Report - home.exe

Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format Lnk Format GIF Format
Created 2023.11.26 13:49 Machine s1_win7_x6403
Filename home.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 1
Behavior Score 13.2
ZERO API file : malicious
VT API (file) 43 detected (AIDetectMalware, Mint, Zard, Artemis, unsafe, malicious, ZexaF, Dv1@a4aq2Fpk, Attribute, HighConfidence, high confidence, ADVG, score, Tasker, TrojanX, Fajl, azfwy, MulDrop24, Sdum, Eldorado, RiseProStealer, R624285, BScope, TrojanPSW, RisePro, ai score=84, GdSda, CLASSIC, susgen, confidence, 100%)
md5 b5f964d3dbe27ea562d3a750af190bea
sha256 5a95175c3141c8f5891ce74366218d450a3180e6ca6636d940cd305594199ef7
ssdeep 24576:2opGDjnvrPpkjos0OtjcFc5kM49dj+IuxWQOIjuJuVvhbqL0HtFcgekRP9dT0WNI:OnvrPGT0Egyudc4tI3bqL0NFchaP9dTy
imphash 078471ac5a76189ffe465abe0c89c6b7
impfuzzy 96:5jEJkNadPc+p7tGOWqneffQBmGSWkO0pLNcTiXE9n:GiNtctGHOoWI1I
Network IP location

Signature (29cnts)

Level Description
danger File has been identified by 43 AntiVirus engines on VirusTotal as malicious
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
watch Installs itself for autorun at Windows startup
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Looks up the external IP address
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice Searches running processes, potentially to identify sandbox-related processes for evasion
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (9cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info lnk_file_format Microsoft Windows Shortcut File Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info zip_file_format ZIP file format binaries (download)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
https://db-ip.com/demo/home.php?s=175.208.134.152 US CLOUDFLARENET 172.67.75.166 clean
ipinfo.io US GOOGLE 34.117.59.81 clean
db-ip.com US CLOUDFLARENET 172.67.75.166 clean
172.67.75.166 US CLOUDFLARENET 172.67.75.166 clean
194.49.94.152 Unknown 194.49.94.152 malicious
34.117.59.81 US GOOGLE 34.117.59.81 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x537054 GetCurrentThreadId
 0x537058 GetModuleHandleA
 0x53705c GetLocaleInfoA
 0x537060 OpenProcess
 0x537064 CreateToolhelp32Snapshot
 0x537068 MultiByteToWideChar
 0x53706c Sleep
 0x537070 GetTempPathA
 0x537074 GetModuleHandleExA
 0x537078 GetTimeZoneInformation
 0x53707c GetTickCount64
 0x537080 CopyFileA
 0x537084 GetLastError
 0x537088 GetFileAttributesA
 0x53708c TzSpecificLocalTimeToSystemTime
 0x537090 CreateFileA
 0x537094 SetEvent
 0x537098 TerminateThread
 0x53709c LoadLibraryA
 0x5370a0 GetVersionExA
 0x5370a4 DeleteFileA
 0x5370a8 Process32Next
 0x5370ac CloseHandle
 0x5370b0 GetSystemInfo
 0x5370b4 CreateThread
 0x5370b8 ResetEvent
 0x5370bc GetWindowsDirectoryA
 0x5370c0 HeapAlloc
 0x5370c4 SetFileAttributesA
 0x5370c8 GetLocalTime
 0x5370cc GetProcAddress
 0x5370d0 VirtualAllocEx
 0x5370d4 LocalFree
 0x5370d8 IsProcessorFeaturePresent
 0x5370dc GetFileSize
 0x5370e0 RemoveDirectoryA
 0x5370e4 GetCurrentProcessId
 0x5370e8 GetProcessHeap
 0x5370ec GlobalMemoryStatusEx
 0x5370f0 FreeLibrary
 0x5370f4 WideCharToMultiByte
 0x5370f8 CreateRemoteThread
 0x5370fc CreateProcessA
 0x537100 CreateDirectoryA
 0x537104 GetSystemTime
 0x537108 VirtualFreeEx
 0x53710c LocalAlloc
 0x537110 CreateEventA
 0x537114 GetPrivateProfileStringA
 0x537118 IsWow64Process
 0x53711c IsDebuggerPresent
 0x537120 GetComputerNameA
 0x537124 SetUnhandledExceptionFilter
 0x537128 SetFilePointer
 0x53712c CreateFileW
 0x537130 AreFileApisANSI
 0x537134 EnterCriticalSection
 0x537138 GetFullPathNameW
 0x53713c GetDiskFreeSpaceW
 0x537140 LockFile
 0x537144 LeaveCriticalSection
 0x537148 InitializeCriticalSection
 0x53714c GetFullPathNameA
 0x537150 SetEndOfFile
 0x537154 GetTempPathW
 0x537158 GetFileAttributesW
 0x53715c FormatMessageW
 0x537160 GetDiskFreeSpaceA
 0x537164 DeleteFileW
 0x537168 UnlockFile
 0x53716c LockFileEx
 0x537170 DeleteCriticalSection
 0x537174 GetSystemTimeAsFileTime
 0x537178 FormatMessageA
 0x53717c QueryPerformanceCounter
 0x537180 GetTickCount
 0x537184 FlushFileBuffers
 0x537188 WriteConsoleW
 0x53718c HeapSize
 0x537190 SetEnvironmentVariableW
 0x537194 FreeEnvironmentStringsW
 0x537198 GetEnvironmentStringsW
 0x53719c GetCommandLineW
 0x5371a0 GetCommandLineA
 0x5371a4 GetOEMCP
 0x5371a8 GetACP
 0x5371ac IsValidCodePage
 0x5371b0 WaitForSingleObject
 0x5371b4 GetVolumeInformationA
 0x5371b8 CreateMutexA
 0x5371bc FindClose
 0x5371c0 lstrlenA
 0x5371c4 InitializeCriticalSectionEx
 0x5371c8 FindNextFileA
 0x5371cc GetUserDefaultLocaleName
 0x5371d0 TerminateProcess
 0x5371d4 WriteFile
 0x5371d8 GetCurrentProcess
 0x5371dc HeapFree
 0x5371e0 FindFirstFileA
 0x5371e4 WriteProcessMemory
 0x5371e8 Process32First
 0x5371ec GetPrivateProfileSectionNamesA
 0x5371f0 SetStdHandle
 0x5371f4 HeapReAlloc
 0x5371f8 EnumSystemLocalesW
 0x5371fc GetUserDefaultLCID
 0x537200 ReadFile
 0x537204 IsValidLocale
 0x537208 GetLocaleInfoW
 0x53720c LCMapStringW
 0x537210 CompareStringW
 0x537214 GetTimeFormatW
 0x537218 GetDateFormatW
 0x53721c GetFileSizeEx
 0x537220 GetConsoleOutputCP
 0x537224 ReadConsoleW
 0x537228 GetConsoleMode
 0x53722c GetStdHandle
 0x537230 GetModuleFileNameW
 0x537234 GetModuleHandleExW
 0x537238 ExitProcess
 0x53723c GetModuleFileNameA
 0x537240 lstrcpynA
 0x537244 GetFileType
 0x537248 SetFilePointerEx
 0x53724c LoadLibraryExW
 0x537250 TlsFree
 0x537254 TlsSetValue
 0x537258 TlsGetValue
 0x53725c TlsAlloc
 0x537260 InitializeCriticalSectionAndSpinCount
 0x537264 SetLastError
 0x537268 RaiseException
 0x53726c RtlUnwind
 0x537270 InitializeSListHead
 0x537274 GetStartupInfoW
 0x537278 FindFirstFileW
 0x53727c FindFirstFileExW
 0x537280 FindNextFileW
 0x537284 GetFileAttributesExW
 0x537288 GetFinalPathNameByHandleW
 0x53728c GetModuleHandleW
 0x537290 GetFileInformationByHandleEx
 0x537294 GetLocaleInfoEx
 0x537298 InitializeSRWLock
 0x53729c ReleaseSRWLockExclusive
 0x5372a0 AcquireSRWLockExclusive
 0x5372a4 TryAcquireSRWLockExclusive
 0x5372a8 LCMapStringEx
 0x5372ac EncodePointer
 0x5372b0 DecodePointer
 0x5372b4 CompareStringEx
 0x5372b8 GetCPInfo
 0x5372bc GetStringTypeW
 0x5372c0 UnhandledExceptionFilter
USER32.dll
 0x5372f0 GetWindowRect
 0x5372f4 GetDC
 0x5372f8 GetSystemMetrics
 0x5372fc GetKeyboardLayoutList
 0x537300 GetDesktopWindow
 0x537304 ReleaseDC
 0x537308 EnumDisplayDevicesA
 0x53730c CharNextA
 0x537310 wsprintfA
GDI32.dll
 0x53703c CreateCompatibleBitmap
 0x537040 SelectObject
 0x537044 CreateCompatibleDC
 0x537048 DeleteObject
 0x53704c BitBlt
ADVAPI32.dll
 0x537000 SystemFunction036
 0x537004 RegOpenKeyExA
 0x537008 RegSetValueExA
 0x53700c RegEnumKeyA
 0x537010 RegCloseKey
 0x537014 GetCurrentHwProfileA
 0x537018 RegQueryValueExA
 0x53701c CredEnumerateA
 0x537020 RegCreateKeyExA
 0x537024 CredFree
 0x537028 GetUserNameA
 0x53702c RegEnumKeyExA
SHELL32.dll
 0x5372dc SHGetFolderPathA
 0x5372e0 ShellExecuteA
ole32.dll
 0x537380 CoUninitialize
 0x537384 CoInitializeEx
 0x537388 CoCreateInstance
 0x53738c CoInitialize
WS2_32.dll
 0x537318 WSACleanup
 0x53731c closesocket
 0x537320 shutdown
 0x537324 getaddrinfo
 0x537328 WSAStartup
 0x53732c WSAGetLastError
 0x537330 socket
 0x537334 connect
 0x537338 recv
 0x53733c freeaddrinfo
 0x537340 setsockopt
 0x537344 send
CRYPT32.dll
 0x537034 CryptUnprotectData
SHLWAPI.dll
 0x5372e8 PathFindExtensionA
gdiplus.dll
 0x53734c GdipSaveImageToFile
 0x537350 GdipGetImageEncodersSize
 0x537354 GdipFree
 0x537358 GdipDisposeImage
 0x53735c GdipCreateBitmapFromHBITMAP
 0x537360 GdipAlloc
 0x537364 GdipCloneImage
 0x537368 GdipGetImageEncoders
 0x53736c GdiplusShutdown
 0x537370 GdiplusStartup
SETUPAPI.dll
 0x5372c8 SetupDiEnumDeviceInterfaces
 0x5372cc SetupDiGetClassDevsA
 0x5372d0 SetupDiEnumDeviceInfo
 0x5372d4 SetupDiGetDeviceInterfaceDetailA
ntdll.dll
 0x537378 RtlUnicodeStringToAnsiString

EAT (Export Address Table): none