popup

Report - bongo.exe

RedLine stealer Emotet Gen1 Amadey RedlineStealer NSIS Generic Malware Malicious Library UPX .NET framework(MSIL) Malicious Packer Admin Tool (Sysinternals etc ...) Antivirus ScreenShot PWS Anti_VM AntiDebug AntiVM PE32 PE File CAB .NET EXE OS Processor
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.01.05 07:58 Machine s1_win7_x6403
Filename bongo.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
26.6
ZERO API file : clean
VT API (file) 38 detected (AIDetectMalware, malicious, high confidence, Crifi, Artemis, MachineLearning, Anomalous, confidence, Attribute, HighConfidence, multiple detections, RisePro, TrojanX, Generic ML PUA, AGEN, Static AI, Malicious SFX, ai score=89, awbz, Detected, Kryptik, Eldorado, Amadey, Redline, score, Probably Heur, ExeHeaderL, YY7xLY9BnhR, susgen, PossibleThreat)
md5 98e589da2cf91986d1e703189919dec1
sha256 137a0704f360303dbaf6efaf66c07d4c74a8fe78b4eef1e67602081c9c2b740f
ssdeep 49152:xhXkxroQ262hhbZo9zce8g3N7D37ghUdmku/wmhbe9ye9+:7XkOQ+fbS9LLZdGYm3e
imphash 646167cce332c1c252cdcb1839e0cf48
impfuzzy 48:mPkNSpUOU4iLzNXMuM9a08vTL5wtV6x9KEl4LTrzUp5aSvd59E5o+RXpNuAC8tGg:ikmUZ4iLBXMuMc08vTLhsNeGmdM
  Network IP location

Signature (57cnts)

Level Description
danger Disables Windows Security features
danger Executed a process and injected code into it
danger File has been identified by 38 AntiVirus engines on VirusTotal as malicious
watch A process attempted to delay the analysis task.
watch Allocates execute permission to another process indicative of possible code injection
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Attempts to identify installed AV products by installation directory
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Looks for the Windows Idle Time to determine the uptime
watch Network activity contains more than one unique useragent
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice An executable file was downloaded by the processes explorhe.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (46cnts)

Level Name Description Collection
danger detect_Redline_Stealer_V2 (no description) binaries (download)
danger RedLine_Stealer_b_Zero RedLine stealer binaries (download)
danger RedLine_Stealer_m_Zero RedLine stealer memory
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
danger Win_Amadey_Zero Amadey bot binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning NSIS_Installer Null Soft Installer binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice ScreenShot Take ScreenShot memory
info anti_dbg Checks if being debugged memory
info CAB_file_format CAB archive file binaries (download)
info CAB_file_format CAB archive file binaries (upload)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info docx Word 2007 file format detection binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info lnk_file_format Microsoft Windows Shortcut File Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info zip_file_format ZIP file format binaries (download)

Network (53cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://77.91.68.21/lend/YT.exe
whois
RU Foton Telecom CJSC 77.91.68.21 clean
http://77.91.68.21/lend/MRK.exe
whois
RU Foton Telecom CJSC 77.91.68.21 clean
http://77.91.68.21/lend/golden.exe
whois
RU Foton Telecom CJSC 77.91.68.21 clean
http://77.91.68.21/lend/macheri.exe
whois
RU Foton Telecom CJSC 77.91.68.21 clean
http://77.91.68.21/lend/flesh.exe
whois
RU Foton Telecom CJSC 77.91.68.21 clean
http://77.91.68.21/lend/bakhtiar.exe
whois
RU Foton Telecom CJSC 77.91.68.21 clean
http://185.215.113.68/theme/Plugins/cred64.dll
whois
Unknown 185.215.113.68 clean
http://77.91.68.21/mine/nocry.exe
whois
RU Foton Telecom CJSC 77.91.68.21 clean
http://api.ipify.org/?format=ewf
whois
US WEBNX 104.237.62.212 clean
http://185.172.128.53/syncUpd.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.53 malware
http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=seven&s=ab
whois
Unknown 91.92.254.7 38706 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.27 clean
http://5.42.66.0/newrock.exe
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.0 clean
http://185.215.113.68/theme/Plugins/clip64.dll
whois
Unknown 185.215.113.68 clean
http://77.91.68.21/lend/pixelguy.exe
whois
RU Foton Telecom CJSC 77.91.68.21 clean
http://185.215.113.68/theme/index.php
whois
Unknown 185.215.113.68 clean
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
whois
US GOOGLE 216.58.203.78 clean
https://fonts.gstatic.com/s/youtubesans/v23/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
whois
US GOOGLE 172.217.24.227 clean
https://www.youtube.com/favicon.ico
whois
US GOOGLE 216.58.203.78 clean
https://ipinfo.io/widget/demo/175.208.134.152
whois
US GOOGLE 34.117.186.192 clean
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
whois
US GOOGLE 216.58.203.78 clean
https://www.youtube.com/
whois
US GOOGLE 216.58.203.78 clean
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
whois
US GOOGLE 216.58.203.78 clean
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
whois
US GOOGLE 172.217.24.227 clean
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
whois
US GOOGLE 216.58.203.78 clean
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
whois
US GOOGLE 216.58.203.78 clean
https://fonts.googleapis.com/css?family=YouTube+Sans:500
whois
US GOOGLE 216.58.220.138 clean
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
whois
US GOOGLE 216.58.203.78 clean
https://www.youtube.com/img/desktop/supported_browsers/opera.png
whois
US GOOGLE 216.58.203.78 clean
https://fonts.googleapis.com/css?family=Roboto:400,500
whois
US GOOGLE 216.58.220.138 clean
www.youtube.com
whois
US GOOGLE 172.217.175.14 mailcious
fonts.googleapis.com
whois
US GOOGLE 172.217.25.170 clean
api.ipify.org
whois
US WEBNX 173.231.16.77 clean
ipinfo.io
whois
US GOOGLE 34.117.186.192 clean
iplogger.com
whois
US CLOUDFLARENET 104.21.76.57 mailcious
fonts.gstatic.com
whois
US GOOGLE 172.217.25.163 clean
20.79.30.95
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.79.30.95 clean
173.231.16.77
whois
US WEBNX 173.231.16.77 clean
195.20.16.103
whois
FI Eitadat Oy 195.20.16.103 clean
185.215.113.68
whois
Unknown 185.215.113.68 clean
193.233.132.62
whois
RU JSC Redcom-lnternet 193.233.132.62 clean
104.21.76.57
whois
US CLOUDFLARENET 104.21.76.57 clean
5.42.66.0
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.0 malware
216.58.220.138
whois
US GOOGLE 216.58.220.138 mailcious
5.42.65.31
whois
RU CJSC Kolomna-Sviaz TV 5.42.65.31 clean
216.58.203.78
whois
US GOOGLE 216.58.203.78 clean
77.91.68.21
whois
RU Foton Telecom CJSC 77.91.68.21 malware
23.32.56.80
whois
US AKAMAI-AS 23.32.56.80 clean
185.172.128.53
whois
RU OOO Nadym Svyaz Service 185.172.128.53 malware
91.92.254.7
whois
Unknown 91.92.254.7 mailcious
172.217.24.227
whois
US GOOGLE 172.217.24.227 clean
121.254.136.9
whois
KR LG DACOM Corporation 121.254.136.9 clean
34.117.186.192
whois
US GOOGLE 34.117.186.192 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host DLL Request
ET MALWARE Redline Stealer Family Activity (Response)
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET INFO Packed Executable Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY External IP Lookup (ipify .org)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x40a000 GetTokenInformation
 0x40a004 RegDeleteValueA
 0x40a008 RegOpenKeyExA
 0x40a00c RegQueryInfoKeyA
 0x40a010 FreeSid
 0x40a014 OpenProcessToken
 0x40a018 RegSetValueExA
 0x40a01c RegCreateKeyExA
 0x40a020 LookupPrivilegeValueA
 0x40a024 AllocateAndInitializeSid
 0x40a028 RegQueryValueExA
 0x40a02c EqualSid
 0x40a030 RegCloseKey
 0x40a034 AdjustTokenPrivileges
KERNEL32.dll
 0x40a060 _lopen
 0x40a064 _llseek
 0x40a068 CompareStringA
 0x40a06c GetLastError
 0x40a070 GetFileAttributesA
 0x40a074 GetSystemDirectoryA
 0x40a078 LoadLibraryA
 0x40a07c DeleteFileA
 0x40a080 GlobalAlloc
 0x40a084 GlobalFree
 0x40a088 CloseHandle
 0x40a08c WritePrivateProfileStringA
 0x40a090 IsDBCSLeadByte
 0x40a094 GetWindowsDirectoryA
 0x40a098 SetFileAttributesA
 0x40a09c GetProcAddress
 0x40a0a0 GlobalLock
 0x40a0a4 LocalFree
 0x40a0a8 RemoveDirectoryA
 0x40a0ac FreeLibrary
 0x40a0b0 _lclose
 0x40a0b4 CreateDirectoryA
 0x40a0b8 GetPrivateProfileIntA
 0x40a0bc GetPrivateProfileStringA
 0x40a0c0 GlobalUnlock
 0x40a0c4 ReadFile
 0x40a0c8 SizeofResource
 0x40a0cc WriteFile
 0x40a0d0 GetDriveTypeA
 0x40a0d4 lstrcmpA
 0x40a0d8 SetFileTime
 0x40a0dc SetFilePointer
 0x40a0e0 FindResourceA
 0x40a0e4 CreateMutexA
 0x40a0e8 GetVolumeInformationA
 0x40a0ec ExpandEnvironmentStringsA
 0x40a0f0 GetCurrentDirectoryA
 0x40a0f4 FreeResource
 0x40a0f8 GetVersion
 0x40a0fc SetCurrentDirectoryA
 0x40a100 GetTempPathA
 0x40a104 LocalFileTimeToFileTime
 0x40a108 CreateFileA
 0x40a10c SetEvent
 0x40a110 TerminateThread
 0x40a114 GetVersionExA
 0x40a118 LockResource
 0x40a11c GetSystemInfo
 0x40a120 CreateThread
 0x40a124 ResetEvent
 0x40a128 LoadResource
 0x40a12c ExitProcess
 0x40a130 GetModuleHandleW
 0x40a134 CreateProcessA
 0x40a138 FormatMessageA
 0x40a13c GetTempFileNameA
 0x40a140 DosDateTimeToFileTime
 0x40a144 CreateEventA
 0x40a148 GetExitCodeProcess
 0x40a14c FindNextFileA
 0x40a150 LocalAlloc
 0x40a154 GetShortPathNameA
 0x40a158 MulDiv
 0x40a15c GetDiskFreeSpaceA
 0x40a160 EnumResourceLanguagesA
 0x40a164 GetTickCount
 0x40a168 GetSystemTimeAsFileTime
 0x40a16c GetCurrentThreadId
 0x40a170 GetCurrentProcessId
 0x40a174 QueryPerformanceCounter
 0x40a178 TerminateProcess
 0x40a17c SetUnhandledExceptionFilter
 0x40a180 UnhandledExceptionFilter
 0x40a184 GetStartupInfoW
 0x40a188 Sleep
 0x40a18c FindClose
 0x40a190 GetCurrentProcess
 0x40a194 FindFirstFileA
 0x40a198 WaitForSingleObject
 0x40a19c GetModuleFileNameA
 0x40a1a0 LoadLibraryExA
GDI32.dll
 0x40a058 GetDeviceCaps
USER32.dll
 0x40a1a8 SetWindowLongA
 0x40a1ac GetDlgItemTextA
 0x40a1b0 DialogBoxIndirectParamA
 0x40a1b4 ShowWindow
 0x40a1b8 MsgWaitForMultipleObjects
 0x40a1bc SetWindowPos
 0x40a1c0 GetDC
 0x40a1c4 GetWindowRect
 0x40a1c8 DispatchMessageA
 0x40a1cc GetDesktopWindow
 0x40a1d0 CharUpperA
 0x40a1d4 SetDlgItemTextA
 0x40a1d8 ExitWindowsEx
 0x40a1dc MessageBeep
 0x40a1e0 EndDialog
 0x40a1e4 CharPrevA
 0x40a1e8 LoadStringA
 0x40a1ec CharNextA
 0x40a1f0 EnableWindow
 0x40a1f4 ReleaseDC
 0x40a1f8 SetForegroundWindow
 0x40a1fc PeekMessageA
 0x40a200 GetDlgItem
 0x40a204 SendMessageA
 0x40a208 SendDlgItemMessageA
 0x40a20c MessageBoxA
 0x40a210 SetWindowTextA
 0x40a214 GetWindowLongA
 0x40a218 CallWindowProcA
 0x40a21c GetSystemMetrics
msvcrt.dll
 0x40a234 _controlfp
 0x40a238 ?terminate@@YAXXZ
 0x40a23c _acmdln
 0x40a240 _initterm
 0x40a244 __setusermatherr
 0x40a248 _except_handler4_common
 0x40a24c memcpy
 0x40a250 _ismbblead
 0x40a254 __p__fmode
 0x40a258 _cexit
 0x40a25c _exit
 0x40a260 exit
 0x40a264 __set_app_type
 0x40a268 __getmainargs
 0x40a26c _amsg_exit
 0x40a270 __p__commode
 0x40a274 _XcptFilter
 0x40a278 memcpy_s
 0x40a27c _vsnprintf
 0x40a280 memset
COMCTL32.dll
 0x40a03c None
Cabinet.dll
 0x40a044 None
 0x40a048 None
 0x40a04c None
 0x40a050 None
VERSION.dll
 0x40a224 GetFileVersionInfoA
 0x40a228 VerQueryValueA
 0x40a22c GetFileVersionInfoSizeA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure