popup

Report - wlanext.exe

Formbook .NET framework(MSIL) PWS AntiDebug AntiVM PE32 PE File .NET EXE
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.11.29 11:25 Machine s1_win7_x6401
Filename wlanext.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
6
 Behavior Score
10.6
ZERO API file : malware
VT API (file) 35 detected (Malicious, score, confidence, 100%, Malcode, gdn34, high confidence, GenKryptik, GQMB, Agensla, PWSX, QQPass, QQRob, Simw, Inject4, Krypt, Outbreak, Taskun, Kryptik, Eldorado, bpcwi, Wacatac, AgentTesla, MBFC, VSOXHO, Detected, Artemis, unsafe, Chgt, R002H0DKS23, MSIL@AI, MSIL2, +J4+EpRurWsL54L4+cm3Lw, Static AI, Malicious PE, susgen, AKFO)
md5 09b88ab4bf59c36094bafec7a32bafed
sha256 ab7f85f4adde2c79c6c465b22e43f09a8bbba24b47b477ef00c2729ebd6bf268
ssdeep 12288:5wh7T6eE++l9jv4v7yl3ZtL1LbiTdWT8Korq9kFYeAHICjO8wVQmbCpANi:5whX6e49jvYQ3H1vd8b29XwE
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (22cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
watch A process attempted to delay the analysis task.
watch Allocates execute permission to another process indicative of possible code injection
watch Code injection by writing an executable or DLL to the memory of another process
watch Deletes executed files from disk
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername
info This executable has a PDB path

Rules (16cnts)

Level Name Description Collection
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (upload)
notice Generic_PWS_Memory_Zero PWS Memory memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (40cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.brls.money/zqco/?8E8fDE=kJJUs3T9xo/faco/szFu0NbjBV/XWn0UwEs2UTEFdB9bg8qGS48Zihll1h6n106FVzSgHW/cbGOli2i8W1uBzVY1OSvzf5lm+SHpTzw=&VYr=gIPPDnH2f7x
whois
US AMAZON-02 76.76.21.164 38345 mailcious
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.54c7pv.top/zqco/?8E8fDE=XV3W3W1bHvM399Du4uoMZ6VmM7juBhQ9XL1FfmdLfANGdpYh3tpg4K62NhqwFVpBYKsURc+EQi3NVVDNf+vTi2grpbzFJu9fs/bFcso=&VYr=gIPPDnH2f7x
whois
HK VPSQUAN 154.91.180.241 38344 mailcious
http://www.zz23xw.top/zqco/?8E8fDE=VoRUmMaSMr2kGXzG8DGzs0cy5P6qw2FvfeSWrzBmFVf4r1pcQgw7LosabWMBXohSSG87M+jYFIXYlgYqysxLRuA79T8FIpBWYkRSO2Y=&VYr=gIPPDnH2f7x
whois
US VPSQUAN 198.44.187.121 38337 mailcious
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.ofupakoshi.com/zqco/?8E8fDE=oR8rxthcq91bDeb9vmLMA5uA0V6TVpHsZzEUlFltfnhRD4eEP3S8Ru2FP+uQ72DlNChyjz/yveiA7oMKQr7r0mPigqg1fcYUoRyODkg=&VYr=gIPPDnH2f7x
whois
JP GMO Internet,Inc 118.27.125.154 38341 mailcious
http://www.ezus.life/zqco/?8E8fDE=u471bzHmixRgx8jG34/3521QRSoafTDA19WcHl++OFLBIVcH0DdbJeLxOpVlrYL99BmDVXWg0zcKhLFxNQar41PBegN+NBU9NC/0Y9c=&VYr=gIPPDnH2f7x
whois
US GOOGLE 34.96.147.60 38339 mailcious
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.speedbikesglobal.com/zqco/?8E8fDE=9kePTKggf4eP6/DCGbsdghdg+/LhYxsxm+U+B1ESzIz+TmizgBdCe1eXOmqUrZ0x2YkFTu0erOvA47Ha2c+EVc4yEgJLqy1Od5EFPsA=&VYr=gIPPDnH2f7x
whois
US LEASEWEB-USA-WDC 207.244.126.150 38340 mailcious
http://www.velvet-key-properties.top/zqco/?8E8fDE=3cujheEXCxTSONvEGgHYK3Ro6UrcWljFRITPND+osZObjxCf4likA3rqCl3sr+p4oSCTpecI3ocHZbRBmm9rhynO4PrZ/611WMrx7zI=&VYr=gIPPDnH2f7x
whois
CA ACP 162.0.222.119 38342 mailcious
http://www.stprov.biz/zqco/?8E8fDE=ogfkNg/1tCd9W0WeOmHDQCOqLPOGwiuWSgR6FQ2+VD8GhLug2Ctv0H3GE0eldR7xC4dFHEP3Eqt1pFBXCYATF7XInOdNSl+LOLADaFA=&VYr=gIPPDnH2f7x
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.132 38346 mailcious
http://www.wearehydrant.com/zqco/?8E8fDE=yN+4vjoTZa2+2rQfpO28lQWMu+aZ3T74Wrnr375QTRpmINRbNSsldLaHn5rMvgmgz4hpMiEXqXqPXNl5+v6fM5IMtXKekPO/Z+VSq9A=&VYr=gIPPDnH2f7x
whois
CA TUCOWS 216.40.34.41 38343 mailcious
http://www.oneillspubs.com/zqco/?8E8fDE=XdRd7IBdWEpb/jCY/gch7kg+lw27Z26x+D3ieONLL7CY8BddAHnhXbvHyElLQzrirdgR+wn8qaFBYv6gfz4EEy7O0ffUbALIB58FlQs=&VYr=gIPPDnH2f7x
whois
Unknown 199.59.243.225 38338 mailcious
http://www.talknconvert.com/zqco/?8E8fDE=+y3ZRElHCLe7jmdKMp2JFPlUK9YT5bvGGHfUVKPtd2bXz9pNtTUvPUI0E2mMKKDMK40SLr9h4U0bLKuGzmPR68kee6xzU8cXih09j6g=&VYr=gIPPDnH2f7x
whois
US GOOGLE 34.120.137.41 38336 mailcious
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.talknconvert.com/zqco/
whois
US GOOGLE 34.120.137.41 38336 mailcious
www.ofupakoshi.com
whois
JP GMO Internet,Inc 118.27.125.154 mailcious
www.talknconvert.com
whois
US GOOGLE 34.120.137.41 mailcious
www.velvet-key-properties.top
whois
CA ACP 162.0.222.119 mailcious
www.cardsfinanse.online
whois
Unknown mailcious
www.brls.money
whois
US AMAZON-02 76.76.21.164 mailcious
www.wearehydrant.com
whois
CA TUCOWS 216.40.34.41 mailcious
www.oneillspubs.com
whois
Unknown 199.59.243.225 mailcious
www.stprov.biz
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.132 mailcious
www.speedbikesglobal.com
whois
US LEASEWEB-USA-WDC 207.244.126.150 mailcious
www.zz23xw.top
whois
US VPSQUAN 198.44.187.121 mailcious
www.54c7pv.top
whois
HK VPSQUAN 154.91.180.241 mailcious
www.ezus.life
whois
US GOOGLE 34.96.147.60 mailcious
34.96.147.60
whois
US GOOGLE 34.96.147.60 mailcious
198.44.187.121
whois
US VPSQUAN 198.44.187.121 mailcious
207.244.126.150
whois
US LEASEWEB-USA-WDC 207.244.126.150 mailcious
154.91.180.241
whois
HK VPSQUAN 154.91.180.241 mailcious
199.59.243.225
whois
Unknown 199.59.243.225 mailcious
216.40.34.41
whois
CA TUCOWS 216.40.34.41 mailcious
45.33.6.223
whois
US Linode, LLC 45.33.6.223 clean
208.91.197.132
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.132 mailcious
34.120.137.41
whois
US GOOGLE 34.120.137.41 mailcious
118.27.125.154
whois
JP GMO Internet,Inc 118.27.125.154 mailcious
76.76.21.98
whois
US AMAZON-02 76.76.21.98 mailcious
162.0.222.119
whois
CA ACP 162.0.222.119 mailcious

Suricata ids

ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .biz TLD
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Observed DNS Query to .life TLD

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure