Report - Crypto.exe

Malicious Library Malicious Packer UPX PE File PE32 PNG Format ZIP Format
Created 2024.03.31 11:21 Machine s1_win7_x6403
Filename Crypto.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
Behavior Score
11.4
ZERO API file: malware
VT API (file) 46 detected (AIDetectMalware, RisePro, malicious, high confidence, GenericKD, unsafe, Attribute, HighConfidence, a variant of Generik, FFFBWCI, Artemis, FileRepMalware, score, VMProtBad, Redcap, klaxqk, Generic@AI, RDML, YNr+HmFUrY+5t44oJJ3X2A, uipts, DownLoader46, high, Detected, ai score=89, Wacatac, PSWTroj, WYTO7G, AGEN, ZexaF, @F0@aSOUxmni, Chgt, PRIVATELOADER, YXEC3Z, Static AI, Malicious PE, PossibleThreat, confidence, 100%)
md5 9ebd44ed56bec49d85d5c106f0c2e99f
sha256 9b08bf9b0ee4f62f21592107a5fc5e4cc9080aa4b0f1e049cf45ba0ee2296eb7
ssdeep 196608:Pm8wlf8UhGn96UrW1zZeP1qt5r6dhroH0UVP+R:O8IfdhGn9BU2YEdhrwxP+
imphash 6921b1dcd9a9843f77a4c47c3178a4c9
impfuzzy 12:DB21mRW/0yNCPsEEJPSQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:9xgCiJaQ58QtXJHc9NDI5Q8

Signature (25cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (7cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info zip_file_format ZIP file format binaries (download)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
https://db-ip.com/demo/home.php?s=175.208.134.152 US CLOUDFLARENET 104.26.4.15 1 clean
ipinfo.io US GOOGLE 34.117.186.192 clean
db-ip.com US CLOUDFLARENET 172.67.75.166 clean
34.117.186.192 US GOOGLE 34.117.186.192 clean
104.26.4.15 US CLOUDFLARENET 104.26.4.15 clean
193.233.132.108 RU JSC Redcom-lnternet 193.233.132.108 malware

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x93e000 GetVersionExA
USER32.dll
 0x93e008 wsprintfA
GDI32.dll
 0x93e010 CreateCompatibleBitmap
ADVAPI32.dll
 0x93e018 RegCreateKeyExA
SHELL32.dll
 0x93e020 ShellExecuteA
ole32.dll
 0x93e028 CoInitialize
WS2_32.dll
 0x93e030 WSAStartup
CRYPT32.dll
 0x93e038 CryptUnprotectData
SHLWAPI.dll
 0x93e040 PathFindExtensionA
gdiplus.dll
 0x93e048 GdipGetImageEncoders
SETUPAPI.dll
 0x93e050 SetupDiEnumDeviceInfo
ntdll.dll
 0x93e058 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
 0x93e060 RmStartSession
WTSAPI32.dll
 0x93e068 WTSSendMessageW
KERNEL32.dll
 0x93e070 VirtualQuery
USER32.dll
 0x93e078 GetProcessWindowStation
KERNEL32.dll
 0x93e080 LocalAlloc
 0x93e084 LocalFree
 0x93e088 GetModuleFileNameW
 0x93e08c GetProcessAffinityMask
 0x93e090 SetProcessAffinityMask
 0x93e094 SetThreadAffinityMask
 0x93e098 Sleep
 0x93e09c ExitProcess
 0x93e0a0 FreeLibrary
 0x93e0a4 LoadLibraryA
 0x93e0a8 GetModuleHandleA
 0x93e0ac GetProcAddress
USER32.dll
 0x93e0b4 GetProcessWindowStation
 0x93e0b8 GetUserObjectInformationW

EAT (Export Address Table) Library

0x466a40 Start
