Report - Video.scr

Gen1 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check DLL .NET DLL
Created 2024.05.12 02:42 Machine s1_win7_x6403
Filename Video.scr
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 10.4
ZERO API file : malicious
VT API (file) 48 detected (AIDetectMalware, Crypren, tpW3, Python, unsafe, Miner, Attribute, HighConfidence, malicious, high confidence, Mozi, score, Crytes, hjtpjc, PhotoMiner, CLASSIC, Infected, WebPage, Gen2, Tool, BtcMine, ZexaF, 0nKfaybz@roi, CoinMiner, Bitcoinworm, ai score=100, HeurC, KVM007, Bflient, ~AD2@3d18gh, 113J9WD, Detected, R342010, Phonzy, Bkjl, Static AI, Suspicious PE, BitMiner)
md5 5616a3471565d34d779b5b3d0520bb70
sha256 9194b57673209c8534888f61b0cdefa34f463ae50cd78f72ab2b3348220baaf9
ssdeep 98304:RLbSThOfTCiFBXmfFs+JhEpCVoR8oMEOJ6Ty3RvX+UGD823FUuzmH:tBfTCiUs0VSLOJgyBGUA8Ch8
imphash 91ae93ed3ff0d6f8a4f22d2edd30a58e
impfuzzy 24:Skgwt3aDaODu9Wu9T/2bjar9UltMS1hbJnc+pl3rOovbKlvUIoUTlONoEqMo6iMJ:VgSokR9+tMS1hlc+ppaRNUIpONfiQx

Signature (19cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 48 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch Connects to an IRC server
watch Enumerates services
watch Installs itself for autorun at Windows startup
watch Looks for the Windows Idle Time to determine the uptime
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates a service
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (13cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info Is_DotNET_DLL (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (113cnts)


Suricata ids

PE API

IAT (Import Address Table) Library

USER32.dll
 0x420178 MessageBoxW
 0x42017c MessageBoxA
KERNEL32.dll
 0x420000 SystemTimeToTzSpecificLocalTime
 0x420004 DecodePointer
 0x420008 GetLastError
 0x42000c SetDllDirectoryW
 0x420010 GetModuleFileNameW
 0x420014 GetProcAddress
 0x420018 GetCommandLineW
 0x42001c GetEnvironmentVariableW
 0x420020 SetEnvironmentVariableW
 0x420024 ExpandEnvironmentStringsW
 0x420028 GetTempPathW
 0x42002c WaitForSingleObject
 0x420030 Sleep
 0x420034 GetExitCodeProcess
 0x420038 CreateProcessW
 0x42003c GetStartupInfoW
 0x420040 LoadLibraryExW
 0x420044 GetShortPathNameW
 0x420048 FormatMessageW
 0x42004c LoadLibraryA
 0x420050 MultiByteToWideChar
 0x420054 WideCharToMultiByte
 0x420058 SetEndOfFile
 0x42005c HeapReAlloc
 0x420060 UnhandledExceptionFilter
 0x420064 SetUnhandledExceptionFilter
 0x420068 GetCurrentProcess
 0x42006c TerminateProcess
 0x420070 IsProcessorFeaturePresent
 0x420074 QueryPerformanceCounter
 0x420078 GetCurrentProcessId
 0x42007c GetCurrentThreadId
 0x420080 GetSystemTimeAsFileTime
 0x420084 InitializeSListHead
 0x420088 IsDebuggerPresent
 0x42008c GetModuleHandleW
 0x420090 RtlUnwind
 0x420094 SetLastError
 0x420098 EnterCriticalSection
 0x42009c LeaveCriticalSection
 0x4200a0 DeleteCriticalSection
 0x4200a4 InitializeCriticalSectionAndSpinCount
 0x4200a8 TlsAlloc
 0x4200ac TlsGetValue
 0x4200b0 TlsSetValue
 0x4200b4 TlsFree
 0x4200b8 FreeLibrary
 0x4200bc GetCommandLineA
 0x4200c0 ReadFile
 0x4200c4 CreateFileW
 0x4200c8 GetDriveTypeW
 0x4200cc GetFileType
 0x4200d0 CloseHandle
 0x4200d4 PeekNamedPipe
 0x4200d8 RaiseException
 0x4200dc FileTimeToSystemTime
 0x4200e0 GetFullPathNameW
 0x4200e4 GetFullPathNameA
 0x4200e8 CreateDirectoryW
 0x4200ec RemoveDirectoryW
 0x4200f0 FindClose
 0x4200f4 FindFirstFileExW
 0x4200f8 FindNextFileW
 0x4200fc SetStdHandle
 0x420100 SetConsoleCtrlHandler
 0x420104 DeleteFileW
 0x420108 GetStdHandle
 0x42010c WriteFile
 0x420110 ExitProcess
 0x420114 GetModuleHandleExW
 0x420118 GetACP
 0x42011c HeapFree
 0x420120 HeapAlloc
 0x420124 GetConsoleMode
 0x420128 ReadConsoleW
 0x42012c SetFilePointerEx
 0x420130 GetConsoleCP
 0x420134 CompareStringW
 0x420138 LCMapStringW
 0x42013c GetCurrentDirectoryW
 0x420140 FlushFileBuffers
 0x420144 SetEnvironmentVariableA
 0x420148 GetFileAttributesExW
 0x42014c IsValidCodePage
 0x420150 GetOEMCP
 0x420154 GetCPInfo
 0x420158 GetEnvironmentStringsW
 0x42015c FreeEnvironmentStringsW
 0x420160 GetStringTypeW
 0x420164 GetProcessHeap
 0x420168 WriteConsoleW
 0x42016c GetTimeZoneInformation
 0x420170 HeapSize
WS2_32.dll
 0x420184 ntohl

EAT (Export Address Table): none
