Report - getimage15.php

Craxs RAT Malicious Packer UPX PE File PE32 .NET EXE PNG Format ZIP Format
ScreenShot
Created 2024.03.29 07:46 Machine s1_win7_x6401
Filename getimage15.php
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
4
Behavior Score
16.0
ZERO API file : malware
VT API (file) 50 detected (AIDetectMalware, RisePro, malicious, high confidence, score, unsafe, Vv3x, Genus, Attribute, HighConfidence, VMProtect, BC suspicious, PWSX, Redcap, czylj, high, Generic Reputation PUA, Detected, ai score=79, PSWTroj, Casdet, ABRisk, UWGG, Injection, ZexaF, @JW@amP0yRcG, Chgt, Generic@AI, RDML, +IYg8LGzBLSyJ1TnDhiqGg, EQ7zBjDO0dg, Static AI, Malicious PE, susgen, confidence, 100%)
md5 9ffa99ae9f8ab00f8e944cb3317f1dd3
sha256 2caec1ce51c8304261e5ac88333d805a13c5fa2b0ca1c0c19a7e5a9a2af78b43
ssdeep 98304:2QTLK3OmctIY4tTNEsxwyNJqSVCS+Nfl4gvqvU7dYblDQdKw7:I3AIYxvyrzVCVNN4bcJYbidKw
imphash 84d3942a6283bd1fa0ecc5bc71ddea94
impfuzzy 6:AwBGL6Q7xdLqR/bdc9SvWx/0yNCgyPVe6XEAML+rKhW+nbpjtlJoZ/O4ErBJAEHX:DB21mRW/0yNCPsEEJPxTOZGJjA/DW
  Network IP location

Signature (38cnts)

Level Description
danger File has been identified by 50 AntiVirus engines on VirusTotal as malicious
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process getimage15.php
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info Tries to locate where the browsers are installed

Rules (10cnts)

Level Name Description Collection
danger Craxs_RAT Craxs RAT binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info zip_file_format ZIP file format binaries (download)

Network (10cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://193.233.132.197/lumma27.exe RU JSC Redcom-lnternet 193.233.132.197 1 @@Snc7y
http://5.42.66.22/crypted_de7109ba.exe RU CJSC Kolomna-Sviaz TV 5.42.66.22 1 clean
https://db-ip.com/demo/home.php?s=175.208.134.152 US CLOUDFLARENET 104.26.4.15 clean
ipinfo.io US GOOGLE 34.117.186.192 1 clean
db-ip.com US CLOUDFLARENET 172.67.75.166 1 clean
104.26.4.15 US CLOUDFLARENET 104.26.4.15 1 clean
34.117.186.192 US GOOGLE 34.117.186.192 1 clean
5.42.66.22 RU CJSC Kolomna-Sviaz TV 5.42.66.22 1 malware
193.233.132.197 RU JSC Redcom-lnternet 193.233.132.197 1 mailcious
5.42.65.117 RU CJSC Kolomna-Sviaz TV 5.42.65.117 1 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x7e7000 GetVersionExA
USER32.dll
 0x7e7008 wsprintfA
GDI32.dll
 0x7e7010 CreateCompatibleBitmap
ADVAPI32.dll
 0x7e7018 RegCreateKeyExA
SHELL32.dll
 0x7e7020 ShellExecuteA
ole32.dll
 0x7e7028 CoInitialize
WS2_32.dll
 0x7e7030 WSAStartup
CRYPT32.dll
 0x7e7038 CryptUnprotectData
SHLWAPI.dll
 0x7e7040 PathFindExtensionA
gdiplus.dll
 0x7e7048 GdipGetImageEncoders
SETUPAPI.dll
 0x7e7050 SetupDiEnumDeviceInfo
ntdll.dll
 0x7e7058 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
 0x7e7060 RmStartSession
KERNEL32.dll
 0x7e7068 GetSystemTimeAsFileTime
KERNEL32.dll
 0x7e7070 HeapAlloc
 0x7e7074 HeapFree
 0x7e7078 ExitProcess
 0x7e707c GetModuleHandleA
 0x7e7080 LoadLibraryA
 0x7e7084 GetProcAddress

EAT(Export Address Table) Library

0x466a40 Start


Similarity measure (PE file only) - Checking for service failure