriticalSectionAndSpinCount
 0x419074 LeaveCriticalSection
 0x419078 EnterCriticalSection
 0x41907c GetLastError
 0x419080 HeapFree
 0x419084 RtlUnwind
 0x419088 GetModuleHandleW
 0x41908c Sleep
 0x419090 WriteFile
 0x419094 GetStdHandle
 0x419098 GetModuleFileNameW
 0x41909c LoadLibraryW
 0x4190a0 TlsGetValue
 0x4190a4 TlsSetValue
 0x4190a8 InterlockedIncrement
 0x4190ac SetLastError
 0x4190b0 GetCurrentThreadId
USER32.dll
 0x4190d4 CharToOemA
ADVAPI32.dll
 0x419000 RegGetValueA
 0x419004 RegOpenKeyExA
 0x419008 GetCurrentHwProfileA
ole32.dll
 0x419118 CoCreateInstance
 0x41911c CoSetProxyBlanket
 0x419120 CoInitializeSecurity
 0x419124 CoInitializeEx
OLEAUT32.dll
 0x4190b8 SysFreeString
 0x4190bc VariantInit
 0x4190c0 VariantClear
 0x4190c4 SysAllocString

EAT(Export Address Table) is none
