popup

Report - file.rar

Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.12.21 17:09 Machine s1_win7_x6402
Filename file.rar
Type RAR archive data, v5
AI Score Not founds Behavior Score
5.2
ZERO API file : malware
VT API (file)
md5 6b0f8a62bc4fec439739c021445942f5
sha256 01a52e52f4121ccff2f90486fbe3413255a3ab269395b01aab69f7bb7892546f
ssdeep 98304:3FdKez0Uu+LhiOO/611tIIiQ9/OwdRjHrR6QjbNLLXl1gdUAFHZ0oTJzW36vV:l5/Lhiz6XawJpVfgd3j46vV
imphash
impfuzzy
  Network IP location

Signature (12cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (117cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://5.42.64.41/40d570f44e84a454.php
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 38591 mailcious
http://45.15.156.229/api/bing_release.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 clean
http://194.33.191.102/autorun.exe
whois
RO Aqua Jump Srl 194.33.191.102 malware
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=XvW4AHeGTk9BJBAfrMTJoSzL.exe&platform=0009&osver=5&isServer=0
whois
US AKAMAI-AS 59.151.136.96 clean
http://77.105.147.130/api/bing_release.php
whois
RU Plus Telecom LLC 77.105.147.130 clean
http://45.15.156.229/api/flash.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 clean
http://109.107.182.3/hugo/rest.exe
whois
RU Teleport-TV Ltd 109.107.182.3 clean
http://195.20.16.45/api/tracemap.php
whois
FI Eitadat Oy 195.20.16.45 38695 mailcious
http://185.172.128.19/latestbuild.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.19 clean
http://zen.topteamlife.com/order/adobe.exe
whois
US CLOUDFLARENET 172.67.138.35 38815 malware
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US CCCH-3 23.43.165.66 clean
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
whois
AL Albanian Satellite Communications sh.p.k. 95.107.163.44 27911 mailcious
http://5.42.64.35/timeSync.exe
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.35 38593 malware
http://77.105.147.130/api/flash.php
whois
RU Plus Telecom LLC 77.105.147.130 clean
https://vk.com/doc418490229_669821688?hash=we6BBhNerpmPCN87ImRmGXGmmNbiwaqIUE7eoga2Rxz&dl=LWFkeguGbB1zYgia1ntLjueUZO6Xo4LDzp1kwruth9L&api=1&no_preview=1#xin
whois
RU VKontakte Ltd 87.240.132.72 clean
https://www.youtube.com/favicon.ico
whois
US GOOGLE 142.250.204.142 clean
https://vk.com/doc418490229_669837378?hash=MnOFxJ6eziq0VhVwK1AJSav5Kza1nVE2q1ZBBZcGWRL&dl=9KbYwSMouDRxKm0lIB9Xdq82AMZkYdJZEamMlGg5LMk&api=1&no_preview=1#rise
whois
RU VKontakte Ltd 87.240.132.72 clean
https://sun6-20.userapi.com/c909518/u418490229/docs/d22/f9bc9c314f2c/tmvwr.bmp?extra=sd0_DwktE5ym3xM-aWd3PZcQQNFY6bp3WQ5VsGllmzEMFAtmw-OyqM1eVt928NFsxWs8QHb0HsGHash_oEI6n1gh9vXdV5kFD25RzEbF90zM7p_djCfq8EJQwnCi2W-JCJQnyO9B9LG4J3GX6Q
whois
RU VKontakte Ltd 95.142.206.0 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 172.67.75.166 clean
https://ipinfo.io/widget/demo/175.208.134.152
whois
US GOOGLE 34.117.186.192 clean
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
whois
US GOOGLE 142.250.204.142 clean
https://vk.com/doc418490229_669809323?hash=kP50PMPFZEp4LI0jKiDZoizq5f0DkvKaUhxGOocg9Dc&dl=ef8AbWt2wxR8jCnafScstynLK9c6NAExi1czT8Aj7RP&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://sun6-22.userapi.com/c909618/u418490229/docs/d43/4b059ba24311/jhiu.bmp?extra=l0kdKyMk_DE9orYnqcSfbjthykugKl64jxq49hWPbhbXCcBf17Opbad2ORHF8yf8kRcMyLmMAybNcazH2et0SNJTgFMvZStMaLIbhHdbSId_FkJfmDNSVrAo-6Kc03ssHd6raxj3iG2283Flmg
whois
RU VKontakte Ltd 95.142.206.2 clean
https://iplis.ru/1cC8u7.mp3
whois
US CLOUDFLARENET 172.67.147.32 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://sun6-21.userapi.com/c909218/u418490229/docs/d10/086e039362d4/PL_p.bmp?extra=8F7qp6YQkCH8wV9nhVMbtZ1UkuuPcor_TcnOSrWG7itioGOoY6UpVTsjlY1C5ovb0TjNeuPFvln5OAEgHQIcB_9HA0EVPtSQVuaz_uQw3lZoDp8_oj9TWMoGkawFPDu_w_CVdmKaxp-_bS1jNA
whois
RU VKontakte Ltd 95.142.206.1 clean
https://fonts.googleapis.com/css?family=Roboto:400,500
whois
US GOOGLE 142.250.204.138 clean
https://sun6-23.userapi.com/c909328/u418490229/docs/d37/be767eccf01d/file191223.bmp?extra=8RxI2JAEk2k-tJfACQF-UAFNz5Ph76gpPikca1Ji9eC1di9N5P2da5-yC6h9er6-4brijf2n62vHQGnXQhxdtuJjS74PHA77wi2uQuN6d9lvY8lqxtaYsbdzd0Z2rYvaf2_icqKb3Hg2vVXsAA
whois
RU VKontakte Ltd 95.142.206.3 clean
https://DCFSDFDS2FDHFGJ.SBS/setup294.exe
whois
US CLOUDFLARENET 172.67.222.173 clean
https://vk.com/doc418490229_669810929?hash=moVJunUKZjhyRMc0xySkXZHSaBAL88Cc1tupiMvEEwT&dl=b94zGjzpuQj7BaXz8O1vo6cCAGPlVcVsAKcnHpZ2xlP&api=1&no_preview=1#1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://sun6-21.userapi.com/c909628/u418490229/docs/d52/f159185b6992/BotClients.bmp?extra=slFJ7cnAm4zJ31a8gA__JV7O6Upb3oLdzWCe_2xEmcxJ-iI-vPMhq7NnhDvLjuBsukj5w8rFgXcq3blNonFLqp_PbuM_tRhTHH7rkMm_ZTCxE4XHG6L6mcES_3a2bym1Cd_D5PjIOHzO9wRCnA
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc418490229_669807321?hash=VxBEaHVIT9bEVMzjUs6ZDaUDkTBi1A9bgCEvJPTLeKs&dl=ccjZxaprGX6O639lCOjRrkV8Wz9PFe6NB5IDGXdR71o&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 clean
https://vk.com/doc418490229_669653354?hash=l8DHCu4lEp9Sb8CTCk5eithtVIhhbBkli1pjUtPjJNP&dl=7vSjZ36UYD1hlgYVc9MzZLLGmShUHLSQatIOzo7OZBg&api=1&no_preview=1#logger_statistics
whois
RU VKontakte Ltd 87.240.132.72 clean
https://www.youtube.com/
whois
US GOOGLE 142.250.204.142 clean
https://vk.com/doc418490229_669783554?hash=BH6rDsCdPWk2J9y1TmstXOZKSIMojhaG8Fw9a8GF3Ps&dl=gYknZQrp3U8V5VDWqeRDZZgAOIRQPc5uWYpO07u16QT&api=1&no_preview=1#test22
whois
RU VKontakte Ltd 87.240.132.72 clean
https://vk.com/doc418490229_669674726?hash=zO6JQAo6iYaXqKxkZ7OtAgZUB0nnLHef5V5H7iZ0Erg&dl=V9sXR6aIOgK4znoIV3QEJiCPc0YxrQNplxazvg1DdAs&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://psv4.userapi.com/c237031/u418490229/docs/d30/a2f18a7159cd/Sp.bmp?extra=8t27aDbP5wFBo5a9WsZ_kZ9kOVIEvgcSoR-WyoDH3eR_35CbiWZxGMvLR7K0fHTHPfVpDxBlvQzJxA4aHNSnlH4K-qnSVn4EF_Si-AlL60A3sA0eBI9gwZZPhtvDYp-tVEsJM6NhsfEJQQ0iiQ
whois
RU VKontakte Ltd 87.240.137.134 clean
https://sun6-21.userapi.com/c909618/u418490229/docs/d7/3c13fccecb0d/xincz.bmp?extra=ZSt5xRYqy92_IEekhgFvB1qr9i_FtOiNT51g2xpchVZfODaKJSE90n8UupLNci2RG6gzFjeSyxq0Oqb_34_93iJFW1PdnjomJAvx6CNDXguTjcnMryul_TTRv5tXoPVSIcjoOAUrYTtDfWP7TQ
whois
RU VKontakte Ltd 95.142.206.1 clean
https://fonts.googleapis.com/css?family=YouTube+Sans:500
whois
US GOOGLE 142.250.204.138 clean
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
whois
US GOOGLE 142.250.204.142 clean
https://vk.com/doc418490229_669753909?hash=WT7APgrulCXZFZTSEvdEhpp2wKrYTIZVouZnBZXB72g&dl=7ei7VkBuvhBOPmO5RJDS1eEOZh0NZgZcXNvjBcCFfJ8&api=1&no_preview=1#ww11
whois
RU VKontakte Ltd 87.240.132.72 clean
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
whois
US GOOGLE 142.250.204.142 clean
https://sun6-22.userapi.com/c240331/u418490229/docs/d4/5ba0427424be/WWW11_32.bmp?extra=N-N_wqY1NIwAlVfIR5pYrBcNGu-kwYAzemwNThjJIh_6xOECNLWLQmT5UTWCxQU3irEk4s0tDzSjPFWZEKQav7b9lotmLgJlMtxtS7uhKfr1gWyicC9O0Ot1dTTMTC-uuTl_XLb7ef48c4KGew
whois
RU VKontakte Ltd 95.142.206.2 clean
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
whois
US GOOGLE 142.250.204.142 clean
https://sun6-21.userapi.com/c237031/u418490229/docs/d18/6b546154631b/sdfhj8s.bmp?extra=C_vJLuNWCRIppkkIF6WUoUokqmaeSJqMBjrt4zjg9VnJyJhAvki5z7wZk_JX5JGRJKeGSeM8y6i0C_GOFaYmVyRvRed1FQFM0q1Kou5v6rtOgAt69h0BIEgojXsd2TuTOShLu8kzbNqW-2g7rw
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc418490229_669637079?hash=VdguLglaUQxQEWy7OPzp09fMiy3JG1498Od7lJ6mEhw&dl=Z0vdo01g0fZfW08T5s4JBiEH2UzpBHOBxg4Yxkx8vU4&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://api.2ip.ua/geo.json
whois
US CLOUDFLARENET 172.67.139.220 clean
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
whois
US GOOGLE 142.251.220.99 clean
https://sun6-23.userapi.com/c237231/u418490229/docs/d12/ececed6be1fb/LG.bmp?extra=pLNgfOmTCOoCaYarwpdyTYgqNb4VBMyPeCK1ctoGNIrUiMRz2sgnoXwnnCBPcRPNVWfRTkA0kvj3KpSooKOvyYdyemYk3kUC3gIdzVA1LdoEQVTtDW9ybLvdgW8VLXHZ3cEBSJgo8-VWwXgr8A
whois
RU VKontakte Ltd 95.142.206.3 clean
https://fonts.gstatic.com/s/youtubesans/v23/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
whois
US GOOGLE 142.251.220.99 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
whois
US GOOGLE 142.250.204.142 clean
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
whois
US GOOGLE 142.251.220.99 clean
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
whois
US GOOGLE 142.250.204.142 clean
https://www.youtube.com/img/desktop/supported_browsers/opera.png
whois
US GOOGLE 142.250.204.142 clean
fonts.googleapis.com
whois
US GOOGLE 172.217.26.234 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
ipinfo.io
whois
US GOOGLE 34.117.186.192 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 mailcious
medfioytrkdkcodlskeej.net
whois
RU Petersburg Internet Network ltd. 91.215.85.209 malware
psv4.userapi.com
whois
RU VKontakte Ltd 87.240.137.134 clean
learn.microsoft.com
whois
US Akamai International B.V. 104.76.76.50 clean
api.2ip.ua
whois
US CLOUDFLARENET 172.67.139.220 clean
iplogger.org
whois
US CLOUDFLARENET 172.67.132.113 mailcious
cdn.discordapp.com
whois
Unknown 162.159.134.233 malware
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
zen.topteamlife.com
whois
US CLOUDFLARENET 172.67.138.35 malware
www.youtube.com
whois
US GOOGLE 142.250.207.46 mailcious
bitbucket.org
whois
US ATLASSIAN PTY LTD 104.192.141.1 malware
fonts.gstatic.com
whois
US GOOGLE 172.217.25.163 clean
zexeq.com
whois
KR SK Broadband Co Ltd 175.120.254.9 malware
www.linkedin.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.14 clean
api.myip.com
whois
US CLOUDFLARENET 172.67.75.163 clean
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 mailcious
vk.com
whois
RU VKontakte Ltd 87.240.132.67 mailcious
dcfsdfds2fdhfgj.sbs
whois
US CLOUDFLARENET 104.21.25.43 clean
iplis.ru
whois
US CLOUDFLARENET 104.21.63.150 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
5.42.64.35
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.35 malware
162.159.133.233
whois
Unknown 162.159.133.233 malware
13.107.42.14
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.14 phishing
195.20.16.188
whois
FI Eitadat Oy 195.20.16.188 clean
172.67.138.35
whois
US CLOUDFLARENET 172.67.138.35 malware
104.21.4.208
whois
US CLOUDFLARENET 104.21.4.208 clean
142.250.204.142
whois
US GOOGLE 142.250.204.142 clean
142.251.220.99
whois
US GOOGLE 142.251.220.99 clean
172.67.75.163
whois
US CLOUDFLARENET 172.67.75.163 clean
34.117.186.192
whois
US GOOGLE 34.117.186.192 clean
185.172.128.19
whois
RU OOO Nadym Svyaz Service 185.172.128.19 mailcious
91.215.85.209
whois
RU Petersburg Internet Network ltd. 91.215.85.209 mailcious
189.232.1.60
whois
MX Uninet S.A. de C.V. 189.232.1.60 clean
91.92.249.253
whois
BG Natskovi & Sie Ltd. 91.92.249.253 mailcious
5.42.64.41
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.41 mailcious
194.33.191.60
whois
RO Aqua Jump Srl 194.33.191.60 mailcious
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
104.76.76.50
whois
US Akamai International B.V. 104.76.76.50 clean
172.67.222.173
whois
US CLOUDFLARENET 172.67.222.173 clean
172.67.147.32
whois
US CLOUDFLARENET 172.67.147.32 clean
193.233.132.67
whois
RU JSC Redcom-lnternet 193.233.132.67 clean
61.111.58.34
whois
KR LG DACOM Corporation 61.111.58.34 malware
87.240.137.134
whois
RU VKontakte Ltd 87.240.137.134 clean
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
194.33.191.102
whois
RO Aqua Jump Srl 194.33.191.102 malware
104.192.141.1
whois
US ATLASSIAN PTY LTD 104.192.141.1 mailcious
195.20.16.45
whois
FI Eitadat Oy 195.20.16.45 mailcious
77.105.147.130
whois
RU Plus Telecom LLC 77.105.147.130 clean
142.250.204.138
whois
US GOOGLE 142.250.204.138 clean
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
193.42.33.14
whois
Unknown 193.42.33.14 malware
87.240.137.164
whois
RU VKontakte Ltd 87.240.137.164 mailcious
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 mailcious
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 mailcious
172.67.139.220
whois
US CLOUDFLARENET 172.67.139.220 clean
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
87.240.132.72
whois
RU VKontakte Ltd 87.240.132.72 mailcious
109.107.182.3
whois
RU Teleport-TV Ltd 109.107.182.3 mailcious

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Executable Download from dotted-quad Host
ET HUNTING Rejetto HTTP File Sever Response
ET INFO Packed Executable Download
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE Redline Stealer Family Activity (Response)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)

Similarity measure (PE file only) - Checking for service failure