Report - home.exe

Tags: Malicious Library, Malicious Packer, UPX, PE32, PE File, OS Processor Check, ZIP Format, Lnk Format, GIF Format
Created 2023.11.18 12:43
Machine s1_win7_x6401
Filename home.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 1
Behavior Score 11.8
ZERO API file : malicious
VT API (file)
md5 0569253c2d7bbd34d6576729c420930f
sha256 d7383edcabb71dfe9407751f24c450aaa0f958b495d08dc1a47d63ee74215b2b
ssdeep 24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJgrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TIrK5Zln2i6
imphash 7482a1595744a3c77ac9461f3f27a729
impfuzzy 96:5jEHYkNaDPc+p7tGOWqneffFmGGFWkOYZoNcAfXyln:GHrNvctGHqW0Z+8
Signature (27cnts)

Level Description
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to identify installed AV products by installation directory
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
watch Installs itself for autorun at Windows startup
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Looks up the external IP address
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (9cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info lnk_file_format Microsoft Windows Shortcut File Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info zip_file_format ZIP file format binaries (download)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
https://db-ip.com/demo/home.php?s=175.208.134.152 US CLOUDFLARENET 104.26.5.15 clean
ipinfo.io US GOOGLE 34.117.59.81 clean
db-ip.com US CLOUDFLARENET 104.26.4.15 clean
104.26.5.15 US CLOUDFLARENET 104.26.5.15 clean
34.117.59.81 US GOOGLE 34.117.59.81 clean
194.49.94.152 Unknown 194.49.94.152 malicious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x506054 GetCurrentThreadId
 0x506058 GetModuleHandleA
 0x50605c GetLocaleInfoA
 0x506060 OpenProcess
 0x506064 CreateToolhelp32Snapshot
 0x506068 MultiByteToWideChar
 0x50606c Sleep
 0x506070 GetTempPathA
 0x506074 GetModuleHandleExA
 0x506078 GetTimeZoneInformation
 0x50607c GetTickCount64
 0x506080 CopyFileA
 0x506084 GetLastError
 0x506088 GetFileAttributesA
 0x50608c TzSpecificLocalTimeToSystemTime
 0x506090 CreateFileA
 0x506094 SetEvent
 0x506098 TerminateThread
 0x50609c LoadLibraryA
 0x5060a0 GetVersionExA
 0x5060a4 DeleteFileA
 0x5060a8 Process32Next
 0x5060ac CloseHandle
 0x5060b0 GetSystemInfo
 0x5060b4 CreateThread
 0x5060b8 ResetEvent
 0x5060bc GetWindowsDirectoryA
 0x5060c0 HeapAlloc
 0x5060c4 SetFileAttributesA
 0x5060c8 GetLocalTime
 0x5060cc GetProcAddress
 0x5060d0 VirtualAllocEx
 0x5060d4 LocalFree
 0x5060d8 IsProcessorFeaturePresent
 0x5060dc GetFileSize
 0x5060e0 RemoveDirectoryA
 0x5060e4 ExitProcess
 0x5060e8 GetCurrentProcessId
 0x5060ec GetProcessHeap
 0x5060f0 GlobalMemoryStatusEx
 0x5060f4 FreeLibrary
 0x5060f8 WideCharToMultiByte
 0x5060fc CreateRemoteThread
 0x506100 CreateProcessA
 0x506104 CreateDirectoryA
 0x506108 GetSystemTime
 0x50610c VirtualFreeEx
 0x506110 LocalAlloc
 0x506114 CreateEventA
 0x506118 GetPrivateProfileStringA
 0x50611c IsWow64Process
 0x506120 IsDebuggerPresent
 0x506124 GetComputerNameA
 0x506128 SetUnhandledExceptionFilter
 0x50612c lstrcatA
 0x506130 lstrcpyA
 0x506134 SetFilePointer
 0x506138 CreateFileW
 0x50613c AreFileApisANSI
 0x506140 EnterCriticalSection
 0x506144 GetFullPathNameW
 0x506148 GetDiskFreeSpaceW
 0x50614c LockFile
 0x506150 LeaveCriticalSection
 0x506154 InitializeCriticalSection
 0x506158 GetFullPathNameA
 0x50615c SetEndOfFile
 0x506160 GetTempPathW
 0x506164 GetFileAttributesW
 0x506168 FormatMessageW
 0x50616c GetDiskFreeSpaceA
 0x506170 DeleteFileW
 0x506174 UnlockFile
 0x506178 LockFileEx
 0x50617c DeleteCriticalSection
 0x506180 GetSystemTimeAsFileTime
 0x506184 FormatMessageA
 0x506188 QueryPerformanceCounter
 0x50618c GetTickCount
 0x506190 FlushFileBuffers
 0x506194 WriteConsoleW
 0x506198 HeapSize
 0x50619c SetEnvironmentVariableW
 0x5061a0 FreeEnvironmentStringsW
 0x5061a4 GetEnvironmentStringsW
 0x5061a8 GetCommandLineW
 0x5061ac GetCommandLineA
 0x5061b0 GetOEMCP
 0x5061b4 GetACP
 0x5061b8 IsValidCodePage
 0x5061bc WaitForSingleObject
 0x5061c0 GetVolumeInformationA
 0x5061c4 CreateMutexA
 0x5061c8 FindClose
 0x5061cc lstrlenA
 0x5061d0 InitializeCriticalSectionEx
 0x5061d4 FindNextFileA
 0x5061d8 GetUserDefaultLocaleName
 0x5061dc TerminateProcess
 0x5061e0 WriteFile
 0x5061e4 GetCurrentProcess
 0x5061e8 HeapFree
 0x5061ec FindFirstFileA
 0x5061f0 WriteProcessMemory
 0x5061f4 Process32First
 0x5061f8 GetPrivateProfileSectionNamesA
 0x5061fc SetStdHandle
 0x506200 HeapReAlloc
 0x506204 EnumSystemLocalesW
 0x506208 GetUserDefaultLCID
 0x50620c ReadFile
 0x506210 IsValidLocale
 0x506214 GetLocaleInfoW
 0x506218 LCMapStringW
 0x50621c CompareStringW
 0x506220 GetTimeFormatW
 0x506224 GetDateFormatW
 0x506228 GetFileSizeEx
 0x50622c GetConsoleOutputCP
 0x506230 ReadConsoleW
 0x506234 GetConsoleMode
 0x506238 GetStdHandle
 0x50623c GetModuleFileNameW
 0x506240 GetFileType
 0x506244 SetFilePointerEx
 0x506248 GetModuleHandleExW
 0x50624c GetModuleFileNameA
 0x506250 lstrcpynA
 0x506254 LoadLibraryExW
 0x506258 TlsFree
 0x50625c TlsSetValue
 0x506260 TlsGetValue
 0x506264 TlsAlloc
 0x506268 InitializeCriticalSectionAndSpinCount
 0x50626c SetLastError
 0x506270 RaiseException
 0x506274 RtlUnwind
 0x506278 InitializeSListHead
 0x50627c GetStartupInfoW
 0x506280 UnhandledExceptionFilter
 0x506284 GetStringTypeW
 0x506288 FindFirstFileW
 0x50628c FindFirstFileExW
 0x506290 FindNextFileW
 0x506294 GetFileAttributesExW
 0x506298 GetFinalPathNameByHandleW
 0x50629c GetModuleHandleW
 0x5062a0 GetFileInformationByHandleEx
 0x5062a4 GetLocaleInfoEx
 0x5062a8 InitializeSRWLock
 0x5062ac ReleaseSRWLockExclusive
 0x5062b0 AcquireSRWLockExclusive
 0x5062b4 TryAcquireSRWLockExclusive
 0x5062b8 LCMapStringEx
 0x5062bc EncodePointer
 0x5062c0 DecodePointer
 0x5062c4 CompareStringEx
 0x5062c8 GetCPInfo
USER32.dll
 0x5062f8 ReleaseDC
 0x5062fc EnumDisplayDevicesA
 0x506300 wsprintfA
 0x506304 GetWindowRect
 0x506308 MessageBoxA
 0x50630c GetDesktopWindow
 0x506310 GetSystemMetrics
 0x506314 CharNextA
 0x506318 GetDC
 0x50631c GetKeyboardLayoutList
GDI32.dll
 0x50603c CreateCompatibleBitmap
 0x506040 SelectObject
 0x506044 CreateCompatibleDC
 0x506048 DeleteObject
 0x50604c BitBlt
ADVAPI32.dll
 0x506000 SystemFunction036
 0x506004 RegOpenKeyExA
 0x506008 RegSetValueExA
 0x50600c RegEnumKeyA
 0x506010 RegCloseKey
 0x506014 GetCurrentHwProfileA
 0x506018 RegQueryValueExA
 0x50601c CredEnumerateA
 0x506020 RegCreateKeyExA
 0x506024 CredFree
 0x506028 GetUserNameA
 0x50602c RegEnumKeyExA
SHELL32.dll
 0x5062e4 SHGetFolderPathA
 0x5062e8 ShellExecuteA
ole32.dll
 0x50638c CoCreateInstance
 0x506390 CoInitializeEx
 0x506394 CoUninitialize
 0x506398 CoInitialize
WS2_32.dll
 0x506324 shutdown
 0x506328 getaddrinfo
 0x50632c WSAStartup
 0x506330 closesocket
 0x506334 WSACleanup
 0x506338 socket
 0x50633c connect
 0x506340 recv
 0x506344 freeaddrinfo
 0x506348 setsockopt
 0x50634c WSAGetLastError
 0x506350 send
CRYPT32.dll
 0x506034 CryptUnprotectData
SHLWAPI.dll
 0x5062f0 PathFindExtensionA
gdiplus.dll
 0x506358 GdipSaveImageToFile
 0x50635c GdipGetImageEncodersSize
 0x506360 GdipFree
 0x506364 GdipDisposeImage
 0x506368 GdipCreateBitmapFromHBITMAP
 0x50636c GdipAlloc
 0x506370 GdipCloneImage
 0x506374 GdipGetImageEncoders
 0x506378 GdiplusShutdown
 0x50637c GdiplusStartup
SETUPAPI.dll
 0x5062d0 SetupDiGetClassDevsA
 0x5062d4 SetupDiEnumDeviceInfo
 0x5062d8 SetupDiGetDeviceInterfaceDetailA
 0x5062dc SetupDiEnumDeviceInterfaces
ntdll.dll
 0x506384 RtlUnicodeStringToAnsiString

EAT(Export Address Table) is none