Report - retail.php

Malicious Library Malicious Packer PE File PE32 ZIP Format PNG Format
Created 2024.04.03 13:42 Machine s1_win7_x6401
Filename retail.php
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 14.6
ZERO API file: clean
VT API (file) 36 detected (AIDetectMalware, RisePro, malicious, high confidence, score, Artemis, unsafe, Va5c, Attribute, HighConfidence, ADVG, Generic@AI, RDML, wIy6NkEs3yLfdoBJjwM4aA, Siggen28, PRIVATELOADER, YXEDBZ, high, Detected, zbdil, Sabsik, PSWTroj, Emotet, M7JLUY, ABRisk, EBJQ, MalPe, X2205, ZexaF, @7Z@aOzyu8k, Chgt, Static AI, Suspicious PE, confidence)
md5 bf0137e15637ddd2eefc0922092ba059
sha256 007b625dbf26d9e0c83eabe4a77317bf7aacb1aebd26799b494308ef28a6fab8
ssdeep 98304:uCVtrrNZ4y9SB4gfnpAC5H0U7tsM6EVXw5pllaswAH2KsMzhqY1V3yHQWRueMI6D:uctrBqyQBFfpN5H0QJVAPlNwAfTzhqcZ
imphash 781c86f538798e5b8b2b3427fdfc978e
impfuzzy 24:Cx+CiJ/G14AJiQmXJai1JcDRZcp+ZGvHZZZHgdpOovXkeJbt0+7RvPFQHwRmjM2E:Cx++14ASXJ4Zcp+svZZZDat0+dTRYE

Signature (32cnts)

Level Description
danger File has been identified by 36 AntiVirus engines on VirusTotal as malicious
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the CPU name from registry
watch Checks the version of Bios
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects Virtual Machines through their custom firmware
watch Detects VirtualBox through the presence of a registry key
watch Detects VMWare through the in instruction feature
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a shortcut to an executable file
notice Expresses interest in specific running processes
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid)
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (6cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info zip_file_format ZIP file format binaries (download)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
https://db-ip.com/demo/home.php?s=175.208.134.152 US CLOUDFLARENET 172.67.75.166 clean
ipinfo.io US GOOGLE 34.117.186.192 clean
db-ip.com US CLOUDFLARENET 104.26.4.15 clean
172.67.75.166 US CLOUDFLARENET 172.67.75.166 clean
193.233.132.67 RU JSC Redcom-lnternet 193.233.132.67 malicious
34.117.186.192 US GOOGLE 34.117.186.192 clean

Suricata ids

PE API

IAT (Import Address Table) Library

kernel32.dll
 0xdf3000 GetModuleHandleA
USER32.dll
 0xdf3008 wsprintfA
GDI32.dll
 0xdf3010 CreateCompatibleBitmap
ADVAPI32.dll
 0xdf3018 RegCloseKey
SHELL32.dll
 0xdf3020 ShellExecuteA
ole32.dll
 0xdf3028 CoInitialize
WS2_32.dll
 0xdf3030 WSAStartup
CRYPT32.dll
 0xdf3038 CryptUnprotectData
SHLWAPI.dll
 0xdf3040 PathFindExtensionA
gdiplus.dll
 0xdf3048 GdipGetImageEncoders
SETUPAPI.dll
 0xdf3050 SetupDiEnumDeviceInfo
ntdll.dll
 0xdf3058 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
 0xdf3060 RmStartSession
kernel32.dll
 0xdf3068 GetSystemTimeAsFileTime
 0xdf306c CreateEventA
 0xdf3070 GetModuleHandleA
 0xdf3074 TerminateProcess
 0xdf3078 GetCurrentProcess
 0xdf307c CreateToolhelp32Snapshot
 0xdf3080 Thread32First
 0xdf3084 GetCurrentProcessId
 0xdf3088 GetCurrentThreadId
 0xdf308c OpenThread
 0xdf3090 Thread32Next
 0xdf3094 CloseHandle
 0xdf3098 SuspendThread
 0xdf309c ResumeThread
 0xdf30a0 WriteProcessMemory
 0xdf30a4 GetSystemInfo
 0xdf30a8 VirtualAlloc
 0xdf30ac VirtualProtect
 0xdf30b0 VirtualFree
 0xdf30b4 GetProcessAffinityMask
 0xdf30b8 SetProcessAffinityMask
 0xdf30bc GetCurrentThread
 0xdf30c0 SetThreadAffinityMask
 0xdf30c4 Sleep
 0xdf30c8 LoadLibraryA
 0xdf30cc FreeLibrary
 0xdf30d0 GetTickCount
 0xdf30d4 SystemTimeToFileTime
 0xdf30d8 FileTimeToSystemTime
 0xdf30dc GlobalFree
 0xdf30e0 HeapAlloc
 0xdf30e4 HeapFree
 0xdf30e8 GetProcAddress
 0xdf30ec ExitProcess
 0xdf30f0 EnterCriticalSection
 0xdf30f4 LeaveCriticalSection
 0xdf30f8 InitializeCriticalSection
 0xdf30fc DeleteCriticalSection
 0xdf3100 MultiByteToWideChar
 0xdf3104 GetModuleHandleW
 0xdf3108 LoadResource
 0xdf310c FindResourceExW
 0xdf3110 FindResourceExA
 0xdf3114 WideCharToMultiByte
 0xdf3118 GetThreadLocale
 0xdf311c GetUserDefaultLCID
 0xdf3120 GetSystemDefaultLCID
 0xdf3124 EnumResourceNamesA
 0xdf3128 EnumResourceNamesW
 0xdf312c EnumResourceLanguagesA
 0xdf3130 EnumResourceLanguagesW
 0xdf3134 EnumResourceTypesA
 0xdf3138 EnumResourceTypesW
 0xdf313c CreateFileW
 0xdf3140 LoadLibraryW
 0xdf3144 GetLastError
 0xdf3148 GetCommandLineA
 0xdf314c GetCPInfo
 0xdf3150 InterlockedIncrement
 0xdf3154 InterlockedDecrement
 0xdf3158 GetACP
 0xdf315c GetOEMCP
 0xdf3160 IsValidCodePage
 0xdf3164 TlsGetValue
 0xdf3168 TlsAlloc
 0xdf316c TlsSetValue
 0xdf3170 TlsFree
 0xdf3174 SetLastError
 0xdf3178 UnhandledExceptionFilter
 0xdf317c SetUnhandledExceptionFilter
 0xdf3180 IsDebuggerPresent
 0xdf3184 RaiseException
 0xdf3188 LCMapStringA
 0xdf318c LCMapStringW
 0xdf3190 SetHandleCount
 0xdf3194 GetStdHandle
 0xdf3198 GetFileType
 0xdf319c GetStartupInfoA
 0xdf31a0 GetModuleFileNameA
 0xdf31a4 FreeEnvironmentStringsA
 0xdf31a8 GetEnvironmentStrings
 0xdf31ac FreeEnvironmentStringsW
 0xdf31b0 GetEnvironmentStringsW
 0xdf31b4 HeapCreate
 0xdf31b8 HeapDestroy
 0xdf31bc QueryPerformanceCounter
 0xdf31c0 HeapReAlloc
 0xdf31c4 GetStringTypeA
 0xdf31c8 GetStringTypeW
 0xdf31cc GetLocaleInfoA
 0xdf31d0 HeapSize
 0xdf31d4 WriteFile
 0xdf31d8 RtlUnwind
 0xdf31dc SetFilePointer
 0xdf31e0 GetConsoleCP
 0xdf31e4 GetConsoleMode
 0xdf31e8 InitializeCriticalSectionAndSpinCount
 0xdf31ec SetStdHandle
 0xdf31f0 WriteConsoleA
 0xdf31f4 GetConsoleOutputCP
 0xdf31f8 WriteConsoleW
 0xdf31fc CreateFileA
 0xdf3200 FlushFileBuffers
 0xdf3204 VirtualQuery

EAT (Export Address Table) Library

0x466e80 Start
