popup

Report - asusns.exe

Formbook AntiDebug AntiVM PE32 PE File .NET EXE
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.11.26 13:40 Machine s1_win7_x6403
Filename asusns.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
8
 Behavior Score
9.6
ZERO API file : malware
VT API (file) 43 detected (Agensla, GenericKD, AgentTesla, Vzoj, TrojanPSW, Malcode, gdn33, malicious, high confidence, Kryptik, AKFG, score, Gencirc, Krypt, Swotter, osihm, Inject4, Static AI, Malicious PE, Eldorado, ai score=82, 8YIDO5, Detected, unsafe, Chgt, R06CH0DKM23, MSIL@AI, MSIL2, aPPNnipDfTU3Tp0DLbw, GenKryptik, GJKZ, ZemsilF, Lm0@a8EbNco, confidence, 100%)
md5 e59325a169b1a80fd0525ea86e130ff8
sha256 ece7b97dcb7fcba52f0b348578e52178bbb7bcc22540ed9123997b90c14323e8
ssdeep 12288:fy8oXi8ViC92Z8y/2mpBT32oQMwUaQs5+A6JYJL:fFUzN82mpJ2zMwUaQkoJcL
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (19cnts)

Level Description
danger File has been identified by 43 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Code injection by writing an executable or DLL to the memory of another process
watch Deletes executed files from disk
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice One or more potentially interesting buffers were extracted
notice Resolves a suspicious Top Level Domain (TLD)
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info This executable has a PDB path

Rules (13cnts)

Level Name Description Collection
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (42cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.oneillspubs.com/zqco/
whois
Unknown 199.59.243.225 38338 mailcious
http://www.ezus.life/zqco/
whois
US GOOGLE 34.96.147.60 38339 mailcious
http://www.zz23xw.top/zqco/
whois
US VPSQUAN 198.44.187.121 38337 mailcious
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3150000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.ofupakoshi.com/zqco/
whois
JP GMO Internet,Inc 118.27.125.154 38341 mailcious
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.speedbikesglobal.com/zqco/?-KdqcZn=9kePTKggf4eP6/DCGbsdghdg+/LhYxsxm+U+B1ESzIz+TmizgBdCe1eXOmqUrZ0x2YkFTu0erOvA47Ha2c+EVc4yEgJLqy1Od5EFPsA=&oL=5GEbKQ
whois
US LEASEWEB-USA-WDC 207.244.126.150 38340 mailcious
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.talknconvert.com/zqco/?-KdqcZn=+y3ZRElHCLe7jmdKMp2JFPlUK9YT5bvGGHfUVKPtd2bXz9pNtTUvPUI0E2mMKKDMK40SLr9h4U0bLKuGzmPR68kee6xzU8cXih09j6g=&oL=5GEbKQ
whois
US GOOGLE 34.120.137.41 38336 mailcious
http://www.ezus.life/zqco/?-KdqcZn=u471bzHmixRgx8jG34/3521QRSoafTDA19WcHl++OFLBIVcH0DdbJeLxOpVlrYL99BmDVXWg0zcKhLFxNQar41PBegN+NBU9NC/0Y9c=&oL=5GEbKQ
whois
US GOOGLE 34.96.147.60 38339 mailcious
http://www.54c7pv.top/zqco/?-KdqcZn=XV3W3W1bHvM399Du4uoMZ6VmM7juBhQ9XL1FfmdLfANGdpYh3tpg4K62NhqwFVpBYKsURc+EQi3NVVDNf+vTi2grpbzFJu9fs/bFcso=&oL=5GEbKQ
whois
HK VPSQUAN 154.91.180.241 38344 mailcious
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3130000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.54c7pv.top/zqco/
whois
HK VPSQUAN 154.91.180.241 38344 mailcious
http://www.wearehydrant.com/zqco/
whois
CA TUCOWS 216.40.34.41 38343 mailcious
http://www.velvet-key-properties.top/zqco/?-KdqcZn=3cujheEXCxTSONvEGgHYK3Ro6UrcWljFRITPND+osZObjxCf4likA3rqCl3sr+p4oSCTpecI3ocHZbRBmm9rhynO4PrZ/611WMrx7zI=&oL=5GEbKQ
whois
CA ACP 162.0.222.119 38342 mailcious
http://www.wearehydrant.com/zqco/?-KdqcZn=yN+4vjoTZa2+2rQfpO28lQWMu+aZ3T74Wrnr375QTRpmINRbNSsldLaHn5rMvgmgz4hpMiEXqXqPXNl5+v6fM5IMtXKekPO/Z+VSq9A=&oL=5GEbKQ
whois
CA TUCOWS 216.40.34.41 38343 mailcious
http://www.velvet-key-properties.top/zqco/
whois
CA ACP 162.0.222.119 38342 mailcious
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3120000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.zz23xw.top/zqco/?-KdqcZn=VoRUmMaSMr2kGXzG8DGzs0cy5P6qw2FvfeSWrzBmFVf4r1pcQgw7LosabWMBXohSSG87M+jYFIXYlgYqysxLRuA79T8FIpBWYkRSO2Y=&oL=5GEbKQ
whois
US VPSQUAN 198.44.187.121 38337 mailcious
http://www.oneillspubs.com/zqco/?-KdqcZn=XdRd7IBdWEpb/jCY/gch7kg+lw27Z26x+D3ieONLL7CY8BddAHnhXbvHyElLQzrirdgR+wn8qaFBYv6gfz4EEy7O0ffUbALIB58FlQs=&oL=5GEbKQ
whois
Unknown 199.59.243.225 38338 mailcious
http://www.ofupakoshi.com/zqco/?-KdqcZn=oR8rxthcq91bDeb9vmLMA5uA0V6TVpHsZzEUlFltfnhRD4eEP3S8Ru2FP+uQ72DlNChyjz/yveiA7oMKQr7r0mPigqg1fcYUoRyODkg=&oL=5GEbKQ
whois
JP GMO Internet,Inc 118.27.125.154 38341 mailcious
http://www.speedbikesglobal.com/zqco/
whois
US LEASEWEB-USA-WDC 207.244.126.150 38340 mailcious
http://www.talknconvert.com/zqco/
whois
US GOOGLE 34.120.137.41 38336 mailcious
www.talknconvert.com
whois
US GOOGLE 34.120.137.41 mailcious
www.ofupakoshi.com
whois
JP GMO Internet,Inc 118.27.125.154 mailcious
www.velvet-key-properties.top
whois
CA ACP 162.0.222.119 mailcious
www.wearehydrant.com
whois
CA TUCOWS 216.40.34.41 mailcious
www.oneillspubs.com
whois
Unknown 199.59.243.225 mailcious
www.speedbikesglobal.com
whois
US LEASEWEB-USA-WDC 207.244.126.150 mailcious
www.zz23xw.top
whois
US VPSQUAN 198.44.187.121 mailcious
www.54c7pv.top
whois
HK VPSQUAN 154.91.180.241 mailcious
www.ezus.life
whois
US GOOGLE 34.96.147.60 mailcious
34.96.147.60
whois
US GOOGLE 34.96.147.60 mailcious
198.44.187.121
whois
US VPSQUAN 198.44.187.121 mailcious
207.244.126.150
whois
US LEASEWEB-USA-WDC 207.244.126.150 mailcious
154.91.180.241
whois
HK VPSQUAN 154.91.180.241 mailcious
199.59.243.225
whois
Unknown 199.59.243.225 mailcious
216.40.34.41
whois
CA TUCOWS 216.40.34.41 mailcious
45.33.6.223
whois
US Linode, LLC 45.33.6.223 clean
34.120.137.41
whois
US GOOGLE 34.120.137.41 mailcious
118.27.125.154
whois
JP GMO Internet,Inc 118.27.125.154 mailcious
162.0.222.119
whois
CA ACP 162.0.222.119 mailcious

Suricata ids

ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Observed DNS Query to .life TLD
SURICATA HTTP Request abnormal Content-Encoding header
ET INFO HTTP Request to Suspicious *.life Domain

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure