Report - room4.hta

Tags: Generic Malware, Antivirus, Malicious Library, PowerShell, PE File, PE32, DLL
Created 2024.05.24 09:44 Machine s1_win7_x6403
Filename room4.hta
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
AI Score: Not found
Behavior Score: 14.6
ZERO API file: clean
VT API (file) 27 detected (Valyria, Malicious, score, jpdglv, TOPIS, RXmrIh5jYAI, VPLT, Outbreak, Detected, Infected, AutoInfector, Eldorado, Ymhl, ai score=88)
md5 409f1bada32d81974fd8606be4cbc943
sha256 44973eb6e87b61951a5244aab9cf1fc9d04d2d97ab9ec6914c56b54f3d3b7743
ssdeep 192:QSc8pfJ204eoWujo+tVo1oLfbAJkJ9M5f29:BcgonouoC
imphash
impfuzzy

Signature (32cnts)

Level Description
danger The process powershell.exe wrote an executable file to disk which it then attempted to execute
warning File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Creates a suspicious Powershell process
watch Drops a binary and executes it
watch Manipulates memory of a non-child process indicative of process injection
watch Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch One or more non-whitelisted processes were created
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Powershell is sending data to a remote host
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice URL downloaded by powershell script
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (8cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PowerShell PowerShell script scripts
info PowershellDI Extract Download/Invoke calls from powershell script scripts

Network (33cnts)

Request CC ASN Co IP4 Rule ZERO
http://www.antonio-vivaldi.mobi/fo8o/?I0NK=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&Lw8=oat1oSv DK One.com A/S 46.30.213.191 clean
http://www.magmadokum.com/fo8o/ TR Cizgi Telekomunikasyon Anonim Sirketi 85.159.66.93 clean
http://www.3xfootball.com/fo8o/ HK POWER LINE DATACENTER 154.215.72.110 clean
http://www.goldenjade-travel.com/fo8o/?I0NK=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&Lw8=oat1oSv TW DongFong Technology Co. Ltd. 116.50.37.244 clean
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip US Linode, LLC 45.33.6.223 clean
http://www.rssnewscast.com/fo8o/ DE SEDO GmbH 91.195.240.94 clean
http://www.techchains.info/fo8o/ US ADVANTAGECOM 66.29.149.46 clean
http://www.3xfootball.com/fo8o/?I0NK=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&Lw8=oat1oSv HK POWER LINE DATACENTER 154.215.72.110 clean
http://www.magmadokum.com/fo8o/?I0NK=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&Lw8=oat1oSv TR Cizgi Telekomunikasyon Anonim Sirketi 85.159.66.93 clean
http://www.rssnewscast.com/fo8o/?I0NK=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&Lw8=oat1oSv DE SEDO GmbH 91.195.240.94 clean
http://www.kasegitai.tokyo/fo8o/ JP DigiRock, Inc. 202.172.28.202 clean
http://www.goldenjade-travel.com/fo8o/ TW DongFong Technology Co. Ltd. 116.50.37.244 clean
http://20.86.128.223/room/rooma.exe US MICROSOFT-CORP-MSN-AS-BLOCK 20.86.128.223 malware
http://www.techchains.info/fo8o/?I0NK=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&Lw8=oat1oSv US ADVANTAGECOM 66.29.149.46 clean
http://www.antonio-vivaldi.mobi/fo8o/ DK One.com A/S 46.30.213.191 clean
http://www.kasegitai.tokyo/fo8o/?I0NK=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&Lw8=oat1oSv JP DigiRock, Inc. 202.172.28.202 clean
www.liangyuen528.com Unknown clean
www.magmadokum.com TR Cizgi Telekomunikasyon Anonim Sirketi 85.159.66.93 clean
www.techchains.info US ADVANTAGECOM 66.29.149.46 clean
www.kasegitai.tokyo JP DigiRock, Inc. 202.172.28.202 clean
www.3xfootball.com HK POWER LINE DATACENTER 154.215.72.110 clean
www.goldenjade-travel.com TW DongFong Technology Co. Ltd. 116.50.37.244 clean
www.antonio-vivaldi.mobi DK One.com A/S 46.30.213.191 clean
www.rssnewscast.com DE SEDO GmbH 91.195.240.94 clean
202.172.28.202 JP DigiRock, Inc. 202.172.28.202 clean
85.159.66.93 TR Cizgi Telekomunikasyon Anonim Sirketi 85.159.66.93 malicious
116.50.37.244 TW DongFong Technology Co. Ltd. 116.50.37.244 clean
46.30.213.191 DK One.com A/S 46.30.213.191 malicious
66.29.149.46 US ADVANTAGECOM 66.29.149.46 clean
91.195.240.94 DE SEDO GmbH 91.195.240.94 phishing
45.33.6.223 US Linode, LLC 45.33.6.223 clean
20.86.128.223 US MICROSOFT-CORP-MSN-AS-BLOCK 20.86.128.223 malware
154.215.72.110 HK POWER LINE DATACENTER 154.215.72.110 clean

Suricata ids
