popup

Report - release_ver9.rar

Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.12.11 14:24 Machine s1_win7_x6402
Filename release_ver9.rar
Type RAR archive data, v5
AI Score Not founds Behavior Score
5.6
ZERO API file : clean
VT API (file)
md5 a64249c49fd7686653154060beaa68dc
sha256 c3c3259c0632e2ad6260d505378b9d23a995df2260f5a48f6fbd572ca3c9be58
ssdeep 196608:nQEim0Uq0gdPyIAjsvIuxwypgiICFY9R1voPuJlNTdIxuEHeHxCH:nLim0Uq/YjxO9qFAY93cuJl3IxJHeHxI
imphash
impfuzzy
  Network IP location

Signature (13cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (47cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://never.hitsturbo.com/order/tuc6.exe
whois
US CLOUDFLARENET 104.21.46.59 malware
http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 clean
http://5.42.64.41/40d570f44e84a454.php
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 38591 mailcious
http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 clean
http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 clean
http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 clean
http://109.107.182.3/moda/good.exe
whois
RU Teleport-TV Ltd 109.107.182.3 mailcious
http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 clean
http://195.20.16.45/api/tracemap.php
whois
FI Eitadat Oy 195.20.16.45 clean
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.17 clean
http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 clean
http://5.42.64.35/timeSync.exe
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.35 38593 malware
http://193.233.132.34/autorun.exe
whois
RU JSC Redcom-lnternet 193.233.132.34 mailcious
http://195.20.16.45/api/firegate.php
whois
FI Eitadat Oy 195.20.16.45 clean
http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 clean
https://IOIOUOIUOUOUIYJGROUP.SBS/setup294.exe
whois
US CLOUDFLARENET 104.21.37.196 malware
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.5.15 clean
https://api.myip.com/
whois
US CLOUDFLARENET 104.26.9.59 clean
https://iplis.ru/1Gemv7.mp3
whois
US CLOUDFLARENET 104.21.63.150 clean
medfioytrkdkcodlskeej.net
whois
RU Petersburg Internet Network ltd. 91.215.85.209 malware
db-ip.com
whois
US CLOUDFLARENET 172.67.75.166 clean
iplis.ru
whois
US CLOUDFLARENET 104.21.63.150 mailcious
ioiouoiuououiyjgroup.sbs
whois
US CLOUDFLARENET 172.67.212.175 malware
iplogger.org
whois
US CLOUDFLARENET 172.67.132.113 mailcious
never.hitsturbo.com
whois
US CLOUDFLARENET 172.67.168.30 malware
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
vk.com
whois
RU VKontakte Ltd 87.240.132.72 mailcious
api.myip.com
whois
US CLOUDFLARENET 104.26.8.59 clean
194.49.94.97
whois
Unknown 194.49.94.97 malware
5.42.64.41
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 mailcious
5.42.64.35
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.35 malware
104.26.9.59
whois
US CLOUDFLARENET 104.26.9.59 clean
104.21.63.150
whois
US CLOUDFLARENET 104.21.63.150 clean
193.233.132.34
whois
RU JSC Redcom-lnternet 193.233.132.34 mailcious
185.216.70.235
whois
Unknown 185.216.70.235 clean
23.43.165.105
whois
US CCCH-3 23.43.165.105 clean
104.21.37.196
whois
US CLOUDFLARENET 104.21.37.196 clean
193.233.132.51
whois
RU JSC Redcom-lnternet 193.233.132.51 mailcious
87.240.132.67
whois
RU VKontakte Ltd 87.240.132.67 mailcious
91.215.85.209
whois
RU Petersburg Internet Network ltd. 91.215.85.209 mailcious
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
104.21.46.59
whois
US CLOUDFLARENET 104.21.46.59 malware
195.20.16.45
whois
FI Eitadat Oy 195.20.16.45 clean
172.67.132.113
whois
US CLOUDFLARENET 172.67.132.113 clean
109.107.182.3
whois
RU Teleport-TV Ltd 109.107.182.3 mailcious
87.240.132.72
whois
RU VKontakte Ltd 87.240.132.72 mailcious

Suricata ids

SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO EXE - Served Attached HTTP
ET HUNTING Rejetto HTTP File Sever Response
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity

Similarity measure (PE file only) - Checking for service failure