popup

Report - unsecapp.exe

Malicious Library PE32 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.11.16 13:27 Machine s1_win7_x6401
Filename unsecapp.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
4.0
ZERO API file : malware
VT API (file) 54 detected (AIDetectMalware, Formbook, malicious, high confidence, Inject4, Zusy, Vl9i, confidence, 100%, ZexaF, peX@aaNRV2f, GenusT, DTQP, Attribute, HighConfidence, score, Noon, bfdm, u7ALXQCfWED, ZPACK, R06CC0DKE23, moderate, Outbreak, Detected, 11JTEDN, Eldorado, R619333, General, ai score=88, unsafe, Gjgl, Static AI, Malicious PE, susgen, PWSX)
md5 7630a755b70921f9f22891035c3628e9
sha256 10f863afc82cd61fdc8a55bc67e2726401ac51c4e9647ddd19dbf1ea30df9e09
ssdeep 6144:ReoIZR781uLl43/1Mg2p7F1bhUlCMSrSJ6Igy9WaukV3Y709:RkvJ4nspglx3J6tykNk2O
imphash
impfuzzy 3::
  Network IP location

Signature (8cnts)

Level Description
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Drops an executable to the user AppData folder
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (6cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (53cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.ezus.life/zqco/?wFt=u471bzHmixRgx8jG34/3521QRSoafTDA19WcHl++OFLBIVcH0DdbJeLxOpVlrYL99BmDVXWg0zcKhLFxNQar41PBegN+NBU9NC/0Y9c=&o0Ijw=FV31C
whois
US GOOGLE 34.96.147.60 clean
http://www.tauruss29.click/zqco/?wFt=BXZ/xzuuMumnvtIwilHAju88nUMjodQ2L7qTmXiCbitM75fYFK9Ni/+RZPv+ooYbFCP5HCJJxbmcDVUQEF+nSIUi2tQgIq30IPYEAqs=&o0Ijw=FV31C
whois
US HAWKHOST 198.252.99.243 clean
http://www.velvet-key-properties.top/zqco/?wFt=3cujheEXCxTSONvEGgHYK3Ro6UrcWljFRITPND+osZObjxCf4likA3rqCl3sr+p4oSCTpecI3ocHZbRBmm9rhynO4PrZ/611WMrx7zI=&o0Ijw=FV31C
whois
CA ACP 162.0.222.119 clean
http://www.stprov.biz/zqco/?wFt=ogfkNg/1tCd9W0WeOmHDQCOqLPOGwiuWSgR6FQ2+VD8GhLug2Ctv0H3GE0eldR7xC4dFHEP3Eqt1pFBXCYATF7XInOdNSl+LOLADaFA=&o0Ijw=FV31C
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.132 clean
http://www.wearehydrant.com/zqco/?wFt=yN+4vjoTZa2+2rQfpO28lQWMu+aZ3T74Wrnr375QTRpmINRbNSsldLaHn5rMvgmgz4hpMiEXqXqPXNl5+v6fM5IMtXKekPO/Z+VSq9A=&o0Ijw=FV31C
whois
CA TUCOWS 216.40.34.41 clean
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.oneillspubs.com/zqco/?wFt=XdRd7IBdWEpb/jCY/gch7kg+lw27Z26x+D3ieONLL7CY8BddAHnhXbvHyElLQzrirdgR+wn8qaFBYv6gfz4EEy7O0ffUbALIB58FlQs=&o0Ijw=FV31C
whois
Unknown 199.59.243.225 clean
http://www.speedbikesglobal.com/zqco/?wFt=9kePTKggf4eP6/DCGbsdghdg+/LhYxsxm+U+B1ESzIz+TmizgBdCe1eXOmqUrZ0x2YkFTu0erOvA47Ha2c+EVc4yEgJLqy1Od5EFPsA=&o0Ijw=FV31C
whois
US LEASEWEB-USA-WDC 207.244.126.150 clean
http://www.ofupakoshi.com/zqco/?wFt=oR8rxthcq91bDeb9vmLMA5uA0V6TVpHsZzEUlFltfnhRD4eEP3S8Ru2FP+uQ72DlNChyjz/yveiA7oMKQr7r0mPigqg1fcYUoRyODkg=&o0Ijw=FV31C
whois
JP GMO Internet,Inc 118.27.125.154 clean
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.zz23xw.top/zqco/?wFt=VoRUmMaSMr2kGXzG8DGzs0cy5P6qw2FvfeSWrzBmFVf4r1pcQgw7LosabWMBXohSSG87M+jYFIXYlgYqysxLRuA79T8FIpBWYkRSO2Y=&o0Ijw=FV31C
whois
US VPSQUAN 198.44.187.121 clean
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.surcebmx.shop/zqco/?wFt=sVrFTG3ePMlGeHtN+9NOfDvz/GoZiwZc2hOKEoTgtp1zYewc+7d6IlOKQB9rGmOyetA1JhIO28lR44+yf+JFgN9FJ6btdItGqkraV1A=&o0Ijw=FV31C
whois
US CLOUDFLARENET 172.67.134.1 clean
http://www.brls.money/zqco/?wFt=kJJUs3T9xo/faco/szFu0NbjBV/XWn0UwEs2UTEFdB9bg8qGS48Zihll1h6n106FVzSgHW/cbGOli2i8W1uBzVY1OSvzf5lm+SHpTzw=&o0Ijw=FV31C
whois
US AMAZON-02 76.76.21.164 clean
http://www.54c7pv.top/zqco/?wFt=XV3W3W1bHvM399Du4uoMZ6VmM7juBhQ9XL1FfmdLfANGdpYh3tpg4K62NhqwFVpBYKsURc+EQi3NVVDNf+vTi2grpbzFJu9fs/bFcso=&o0Ijw=FV31C
whois
HK VPSQUAN 154.91.180.241 clean
http://www.ayotundewrites.com/zqco/?wFt=+wI3MeD3jbNUmfUR22cpBsb5CtqXzI827TrKoKznZ2673z1g+k3Zglb4E7/i1xr4Z9cBRHIArS2WPt0us+pQAzv8dUN4XDgXBL/DreA=&o0Ijw=FV31C
whois
NG SkyVision Global Networks Ltd 83.229.19.76 clean
http://www.izabeladesa.com/zqco/?wFt=xgP5YBHAlkZQY3zMM6zpGwRaICyRepfzD3pvdIKGHZOpNZwdZqd18fiXnD4wcHdwNOCnD+EJd+f9y7+0iF4km1rz8VJupnABKYXyGpk=&o0Ijw=FV31C
whois
US UNIFIEDLAYER-AS-1 192.185.223.51 clean
http://www.talknconvert.com/zqco/
whois
US GOOGLE 34.120.137.41 clean
http://www.talknconvert.com/zqco/?wFt=+y3ZRElHCLe7jmdKMp2JFPlUK9YT5bvGGHfUVKPtd2bXz9pNtTUvPUI0E2mMKKDMK40SLr9h4U0bLKuGzmPR68kee6xzU8cXih09j6g=&o0Ijw=FV31C
whois
US GOOGLE 34.120.137.41 clean
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
whois
US Linode, LLC 45.33.6.223 clean
www.izabeladesa.com
whois
US UNIFIEDLAYER-AS-1 192.185.223.51 clean
www.ofupakoshi.com
whois
JP GMO Internet,Inc 118.27.125.154 clean
www.tauruss29.click
whois
US HAWKHOST 198.252.99.243 clean
www.talknconvert.com
whois
US GOOGLE 34.120.137.41 clean
www.cardsfinanse.online
whois
Unknown clean
www.brls.money
whois
US AMAZON-02 76.76.21.93 clean
www.velvet-key-properties.top
whois
CA ACP 162.0.222.119 clean
www.wearehydrant.com
whois
CA TUCOWS 216.40.34.41 clean
www.oneillspubs.com
whois
Unknown 199.59.243.225 clean
www.ayotundewrites.com
whois
NG SkyVision Global Networks Ltd 83.229.19.76 clean
www.stprov.biz
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.132 clean
www.surcebmx.shop
whois
US CLOUDFLARENET 104.21.25.102 clean
www.speedbikesglobal.com
whois
US LEASEWEB-USA-WDC 207.244.126.150 clean
www.zz23xw.top
whois
US VPSQUAN 198.44.187.121 clean
www.54c7pv.top
whois
HK VPSQUAN 154.91.180.241 clean
www.ezus.life
whois
US GOOGLE 34.96.147.60 clean
34.96.147.60
whois
US GOOGLE 34.96.147.60 clean
83.229.19.76
whois
NG SkyVision Global Networks Ltd 83.229.19.76 clean
199.59.243.225
whois
Unknown 199.59.243.225 mailcious
172.67.134.1
whois
US CLOUDFLARENET 172.67.134.1 clean
198.44.187.121
whois
US VPSQUAN 198.44.187.121 clean
207.244.126.150
whois
US LEASEWEB-USA-WDC 207.244.126.150 mailcious
154.91.180.241
whois
HK VPSQUAN 154.91.180.241 clean
192.185.223.51
whois
US UNIFIEDLAYER-AS-1 192.185.223.51 mailcious
216.40.34.41
whois
CA TUCOWS 216.40.34.41 mailcious
76.76.21.241
whois
US AMAZON-02 76.76.21.241 mailcious
45.33.6.223
whois
US Linode, LLC 45.33.6.223 clean
208.91.197.132
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.132 mailcious
34.120.137.41
whois
US GOOGLE 34.120.137.41 mailcious
118.27.125.154
whois
JP GMO Internet,Inc 118.27.125.154 clean
198.252.99.243
whois
US HAWKHOST 198.252.99.243 clean
162.0.222.119
whois
CA ACP 162.0.222.119 clean

Suricata ids

ET INFO Observed DNS Query to .biz TLD
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Observed DNS Query to .life TLD

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure