Report - poter.exe

EnigmaProtector Malicious Packer PE File PE32
Created 2024.05.13 09:02 Machine s1_win7_x6401
Filename poter.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 9
Behavior Score 6.6
ZERO API file : malware
VT API (file) 35 detected (malicious, high confidence, score, RemAdmAmmyy, Strictor, Save, Attribute, HighConfidence, Enigma, PWSX, RisePro, moderate, Detected, Wacatac, 1OXVGSY, R646865, ZexaF, bJ0@aaU71Qak, Probably Heur, ExeHeaderL, ai score=81)
md5 3acbdb001a0be2555921f0361189f9b5
sha256 577c882863773dd3c84a219133a967b6354e89822e871d6ddf954f0c3a2976a9
ssdeep 49152:/YAdQItwwztvgIBRUPgafOKR9UUVlNKnwGs1r/6brfoh93o0CjLGPFHeaz5BpGN4:/YAN9YIu4KR9UA0wGWHbyqN+azX8C
imphash 272279f18f704f637aa129691266b291
impfuzzy 6:nERGDvZ/OiBJAEcXQwDLzRgSdn8BbMqtYbdic9SvWx/0yNCgyPVe6XEAML+rKhWi:EcDvZGqA9AwDXRgKQcb/0yNCPsEEJPx

Signature (16cnts)

Level Description
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Looks up the external IP address
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Collects information to fingerprint the system (MachineGuid)
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
warning EnigmaProtector_IN EnigmaProtector binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
https://db-ip.com/demo/home.php?s=175.208.134.152 US CLOUDFLARENET 172.67.75.166 clean
ipinfo.io US GOOGLE 34.117.186.192 clean
db-ip.com US CLOUDFLARENET 172.67.75.166 clean
172.67.75.166 US CLOUDFLARENET 172.67.75.166 clean
147.45.47.126 RU OOO FREEnet Group 147.45.47.126 clean
34.117.186.192 US GOOGLE 34.117.186.192 clean

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0xd43fac GetModuleHandleA
 0xd43fb0 GetProcAddress
 0xd43fb4 ExitProcess
 0xd43fb8 LoadLibraryA
user32.dll
 0xd43fc0 MessageBoxA
advapi32.dll
 0xd43fc8 RegCloseKey
oleaut32.dll
 0xd43fd0 SysFreeString
gdi32.dll
 0xd43fd8 CreateFontA
shell32.dll
 0xd43fe0 ShellExecuteA
version.dll
 0xd43fe8 GetFileVersionInfoA
ole32.dll
 0xd43ff0 CoInitialize
WS2_32.dll
 0xd43ff8 WSAStartup
CRYPT32.dll
 0xd44000 CryptUnprotectData
SHLWAPI.dll
 0xd44008 PathFindExtensionA
gdiplus.dll
 0xd44010 GdipGetImageEncoders
SETUPAPI.dll
 0xd44018 SetupDiEnumDeviceInfo
ntdll.dll
 0xd44020 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
 0xd44028 RmStartSession

EAT(Export Address Table) Library
