Report - 123.exe

Tags: Malicious Library, UPX, PE32, PE File, MZP Format, OS Processor Check, JPEG Format, DLL
Created: 2023.11.29 14:33
Machine: s1_win7_x6401
Filename: 123.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 6
Behavior Score: 9.6
ZERO API file: malicious
VT API (file): 67 detected (AIDetectMalware, DarkKomet, tp6k, malicious, high confidence, Dacic, Nocivo, unsafe, Delf, Save, Zlob, Zorex, score, Zegost, hqxy, fazbwq, DownLoader22, NAPWHICH, QQPass, OAZM, HeurC, KVM007, atmn, DE@74b38h, Detected, X1799, FUSO, ai score=83, TScope, Genetic, SM22, Synaptics, CLASSIC, GenAsa, ETONJRQzPLk, Static AI, Malicious PE, susgen, confidence, 100%)
md5 5ab89a96be7570dfe4f49e6b9a42bc88
sha256 85789e8cfddea18201a13e3c953229ed1b03db7455208a398bb2268a39258354
ssdeep 24576:/nsJ39LyjbJkQFMhmC+6GD9GG6VasP7bgY+yP:/nsHyjtk2MYC5GD9A77
imphash 332f7ce65ead0adfb3d35147033aabe9
impfuzzy 192:v3BEQGsxL1ArqKmpbuuRrSUvK9acooqEse7RPbOQPa:v3rt1AsRA9OUPbOQC

Signature (19cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
danger File has been identified by 67 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Creates a Windows hook that monitors keyboard input (keylogger)
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique user agent
notice Allocates read-write-execute memory (usually to unpack itself)
notice Connects to a Dynamic DNS Domain
notice Creates executable files on the filesystem
notice Downloads a file or document from Google Drive
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice Looks up the Dropbox cloud service
notice Performs some HTTP requests
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (14cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (12cnts)

Request | CC | ASN | IP4 | Rule (ZERO)
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | US | AWKNET-LLC | 69.42.215.252 | clean
http://45.125.57.96:8888/8.77.dll | - | Unknown | 45.125.57.96 | clean
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download | US | GOOGLE | 142.251.220.14 | malware
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | US | GOOGLE | 142.251.220.14 | malicious
docs.google.com | US | GOOGLE | 142.250.206.206 | malicious
xred.mooo.com | - | Unknown | - | malicious
freedns.afraid.org | US | AWKNET-LLC | 69.42.215.252 | clean
www.dropbox.com | US | DROPBOX | 162.125.84.18 | malicious
69.42.215.252 | US | AWKNET-LLC | 69.42.215.252 | clean
45.125.57.96 | - | Unknown | 45.125.57.96 | malicious
142.251.220.14 | US | GOOGLE | 142.251.220.14 | clean
162.125.84.18 | US | DROPBOX | 162.125.84.18 | malicious
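The Network table mixes infrastructure the sample controls (the direct-to-IP DLL download and the xred.mooo.com dynamic-DNS name) with shared services (Google Docs, Dropbox, freedns.afraid.org) whose domains and IPs cannot be blocked without collateral damage. The script below is an added example, not part of the sandbox report or its tooling: it reads the rows as printed, keeps shared services only at full-URL granularity, and then replays the "communicates with host for which no DNS query was performed" signature over a DNS/connection event stream. The SHARED_HOSTS list and the SAMPLE_EVENTS records are constructed assumptions for illustration, not data from the report.

```python
"""Build an IOC set from the Network table of this report and replay the
"communicates with host for which no DNS query was performed" check over
connection/DNS events.  Added example, not the sandbox's code: the rows are
copied from the table above, while SHARED_HOSTS and SAMPLE_EVENTS are
constructed assumptions for illustration."""
import ipaddress
from urllib.parse import urlparse

# (Request, ASN, IP4, Rule) as printed in the Network table; "" = blank cell.
REPORT_NETWORK_ROWS = [
    ("http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
     "AWKNET-LLC", "69.42.215.252", "clean"),
    ("http://45.125.57.96:8888/8.77.dll", "Unknown", "45.125.57.96", "clean"),
    ("https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
     "GOOGLE", "142.251.220.14", "malware"),
    ("https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
     "GOOGLE", "142.251.220.14", "malicious"),
    ("docs.google.com", "GOOGLE", "142.250.206.206", "malicious"),
    ("xred.mooo.com", "Unknown", "", "malicious"),
    ("freedns.afraid.org", "AWKNET-LLC", "69.42.215.252", "clean"),
    ("www.dropbox.com", "DROPBOX", "162.125.84.18", "malicious"),
    ("69.42.215.252", "AWKNET-LLC", "69.42.215.252", "clean"),
    ("45.125.57.96", "Unknown", "45.125.57.96", "malicious"),
    ("142.251.220.14", "GOOGLE", "142.251.220.14", "clean"),
    ("162.125.84.18", "DROPBOX", "162.125.84.18", "malicious"),
]

# Assumption: multi-tenant services.  Blocking the host or its IP would hit
# legitimate traffic, so they are kept only at full-URL granularity.
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def classify(request):
    """Return ("url" | "ip" | "domain", normalised value)."""
    if "://" in request:
        return "url", request
    try:
        ipaddress.ip_address(request)
        return "ip", request
    except ValueError:
        return "domain", request.lower()


def build_iocs(rows, shared_hosts=SHARED_HOSTS):
    """Split the Request column into url/domain/ip indicator sets."""
    shared_ips = set()
    for request, _asn, ip4, _rule in rows:
        kind, value = classify(request)
        host = urlparse(value).hostname if kind == "url" else value
        if host in shared_hosts and ip4:
            shared_ips.add(ip4)

    iocs = {"url": set(), "domain": set(), "ip": set()}
    for request, _asn, _ip4, _rule in rows:
        kind, value = classify(request)
        if (kind == "domain" and value in shared_hosts) or (kind == "ip" and value in shared_ips):
            continue
        iocs[kind].add(value)
        if kind == "url":
            host_kind, host = classify(urlparse(value).hostname)
            if host_kind == "ip":  # a URL addressed straight to an IP is itself an indicator
                iocs["ip"].add(host)
    return iocs


# Constructed event stream (not from the report): chronological DNS answers
# and outbound connections as a proxy or network sensor would record them.
SAMPLE_EVENTS = [
    {"type": "dns", "qname": "freedns.afraid.org", "answers": ["69.42.215.252"]},
    {"type": "conn", "dst": "69.42.215.252", "dport": 80},
    {"type": "dns", "qname": "xred.mooo.com", "answers": []},
    {"type": "conn", "dst": "45.125.57.96", "dport": 8888},
    {"type": "dns", "qname": "docs.google.com", "answers": ["142.251.220.14"]},
    {"type": "conn", "dst": "142.251.220.14", "dport": 443},
    {"type": "conn", "dst": "203.0.113.9", "dport": 443},
]


def connections_without_dns(events):
    """Connections whose destination no earlier DNS answer resolved to.
    This is the logic behind the sandbox's "communicates with host for
    which no DNS query was performed" signature."""
    resolved, flagged = set(), []
    for ev in events:
        if ev["type"] == "dns":
            resolved.update(ev["answers"])
        elif ev["type"] == "conn" and ev["dst"] not in resolved:
            flagged.append(ev)
    return flagged


def triage(events, iocs):
    """Label each DNS-less connection as a known IOC or merely unresolved."""
    return [(ev["dst"], ev["dport"],
             "known IOC" if ev["dst"] in iocs["ip"] else "unresolved destination")
            for ev in connections_without_dns(events)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, build_iocs(REPORT_NETWORK_ROWS)):
        print(hit)
```

On the constructed stream only the direct connection to 45.125.57.96:8888 and the TEST-NET address come back; the Google and freedns connections were preceded by a DNS answer and are not flagged, which is exactly why the two Google Docs download URLs, not docs.google.com itself, are the usable indicators from this table.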

Suricata IDS alerts: none listed

PE API

IAT (Import Address Table), by library

kernel32.dll
 0x4a01cc DeleteCriticalSection
 0x4a01d0 LeaveCriticalSection
 0x4a01d4 EnterCriticalSection
 0x4a01d8 InitializeCriticalSection
 0x4a01dc VirtualFree
 0x4a01e0 VirtualAlloc
 0x4a01e4 LocalFree
 0x4a01e8 LocalAlloc
 0x4a01ec GetTickCount
 0x4a01f0 QueryPerformanceCounter
 0x4a01f4 GetVersion
 0x4a01f8 GetCurrentThreadId
 0x4a01fc InterlockedDecrement
 0x4a0200 InterlockedIncrement
 0x4a0204 VirtualQuery
 0x4a0208 WideCharToMultiByte
 0x4a020c SetCurrentDirectoryA
 0x4a0210 MultiByteToWideChar
 0x4a0214 lstrlenA
 0x4a0218 lstrcpynA
 0x4a021c LoadLibraryExA
 0x4a0220 GetThreadLocale
 0x4a0224 GetStartupInfoA
 0x4a0228 GetProcAddress
 0x4a022c GetModuleHandleA
 0x4a0230 GetModuleFileNameA
 0x4a0234 GetLocaleInfoA
 0x4a0238 GetLastError
 0x4a023c GetCurrentDirectoryA
 0x4a0240 GetCommandLineA
 0x4a0244 FreeLibrary
 0x4a0248 FindFirstFileA
 0x4a024c FindClose
 0x4a0250 ExitProcess
 0x4a0254 ExitThread
 0x4a0258 CreateThread
 0x4a025c WriteFile
 0x4a0260 UnhandledExceptionFilter
 0x4a0264 SetFilePointer
 0x4a0268 SetEndOfFile
 0x4a026c RtlUnwind
 0x4a0270 ReadFile
 0x4a0274 RaiseException
 0x4a0278 GetStdHandle
 0x4a027c GetFileSize
 0x4a0280 GetFileType
 0x4a0284 CreateFileA
 0x4a0288 CloseHandle
user32.dll
 0x4a0290 GetKeyboardType
 0x4a0294 LoadStringA
 0x4a0298 MessageBoxA
 0x4a029c CharNextA
advapi32.dll
 0x4a02a4 RegQueryValueExA
 0x4a02a8 RegOpenKeyExA
 0x4a02ac RegCloseKey
oleaut32.dll
 0x4a02b4 SysFreeString
 0x4a02b8 SysReAllocStringLen
 0x4a02bc SysAllocStringLen
kernel32.dll
 0x4a02c4 TlsSetValue
 0x4a02c8 TlsGetValue
 0x4a02cc LocalAlloc
 0x4a02d0 GetModuleHandleA
advapi32.dll
 0x4a02d8 RegSetValueExA
 0x4a02dc RegQueryValueExA
 0x4a02e0 RegOpenKeyExA
 0x4a02e4 RegNotifyChangeKeyValue
 0x4a02e8 RegFlushKey
 0x4a02ec RegDeleteValueA
 0x4a02f0 RegCreateKeyExA
 0x4a02f4 RegCloseKey
 0x4a02f8 OpenProcessToken
 0x4a02fc LookupPrivilegeValueA
 0x4a0300 GetUserNameA
 0x4a0304 AdjustTokenPrivileges
kernel32.dll
 0x4a030c lstrcpyA
 0x4a0310 WritePrivateProfileStringA
 0x4a0314 WriteFile
 0x4a0318 WaitForSingleObject
 0x4a031c WaitForMultipleObjects
 0x4a0320 VirtualQuery
 0x4a0324 VirtualAlloc
 0x4a0328 UpdateResourceA
 0x4a032c UnmapViewOfFile
 0x4a0330 TerminateProcess
 0x4a0334 Sleep
 0x4a0338 SizeofResource
 0x4a033c SetThreadLocale
 0x4a0340 SetFilePointer
 0x4a0344 SetFileAttributesA
 0x4a0348 SetEvent
 0x4a034c SetErrorMode
 0x4a0350 SetEndOfFile
 0x4a0354 ResumeThread
 0x4a0358 ResetEvent
 0x4a035c RemoveDirectoryA
 0x4a0360 ReadFile
 0x4a0364 OpenProcess
 0x4a0368 OpenMutexA
 0x4a036c MultiByteToWideChar
 0x4a0370 MulDiv
 0x4a0374 MoveFileA
 0x4a0378 MapViewOfFile
 0x4a037c LockResource
 0x4a0380 LoadResource
 0x4a0384 LoadLibraryA
 0x4a0388 LeaveCriticalSection
 0x4a038c InitializeCriticalSection
 0x4a0390 GlobalUnlock
 0x4a0394 GlobalReAlloc
 0x4a0398 GlobalHandle
 0x4a039c GlobalLock
 0x4a03a0 GlobalFree
 0x4a03a4 GlobalFindAtomA
 0x4a03a8 GlobalDeleteAtom
 0x4a03ac GlobalAlloc
 0x4a03b0 GlobalAddAtomA
 0x4a03b4 GetVersionExA
 0x4a03b8 GetVersion
 0x4a03bc GetTimeZoneInformation
 0x4a03c0 GetTickCount
 0x4a03c4 GetThreadLocale
 0x4a03c8 GetTempPathA
 0x4a03cc GetTempFileNameA
 0x4a03d0 GetSystemInfo
 0x4a03d4 GetSystemDirectoryA
 0x4a03d8 GetStringTypeExA
 0x4a03dc GetStdHandle
 0x4a03e0 GetProcAddress
 0x4a03e4 GetPrivateProfileStringA
 0x4a03e8 GetModuleHandleA
 0x4a03ec GetModuleFileNameA
 0x4a03f0 GetLogicalDrives
 0x4a03f4 GetLocaleInfoA
 0x4a03f8 GetLocalTime
 0x4a03fc GetLastError
 0x4a0400 GetFullPathNameA
 0x4a0404 GetFileSize
 0x4a0408 GetFileAttributesA
 0x4a040c GetExitCodeThread
 0x4a0410 GetDriveTypeA
 0x4a0414 GetDiskFreeSpaceA
 0x4a0418 GetDateFormatA
 0x4a041c GetCurrentThreadId
 0x4a0420 GetCurrentProcessId
 0x4a0424 GetCurrentProcess
 0x4a0428 GetComputerNameA
 0x4a042c GetCPInfo
 0x4a0430 GetACP
 0x4a0434 FreeResource
 0x4a0438 InterlockedIncrement
 0x4a043c InterlockedExchange
 0x4a0440 InterlockedDecrement
 0x4a0444 FreeLibrary
 0x4a0448 FormatMessageA
 0x4a044c FindResourceA
 0x4a0450 FindNextFileA
 0x4a0454 FindFirstFileA
 0x4a0458 FindClose
 0x4a045c FileTimeToLocalFileTime
 0x4a0460 FileTimeToDosDateTime
 0x4a0464 EnumCalendarInfoA
 0x4a0468 EnterCriticalSection
 0x4a046c EndUpdateResourceA
 0x4a0470 DeleteFileA
 0x4a0474 DeleteCriticalSection
 0x4a0478 CreateThread
 0x4a047c CreateProcessA
 0x4a0480 CreatePipe
 0x4a0484 CreateMutexA
 0x4a0488 CreateFileMappingA
 0x4a048c CreateFileA
 0x4a0490 CreateEventA
 0x4a0494 CreateDirectoryA
 0x4a0498 CopyFileA
 0x4a049c CompareStringA
 0x4a04a0 CloseHandle
 0x4a04a4 BeginUpdateResourceA
version.dll
 0x4a04ac VerQueryValueA
 0x4a04b0 GetFileVersionInfoSizeA
 0x4a04b4 GetFileVersionInfoA
gdi32.dll
 0x4a04bc UnrealizeObject
 0x4a04c0 StretchBlt
 0x4a04c4 SetWindowOrgEx
 0x4a04c8 SetWinMetaFileBits
 0x4a04cc SetViewportOrgEx
 0x4a04d0 SetTextColor
 0x4a04d4 SetStretchBltMode
 0x4a04d8 SetROP2
 0x4a04dc SetPixel
 0x4a04e0 SetEnhMetaFileBits
 0x4a04e4 SetDIBColorTable
 0x4a04e8 SetBrushOrgEx
 0x4a04ec SetBkMode
 0x4a04f0 SetBkColor
 0x4a04f4 SelectPalette
 0x4a04f8 SelectObject
 0x4a04fc SaveDC
 0x4a0500 RestoreDC
 0x4a0504 RectVisible
 0x4a0508 RealizePalette
 0x4a050c PlayEnhMetaFile
 0x4a0510 PatBlt
 0x4a0514 MoveToEx
 0x4a0518 MaskBlt
 0x4a051c LineTo
 0x4a0520 IntersectClipRect
 0x4a0524 GetWindowOrgEx
 0x4a0528 GetWinMetaFileBits
 0x4a052c GetTextMetricsA
 0x4a0530 GetTextExtentPoint32A
 0x4a0534 GetSystemPaletteEntries
 0x4a0538 GetStockObject
 0x4a053c GetPixel
 0x4a0540 GetPaletteEntries
 0x4a0544 GetObjectA
 0x4a0548 GetEnhMetaFilePaletteEntries
 0x4a054c GetEnhMetaFileHeader
 0x4a0550 GetEnhMetaFileBits
 0x4a0554 GetDeviceCaps
 0x4a0558 GetDIBits
 0x4a055c GetDIBColorTable
 0x4a0560 GetDCOrgEx
 0x4a0564 GetCurrentPositionEx
 0x4a0568 GetClipBox
 0x4a056c GetBrushOrgEx
 0x4a0570 GetBitmapBits
 0x4a0574 GdiFlush
 0x4a0578 ExcludeClipRect
 0x4a057c DeleteObject
 0x4a0580 DeleteEnhMetaFile
 0x4a0584 DeleteDC
 0x4a0588 CreateSolidBrush
 0x4a058c CreatePenIndirect
 0x4a0590 CreatePalette
 0x4a0594 CreateHalftonePalette
 0x4a0598 CreateFontIndirectA
 0x4a059c CreateDIBitmap
 0x4a05a0 CreateDIBSection
 0x4a05a4 CreateCompatibleDC
 0x4a05a8 CreateCompatibleBitmap
 0x4a05ac CreateBrushIndirect
 0x4a05b0 CreateBitmap
 0x4a05b4 CopyEnhMetaFileA
 0x4a05b8 BitBlt
user32.dll
 0x4a05c0 CreateWindowExA
 0x4a05c4 WindowFromPoint
 0x4a05c8 WinHelpA
 0x4a05cc WaitMessage
 0x4a05d0 UpdateWindow
 0x4a05d4 UnregisterClassA
 0x4a05d8 UnhookWindowsHookEx
 0x4a05dc TranslateMessage
 0x4a05e0 TranslateMDISysAccel
 0x4a05e4 TrackPopupMenu
 0x4a05e8 ToAsciiEx
 0x4a05ec SystemParametersInfoA
 0x4a05f0 ShowWindow
 0x4a05f4 ShowScrollBar
 0x4a05f8 ShowOwnedPopups
 0x4a05fc ShowCursor
 0x4a0600 SetWindowsHookExA
 0x4a0604 SetWindowTextA
 0x4a0608 SetWindowPos
 0x4a060c SetWindowPlacement
 0x4a0610 SetWindowLongA
 0x4a0614 SetTimer
 0x4a0618 SetScrollRange
 0x4a061c SetScrollPos
 0x4a0620 SetScrollInfo
 0x4a0624 SetRect
 0x4a0628 SetPropA
 0x4a062c SetParent
 0x4a0630 SetMenuItemInfoA
 0x4a0634 SetMenu
 0x4a0638 SetForegroundWindow
 0x4a063c SetFocus
 0x4a0640 SetCursor
 0x4a0644 SetClassLongA
 0x4a0648 SetCapture
 0x4a064c SetActiveWindow
 0x4a0650 SendMessageA
 0x4a0654 ScrollWindow
 0x4a0658 ScreenToClient
 0x4a065c RemovePropA
 0x4a0660 RemoveMenu
 0x4a0664 ReleaseDC
 0x4a0668 ReleaseCapture
 0x4a066c RegisterWindowMessageA
 0x4a0670 RegisterClipboardFormatA
 0x4a0674 RegisterClassA
 0x4a0678 RedrawWindow
 0x4a067c PtInRect
 0x4a0680 PostQuitMessage
 0x4a0684 PostMessageA
 0x4a0688 PeekMessageA
 0x4a068c OffsetRect
 0x4a0690 OemToCharA
 0x4a0694 MsgWaitForMultipleObjects
 0x4a0698 MessageBoxA
 0x4a069c MapWindowPoints
 0x4a06a0 MapVirtualKeyExA
 0x4a06a4 MapVirtualKeyA
 0x4a06a8 LoadStringA
 0x4a06ac LoadKeyboardLayoutA
 0x4a06b0 LoadIconA
 0x4a06b4 LoadCursorA
 0x4a06b8 LoadBitmapA
 0x4a06bc KillTimer
 0x4a06c0 IsZoomed
 0x4a06c4 IsWindowVisible
 0x4a06c8 IsWindowEnabled
 0x4a06cc IsWindow
 0x4a06d0 IsRectEmpty
 0x4a06d4 IsIconic
 0x4a06d8 IsDialogMessageA
 0x4a06dc IsChild
 0x4a06e0 InvalidateRect
 0x4a06e4 IntersectRect
 0x4a06e8 InsertMenuItemA
 0x4a06ec InsertMenuA
 0x4a06f0 InflateRect
 0x4a06f4 GetWindowThreadProcessId
 0x4a06f8 GetWindowTextLengthA
 0x4a06fc GetWindowTextA
 0x4a0700 GetWindowRect
 0x4a0704 GetWindowPlacement
 0x4a0708 GetWindowLongA
 0x4a070c GetWindowDC
 0x4a0710 GetTopWindow
 0x4a0714 GetSystemMetrics
 0x4a0718 GetSystemMenu
 0x4a071c GetSysColorBrush
 0x4a0720 GetSysColor
 0x4a0724 GetSubMenu
 0x4a0728 GetScrollRange
 0x4a072c GetScrollPos
 0x4a0730 GetScrollInfo
 0x4a0734 GetPropA
 0x4a0738 GetParent
 0x4a073c GetWindow
 0x4a0740 GetMenuStringA
 0x4a0744 GetMenuState
 0x4a0748 GetMenuItemInfoA
 0x4a074c GetMenuItemID
 0x4a0750 GetMenuItemCount
 0x4a0754 GetMenu
 0x4a0758 GetLastActivePopup
 0x4a075c GetKeyboardState
 0x4a0760 GetKeyboardLayoutList
 0x4a0764 GetKeyboardLayout
 0x4a0768 GetKeyState
 0x4a076c GetKeyNameTextA
 0x4a0770 GetIconInfo
 0x4a0774 GetForegroundWindow
 0x4a0778 GetFocus
 0x4a077c GetDesktopWindow
 0x4a0780 GetDCEx
 0x4a0784 GetDC
 0x4a0788 GetCursorPos
 0x4a078c GetCursor
 0x4a0790 GetClipboardData
 0x4a0794 GetClientRect
 0x4a0798 GetClassNameA
 0x4a079c GetClassInfoA
 0x4a07a0 GetCapture
 0x4a07a4 GetActiveWindow
 0x4a07a8 FrameRect
 0x4a07ac FindWindowA
 0x4a07b0 FillRect
 0x4a07b4 EqualRect
 0x4a07b8 EnumWindows
 0x4a07bc EnumThreadWindows
 0x4a07c0 EndPaint
 0x4a07c4 EnableWindow
 0x4a07c8 EnableScrollBar
 0x4a07cc EnableMenuItem
 0x4a07d0 DrawTextA
 0x4a07d4 DrawMenuBar
 0x4a07d8 DrawIconEx
 0x4a07dc DrawIcon
 0x4a07e0 DrawFrameControl
 0x4a07e4 DrawEdge
 0x4a07e8 DispatchMessageA
 0x4a07ec DestroyWindow
 0x4a07f0 DestroyMenu
 0x4a07f4 DestroyIcon
 0x4a07f8 DestroyCursor
 0x4a07fc DeleteMenu
 0x4a0800 DefWindowProcA
 0x4a0804 DefMDIChildProcA
 0x4a0808 DefFrameProcA
 0x4a080c CreatePopupMenu
 0x4a0810 CreateMenu
 0x4a0814 CreateIcon
 0x4a0818 ClientToScreen
 0x4a081c CheckMenuItem
 0x4a0820 CallWindowProcA
 0x4a0824 CallNextHookEx
 0x4a0828 BeginPaint
 0x4a082c CharNextA
 0x4a0830 CharLowerBuffA
 0x4a0834 CharLowerA
 0x4a0838 CharUpperBuffA
 0x4a083c CharToOemA
 0x4a0840 AdjustWindowRectEx
 0x4a0844 ActivateKeyboardLayout
ole32.dll
 0x4a084c CLSIDFromString
kernel32.dll
 0x4a0854 Sleep
oleaut32.dll
 0x4a085c SafeArrayPtrOfIndex
 0x4a0860 SafeArrayGetUBound
 0x4a0864 SafeArrayGetLBound
 0x4a0868 SafeArrayCreate
 0x4a086c VariantChangeType
 0x4a0870 VariantCopyInd
 0x4a0874 VariantCopy
 0x4a0878 VariantClear
 0x4a087c VariantInit
ole32.dll
 0x4a0884 CLSIDFromProgID
 0x4a0888 CoCreateInstance
 0x4a088c CoUninitialize
 0x4a0890 CoInitialize
oleaut32.dll
 0x4a0898 GetErrorInfo
 0x4a089c SysFreeString
comctl32.dll
 0x4a08a4 ImageList_SetIconSize
 0x4a08a8 ImageList_GetIconSize
 0x4a08ac ImageList_Write
 0x4a08b0 ImageList_Read
 0x4a08b4 ImageList_GetDragImage
 0x4a08b8 ImageList_DragShowNolock
 0x4a08bc ImageList_SetDragCursorImage
 0x4a08c0 ImageList_DragMove
 0x4a08c4 ImageList_DragLeave
 0x4a08c8 ImageList_DragEnter
 0x4a08cc ImageList_EndDrag
 0x4a08d0 ImageList_BeginDrag
 0x4a08d4 ImageList_Remove
 0x4a08d8 ImageList_DrawEx
 0x4a08dc ImageList_Draw
 0x4a08e0 ImageList_GetBkColor
 0x4a08e4 ImageList_SetBkColor
 0x4a08e8 ImageList_ReplaceIcon
 0x4a08ec ImageList_Add
 0x4a08f0 ImageList_GetImageCount
 0x4a08f4 ImageList_Destroy
 0x4a08f8 ImageList_Create
shell32.dll
 0x4a0900 ShellExecuteExA
 0x4a0904 ExtractIconExW
wininet.dll
 0x4a090c InternetGetConnectedState
 0x4a0910 InternetReadFile
 0x4a0914 InternetOpenUrlA
 0x4a0918 InternetOpenA
 0x4a091c InternetCloseHandle
shell32.dll
 0x4a0924 SHGetSpecialFolderLocation
 0x4a0928 SHGetPathFromIDListA
 0x4a092c SHGetMalloc
 0x4a0930 SHGetDesktopFolder
advapi32.dll
 0x4a0938 OpenSCManagerA
 0x4a093c CloseServiceHandle
wsock32.dll
 0x4a0944 WSACleanup
 0x4a0948 WSAStartup
 0x4a094c gethostname
 0x4a0950 gethostbyname
 0x4a0954 inet_ntoa
netapi32.dll
 0x4a095c Netbios

EAT (Export Address Table): none
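Several of the signatures above (keyboard hook, autorun, file drop and execute, HTTP download) can be predicted from the import table alone. The script below is an added example rather than the sandbox's own logic: it parses an excerpt of the IAT exactly as it is printed in this report and matches capability clusters against it. The cluster table is an assumption modelled on import-based triage, not a vendor ruleset. Because the report flags a known packer and the table contains LoadLibraryA and GetProcAddress, any API the code resolves at run time will not appear statically, so treat the result as a floor on capabilities, not a complete list.

```python
"""Import-based capability triage over the IAT listing printed in this
report.  Added example, not the sandbox's own code: the capability table
is an assumption modelled on import-based triage tools, not a vendor
ruleset, and IAT_TEXT is an excerpt copied from the listing above."""
import re
from collections import defaultdict

# Excerpt of the report's IAT section, in the format printed above:
# a library name on its own line, then "<thunk address> <function>" lines.
IAT_TEXT = """\
user32.dll
 0x4a05d8 UnhookWindowsHookEx
 0x4a0600 SetWindowsHookExA
 0x4a0824 CallNextHookEx
 0x4a075c GetKeyboardState
 0x4a0768 GetKeyState
advapi32.dll
 0x4a02d8 RegSetValueExA
 0x4a02f0 RegCreateKeyExA
 0x4a02f8 OpenProcessToken
 0x4a02fc LookupPrivilegeValueA
 0x4a0304 AdjustTokenPrivileges
kernel32.dll
 0x4a0324 VirtualAlloc
 0x4a0344 SetFileAttributesA
 0x4a0384 LoadLibraryA
 0x4a03e0 GetProcAddress
 0x4a0428 GetComputerNameA
 0x4a047c CreateProcessA
 0x4a0498 CopyFileA
wininet.dll
 0x4a0910 InternetReadFile
 0x4a0914 InternetOpenUrlA
wsock32.dll
 0x4a0950 gethostbyname
"""

LIB_RE = re.compile(r"^\s*([\w.-]+\.dll)\s*$", re.IGNORECASE)
IMPORT_RE = re.compile(r"^\s*0x[0-9a-f]+\s+(\w+)\s*$", re.IGNORECASE)


def parse_iat(text):
    """Return {library: [function, ...]} from the report's IAT text.
    The report repeats kernel32.dll and advapi32.dll under several import
    descriptors; entries for the same library are merged."""
    imports = defaultdict(list)
    lib = None
    for line in text.splitlines():
        m = LIB_RE.match(line)
        if m:
            lib = m.group(1).lower()
            continue
        m = IMPORT_RE.match(line)
        if m and lib is not None:
            imports[lib].append(m.group(1))
    return dict(imports)


def normalize(name):
    """Fold the ANSI/Unicode suffix so a rule written once matches
    CopyFileA and CopyFileW alike (CallNextHookEx keeps its trailing x)."""
    if len(name) > 2 and name[-1] in "AW" and (name[-2].islower() or name[-2].isdigit()):
        return name[:-1]
    return name


# Every name in a cluster must be present for it to fire; single common
# APIs (VirtualAlloc, CreateProcess) never trigger a cluster on their own.
CAPABILITIES = {
    "keyboard hook (keylogger)": {"SetWindowsHookEx", "CallNextHookEx"},
    "registry write (persistence candidate)": {"RegCreateKeyEx", "RegSetValueEx"},
    "token privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"},
    "HTTP download": {"InternetOpenUrl", "InternetReadFile"},
    "drop and execute": {"CopyFile", "CreateProcess"},
    "host fingerprinting": {"GetComputerName", "gethostbyname"},
    "dynamic API resolution (hidden imports)": {"LoadLibrary", "GetProcAddress"},
}


def capabilities(imports):
    """Map each fired cluster to the (suffix-folded) imports that satisfied it."""
    present = {normalize(fn) for fns in imports.values() for fn in fns}
    return {cap: sorted(req) for cap, req in CAPABILITIES.items() if req <= present}


if __name__ == "__main__":
    for cap, apis in capabilities(parse_iat(IAT_TEXT)).items():
        print(f"{cap:40s} <- {', '.join(apis)}")
```

Requiring every API of a cluster keeps the heuristic from firing on the Delphi runtime's ordinary imports (RegOpenKeyExA and RegQueryValueExA alone read settings; only the create/set pair is a persistence candidate). The "dynamic API resolution" cluster is the one to watch on a packed sample: when it fires, the static table understates what the code can do.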


