popup

Report - rost.exe

RedLine stealer Amadey RedLine Infostealer RedlineStealer UltraVNC Generic Malware NSIS Hide_EXE Malicious Packer Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) .NET framework(MSIL) ScreenShot PWS Anti_VM AntiDebug AntiVM PE
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.01.26 09:11 Machine s1_win7_x6403
Filename rost.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
 Behavior Score
32.2
ZERO API file : malware
VT API (file) 38 detected (AIDetectMalware, Malicious, score, Zusy, unsafe, Save, Attribute, HighConfidence, high confidence, Enigma, Blacked, Scar, RisePro, Detected, ai score=87, HeurC, KVMH008, Sabsik, AA1G04, Eldorado, R632639, ZexaF, jHW@aKG4ybfk, BScope, Bitrep, Genetic, Probably Heur, ExeHeaderL, Static AI, Malicious PE)
md5 2f9214f932a930a4cdff2b48a3a8eded
sha256 f969980852d4ccaf32b5700f4aa0934c853b1afa18c0a7f329e841d62cb35f46
ssdeep 24576:vpqzJdQmBHqhszkXEoiDYq4dXwQaN2K3yWds0JkKyV/aDdhCm2Ft:RqzHRUEoEYq4lXadsL4sF
imphash 5ab723dc8d5af21b79dc301ed6a56a64
impfuzzy 12:c2cDvZGqA9AwDXRgKQcOx/0yNCPsKAJSn:clDRdWAwDOdxCTn
  Network IP location

Signature (65cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Disables Windows Security features
danger Executed a process and injected code into it
danger File has been identified by 38 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Checks the CPU name from registry
watch Checks the version of Bios
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Connects to an IRC server
watch Creates a slightly modified copy of itself
watch Deletes a large number of files from the system indicative of ransomware
watch Deletes executed files from disk
watch Detects VirtualBox through the presence of a file
watch Drops 157 unknown file mime types indicative of ransomware writing encrypted files back to disk
watch Executes one or more WMI queries
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Looks for the Windows Idle Time to determine the uptime
watch Network activity contains more than one unique useragent
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the processes rost.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (46cnts)

Level Name Description Collection
danger detect_Redline_Stealer_V2 (no description) binaries (download)
danger MALWARE_Win_VT_RedLine Detects RedLine infostealer binaries (download)
danger RedLine_Stealer_b_Zero RedLine stealer binaries (download)
danger RedLine_Stealer_m_Zero RedLine stealer memory
danger Win_Amadey_Zero Amadey bot binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning hide_executable_file Hide executable file binaries (download)
warning NSIS_Installer Null Soft Installer binaries (download)
warning UltraVNC_Zero UltraVNC binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (upload)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice ScreenShot Take ScreenShot memory
info anti_dbg Checks if being debugged memory
info bmp_file_format bmp file format binaries (download)
info CAB_file_format CAB archive file binaries (download)
info chm_file_format chm file format binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info docx Word 2007 file format detection binaries (download)
info icon_file_format icon file format binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info zip_file_format ZIP file format binaries (download)

Network (53cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://109.107.182.3/lego/sadsadsadsa.exe
whois
RU Teleport-TV Ltd 109.107.182.3 malware
http://109.107.182.3/cost/niks.exe
whois
RU Teleport-TV Ltd 109.107.182.3 clean
http://109.107.182.3/lego/MRK.exe
whois
RU Teleport-TV Ltd 109.107.182.3 clean
http://109.107.182.3/lego/alex.exe
whois
RU Teleport-TV Ltd 109.107.182.3 39110 malware
http://109.107.182.3/lego/moto.exe
whois
RU Teleport-TV Ltd 109.107.182.3 39111 malware
http://109.107.182.3/lego/fsdfsfsfs.exe
whois
RU Teleport-TV Ltd 109.107.182.3 malware
http://109.107.182.3/lego/rdx1122.exe
whois
RU Teleport-TV Ltd 109.107.182.3 39118 malware
http://185.215.113.68/theme/Plugins/cred64.dll
whois
Unknown 185.215.113.68 38948 malware
http://109.107.182.3/lego/Atqumy.exe
whois
RU Teleport-TV Ltd 109.107.182.3 mailcious
http://109.107.182.3/cost/networa.exe
whois
RU Teleport-TV Ltd 109.107.182.3 clean
http://185.215.113.68/mine/stan.exe
whois
Unknown 185.215.113.68 39114 malware
http://109.107.182.3/lego/installs.exe
whois
RU Teleport-TV Ltd 109.107.182.3 clean
http://109.107.182.3/lego/crypted.exe
whois
RU Teleport-TV Ltd 109.107.182.3 39115 malware
http://109.107.182.3/cost/ko.exe
whois
RU Teleport-TV Ltd 109.107.182.3 clean
http://185.215.113.68/mine/amers.exe
whois
Unknown 185.215.113.68 clean
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
whois
RU OOO Nadym Svyaz Service 185.172.128.90 38981 mailcious
http://109.107.182.3/cost/vinu.exe
whois
RU Teleport-TV Ltd 109.107.182.3 clean
http://185.215.113.68/theme/Plugins/clip64.dll
whois
Unknown 185.215.113.68 38951 malware
http://185.172.128.109/syncUpd.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.109 39052 malware
http://185.172.128.19/latestrocki.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.19 39054 malware
http://109.107.182.3/lego/2024.exe
whois
RU Teleport-TV Ltd 109.107.182.3 39120 malware
http://185.215.113.68/theme/index.php
whois
Unknown 185.215.113.68 38935 mailcious
https://www.google.com/favicon.ico
whois
US GOOGLE 142.250.66.36 clean
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
whois
US GOOGLE 142.251.170.84 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.4.15 clean
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp1cKQEpRqzJgd1mJyXaQDg8g6EPaDZyF3Iq1LCz13B1O_GRb-DpHv1Q3bMHBt1iGhMePExXmg&passive=1209600&flowName=WebLi
whois
US GOOGLE 142.251.170.84 clean
https://accounts.google.com/_/bscframe
whois
US GOOGLE 142.251.170.84 clean
https://accounts.google.com/
whois
US GOOGLE 142.251.170.84 clean
https://accounts.google.com/generate_204?Gfi3rg
whois
US GOOGLE 142.251.170.84 clean
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3H8r8UWuhQ6m2JhTn_UJWtMXXOP18B2sMD6q0yM1EirdCpLoeYafxU7OnBJOlDJRzgLznF
whois
US GOOGLE 142.251.170.84 clean
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
whois
US GOOGLE 216.58.203.67 clean
db-ip.com
whois
US CLOUDFLARENET 172.67.75.166 clean
pool.hashvault.pro
whois
US 1GSERVERS 142.202.242.43 mailcious
www.google.com
whois
US GOOGLE 142.250.76.132 clean
ssl.gstatic.com
whois
US GOOGLE 142.250.76.131 clean
ipinfo.io
whois
US GOOGLE 34.117.186.192 clean
accounts.google.com
whois
US GOOGLE 142.250.157.84 clean
94.156.67.230
whois
BG Terasyst Ltd 94.156.67.230 clean
195.20.16.103
whois
FI Eitadat Oy 195.20.16.103 mailcious
5.42.64.33
whois
RU CJSC Kolomna-Sviaz TV 5.42.64.33 mailcious
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
185.215.113.68
whois
Unknown 185.215.113.68 malware
185.172.128.19
whois
RU OOO Nadym Svyaz Service 185.172.128.19 mailcious
141.95.211.148
whois
Unknown 141.95.211.148 mailcious
142.251.170.84
whois
US GOOGLE 142.251.170.84 clean
142.250.66.36
whois
US GOOGLE 142.250.66.36 clean
216.58.203.67
whois
US GOOGLE 216.58.203.67 clean
193.233.132.62
whois
RU JSC Redcom-lnternet 193.233.132.62 mailcious
185.172.128.90
whois
RU OOO Nadym Svyaz Service 185.172.128.90 mailcious
34.117.186.192
whois
US GOOGLE 34.117.186.192 clean
185.172.128.109
whois
RU OOO Nadym Svyaz Service 185.172.128.109 malware
109.107.182.3
whois
RU Teleport-TV Ltd 109.107.182.3 mailcious
125.253.92.50
whois
AU FireNet Pty Ltd 125.253.92.50 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Family Activity (Response)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET HUNTING Download Request Containing Suspicious Filename - Crypted

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x84513c VirtualAlloc
 0x845140 VirtualFree
 0x845144 GetModuleHandleA
 0x845148 GetProcAddress
 0x84514c ExitProcess
 0x845150 LoadLibraryA
user32.dll
 0x845158 MessageBoxA
advapi32.dll
 0x845160 RegCloseKey
oleaut32.dll
 0x845168 SysFreeString
gdi32.dll
 0x845170 CreateFontA
shell32.dll
 0x845178 ShellExecuteA
version.dll
 0x845180 GetFileVersionInfoA
ole32.dll
 0x845188 CoInitializeEx
ws2_32.dll
 0x845190 WSAStartup
crypt32.dll
 0x845198 CryptUnprotectData
shlwapi.dll
 0x8451a0 PathFindExtensionA
gdiplus.dll
 0x8451a8 GdiplusStartup
setupapi.dll
 0x8451b0 SetupDiEnumDeviceInterfaces
ntdll.dll
 0x8451b8 RtlUnicodeStringToAnsiString

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure