popup

Report - buildz.exe

Client SW User Data Stealer LokiBot [m] Generic Malware ftp Client info stealer Suspicious_Script_Bin task schedule Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.03.29 08:10 Machine s1_win7_x6401
Filename buildz.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
3
 Behavior Score
14.6
ZERO API file : malware
VT API (file) 34 detected (AIDetectMalware, Convagent, malicious, high confidence, score, Stop, Lockbit, unsafe, Save, Attribute, HighConfidence, Artemis, PWSX, high, Krypt, Danabot, Detected, Znyonm, R641315, ZexaF, Vq0@a4iRyjhG, Obfuscated, Static AI, Malicious PE, susgen, Kryptik, HWMW, confidence, 100%)
md5 b63eeaaf33df089b775363868daf45a7
sha256 0a1e937d7c52a8be935a32e1f8385787724aed36aa1900e32055ffc92ef630e3
ssdeep 12288:ZSCyEt/2qirq/+HT4FMIeNi8eu2huSwgDgCXZkMtx8nRs0q9/LN3pkWR4:ZhOEm/QRLhujMtGK9LPkWR4
imphash bf99ed1c6e12a2d49719cb0ce3fd5ba7
impfuzzy 24:0/rkrkRp+PSGklYku/cDvqsHTxPT+vgexIkPZysoHOovIGFJ3NcHjM1WzvctRl8C:33CKoex7TGHNcYMctR/6AQvI
  Network IP location

Signature (32cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process buildz.exe
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (34cnts)

Level Name Description Collection
danger Client_SW_User_Data_Stealer Client_SW_User_Data_Stealer memory
danger Win32_PWS_Loki_m_Zero Win32 PWS Loki memory
warning Generic_Malware_Zero_m [m] Generic Malware memory
warning infoStealer_ftpClients_Zero ftp clients info stealer memory
warning Suspicious_Obfuscation_Script_2 Suspicious obfuscation script (e.g. executable files) binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch schtasks_Zero task schedule memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (16cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://sajdfue.com/test1/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
whois
MX Uninet S.A. de C.V. 189.189.213.86 clean
http://sdfjhuz.com/dl/build2.exe
whois
AR Telecom Argentina S.A. 200.45.93.45 malware
http://sajdfue.com/files/1/build3.exe
whois
CR Instituto Costarricense de Electricidad y Telecom. 201.191.99.134 malware
https://steamcommunity.com/profiles/76561199658817715
whois
US Akamai International B.V. 104.76.78.101 clean
https://api.2ip.ua/geo.json
whois
US CLOUDFLARENET 172.67.139.220 clean
sdfjhuz.com
whois
KR LG DACOM Corporation 211.168.53.110 malware
sajdfue.com
whois
MX Uninet S.A. de C.V. 189.189.213.86 malware
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
api.2ip.ua
whois
US CLOUDFLARENET 104.21.65.24 clean
steamcommunity.com
whois
US Akamai International B.V. 104.76.78.101 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
192.143.159.3
whois
ZA Afrihost 192.143.159.3 clean
172.67.139.220
whois
US CLOUDFLARENET 172.67.139.220 clean
211.168.53.110
whois
KR LG DACOM Corporation 211.168.53.110 clean
78.46.229.36
whois
DE Hetzner Online GmbH 78.46.229.36 clean
104.76.78.101
whois
US Akamai International B.V. 104.76.78.101 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x410008 InterlockedIncrement
 0x41000c ReadConsoleA
 0x410010 GetTickCount
 0x410014 GetConsoleAliasesLengthA
 0x410018 GetWindowsDirectoryA
 0x41001c GlobalAlloc
 0x410020 SetCommConfig
 0x410024 GetLocaleInfoW
 0x410028 GetSystemPowerStatus
 0x41002c GetVersionExW
 0x410030 FindNextVolumeW
 0x410034 GetConsoleAliasW
 0x410038 GetWriteWatch
 0x41003c WriteConsoleW
 0x410040 CreateFileW
 0x410044 GetEnvironmentVariableA
 0x410048 ExitThread
 0x41004c GetHandleInformation
 0x410050 GetLastError
 0x410054 GetProcAddress
 0x410058 FindResourceW
 0x41005c RemoveDirectoryA
 0x410060 LoadLibraryA
 0x410064 FindFirstVolumeMountPointW
 0x410068 SetConsoleCtrlHandler
 0x41006c GetNumberFormatW
 0x410070 SetFileApisToANSI
 0x410074 QueryDosDeviceW
 0x410078 GlobalFindAtomW
 0x41007c GetModuleFileNameA
 0x410080 VirtualProtect
 0x410084 GetCurrentDirectoryA
 0x410088 PeekConsoleInputA
 0x41008c _lopen
 0x410090 GetCurrentProcessId
 0x410094 GetVolumeInformationW
 0x410098 OutputDebugStringW
 0x41009c HeapReAlloc
 0x4100a0 SetStdHandle
 0x4100a4 LCMapStringW
 0x4100a8 GetConsoleAliasExesLengthA
 0x4100ac MultiByteToWideChar
 0x4100b0 EncodePointer
 0x4100b4 DecodePointer
 0x4100b8 ReadFile
 0x4100bc ExitProcess
 0x4100c0 GetModuleHandleExW
 0x4100c4 WideCharToMultiByte
 0x4100c8 GetCommandLineA
 0x4100cc RaiseException
 0x4100d0 RtlUnwind
 0x4100d4 IsProcessorFeaturePresent
 0x4100d8 IsDebuggerPresent
 0x4100dc IsValidCodePage
 0x4100e0 GetACP
 0x4100e4 GetOEMCP
 0x4100e8 GetCPInfo
 0x4100ec SetLastError
 0x4100f0 GetCurrentThreadId
 0x4100f4 EnterCriticalSection
 0x4100f8 LeaveCriticalSection
 0x4100fc FlushFileBuffers
 0x410100 WriteFile
 0x410104 GetConsoleCP
 0x410108 GetConsoleMode
 0x41010c DeleteCriticalSection
 0x410110 HeapSize
 0x410114 HeapFree
 0x410118 SetFilePointerEx
 0x41011c GetStdHandle
 0x410120 GetFileType
 0x410124 GetStartupInfoW
 0x410128 UnhandledExceptionFilter
 0x41012c SetUnhandledExceptionFilter
 0x410130 InitializeCriticalSectionAndSpinCount
 0x410134 Sleep
 0x410138 GetCurrentProcess
 0x41013c TerminateProcess
 0x410140 TlsAlloc
 0x410144 TlsGetValue
 0x410148 TlsSetValue
 0x41014c TlsFree
 0x410150 GetModuleHandleW
 0x410154 GetModuleFileNameW
 0x410158 LoadLibraryExW
 0x41015c HeapAlloc
 0x410160 GetProcessHeap
 0x410164 QueryPerformanceCounter
 0x410168 GetSystemTimeAsFileTime
 0x41016c GetEnvironmentStringsW
 0x410170 FreeEnvironmentStringsW
 0x410174 GetStringTypeW
 0x410178 CloseHandle
USER32.dll
 0x410180 CharUpperBuffA
 0x410184 DrawFrameControl
 0x410188 ChangeMenuA
ADVAPI32.dll
 0x410000 ReadEventLogW

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure