Report - loader-1001.exe

NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 Pow
ScreenShot
Created 2024.06.10 10:10 Machine s1_win7_x6401
Filename loader-1001.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
AI Score
9
Behavior Score
10.2
ZERO API file : malware
VT API (file) 31 detected (AIDetectMalware, Unsafe, V3ip, malicious, high confidence, Artemis, NSIS, PWSX, VIDAR, YXEEBZ, moderate, score, Phonzy, ABRisk, CKWD, Static AI, Suspicious PE, PossibleThreat)
md5 58ca6d5068fa4fed981cf5ef8a04e4d5
sha256 abc83f0b74c53bc98b6147e7fcc2a41c0a925bce79636b9557c0bb372e4f1205
ssdeep 1536:XferrLkSRoe8C4UZsys0Dh1duFp+FI+PlQ:Xfi3k+oWDBDh1duFpDWlQ
imphash f4639a0b3116c2cfc71144b88a929cfd
impfuzzy 48:7/dKePusa/toE77+nzEqQ7/allLHAOe+ztlkAOr8L5Sv0WbP06Uyv5/1byAknBoJ:bdKemvafl5APkTPF84O
  Network IP location

Signature (25cnts)

Level Description
danger File has been identified by 31 AntiVirus engines on VirusTotal as malicious
watch Creates a suspicious Powershell process
watch Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch The process powershell.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Poweshell is sending data to a remote host
notice URL downloaded by powershell script
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Uses Windows APIs to generate a cryptographic key

Rules (47cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning NSIS_Installer Null Soft Installer binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PowerShell PowerShell script scripts
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (14cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c US Akamai International B.V. 23.210.247.57 clean
https://cdn-edge-node.com/online_security_mkl.exe US CLOUDFLARENET 172.67.165.254 39716 mailcious
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1001 US AMAZON-02 13.225.110.102 39690 mailcious
https://d2lvl7wmj7b91p.cloudfront.net/load/load.php?c=1001 Unknown 54.230.169.11 clean
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1001 US AMAZON-02 13.225.110.102 39689 mailcious
d2lvl7wmj7b91p.cloudfront.net Unknown 54.230.169.96 clean
d22hce23hy1ej9.cloudfront.net US AMAZON-02 13.225.110.70 mailcious
adblock2024.shop US CLOUDFLARENET 104.21.43.83 mailcious
cdn-edge-node.com US CLOUDFLARENET 104.21.11.117 mailcious
54.230.169.11 Unknown 54.230.169.11 clean
172.67.165.254 US CLOUDFLARENET 172.67.165.254 mailcious
121.254.136.18 KR LG DACOM Corporation 121.254.136.18 clean
13.225.110.102 US AMAZON-02 13.225.110.102 clean
172.67.176.247 US CLOUDFLARENET 172.67.176.247 clean

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x408000 RegEnumValueW
 0x408004 RegEnumKeyW
 0x408008 RegQueryValueExW
 0x40800c RegSetValueExW
 0x408010 RegCloseKey
 0x408014 RegDeleteValueW
 0x408018 RegDeleteKeyW
 0x40801c AdjustTokenPrivileges
 0x408020 LookupPrivilegeValueW
 0x408024 OpenProcessToken
 0x408028 RegOpenKeyExW
 0x40802c RegCreateKeyExW
SHELL32.dll
 0x408174 SHGetPathFromIDListW
 0x408178 SHBrowseForFolderW
 0x40817c SHGetFileInfoW
 0x408180 SHFileOperationW
 0x408184 ShellExecuteExW
ole32.dll
 0x408290 CoCreateInstance
 0x408294 OleUninitialize
 0x408298 OleInitialize
 0x40829c IIDFromString
 0x4082a0 CoTaskMemFree
COMCTL32.dll
 0x408034 ImageList_Destroy
 0x408038 None
 0x40803c ImageList_AddMasked
 0x408040 ImageList_Create
USER32.dll
 0x40818c MessageBoxIndirectW
 0x408190 GetDlgItemTextW
 0x408194 SetDlgItemTextW
 0x408198 CreatePopupMenu
 0x40819c AppendMenuW
 0x4081a0 TrackPopupMenu
 0x4081a4 OpenClipboard
 0x4081a8 EmptyClipboard
 0x4081ac SetClipboardData
 0x4081b0 CloseClipboard
 0x4081b4 IsWindowVisible
 0x4081b8 CallWindowProcW
 0x4081bc GetMessagePos
 0x4081c0 CheckDlgButton
 0x4081c4 LoadCursorW
 0x4081c8 SetCursor
 0x4081cc GetSysColor
 0x4081d0 SetWindowPos
 0x4081d4 GetWindowLongW
 0x4081d8 IsWindowEnabled
 0x4081dc SetClassLongW
 0x4081e0 GetSystemMenu
 0x4081e4 EnableMenuItem
 0x4081e8 GetWindowRect
 0x4081ec ScreenToClient
 0x4081f0 EndDialog
 0x4081f4 RegisterClassW
 0x4081f8 SystemParametersInfoW
 0x4081fc CharPrevW
 0x408200 GetClassInfoW
 0x408204 DialogBoxParamW
 0x408208 CharNextW
 0x40820c ExitWindowsEx
 0x408210 DestroyWindow
 0x408214 CreateDialogParamW
 0x408218 SetTimer
 0x40821c SetWindowTextW
 0x408220 PostQuitMessage
 0x408224 SetForegroundWindow
 0x408228 ShowWindow
 0x40822c wsprintfW
 0x408230 SendMessageTimeoutW
 0x408234 FindWindowExW
 0x408238 IsWindow
 0x40823c GetDlgItem
 0x408240 SetWindowLongW
 0x408244 LoadImageW
 0x408248 GetDC
 0x40824c ReleaseDC
 0x408250 EnableWindow
 0x408254 InvalidateRect
 0x408258 SendMessageW
 0x40825c DefWindowProcW
 0x408260 BeginPaint
 0x408264 GetClientRect
 0x408268 FillRect
 0x40826c DrawTextW
 0x408270 EndPaint
 0x408274 CharNextA
 0x408278 wsprintfA
 0x40827c DispatchMessageW
 0x408280 CreateWindowExW
 0x408284 PeekMessageW
 0x408288 GetSystemMetrics
GDI32.dll
 0x408048 GetDeviceCaps
 0x40804c SetBkColor
 0x408050 SelectObject
 0x408054 DeleteObject
 0x408058 CreateBrushIndirect
 0x40805c CreateFontIndirectW
 0x408060 SetBkMode
 0x408064 SetTextColor
KERNEL32.dll
 0x40806c lstrcmpiA
 0x408070 CreateFileW
 0x408074 GetTempFileNameW
 0x408078 RemoveDirectoryW
 0x40807c CreateProcessW
 0x408080 CreateDirectoryW
 0x408084 GetLastError
 0x408088 CreateThread
 0x40808c GlobalLock
 0x408090 GlobalUnlock
 0x408094 GetDiskFreeSpaceW
 0x408098 WideCharToMultiByte
 0x40809c lstrcpynW
 0x4080a0 lstrlenW
 0x4080a4 SetErrorMode
 0x4080a8 GetVersionExW
 0x4080ac GetCommandLineW
 0x4080b0 GetTempPathW
 0x4080b4 GetWindowsDirectoryW
 0x4080b8 WriteFile
 0x4080bc CopyFileW
 0x4080c0 ExitProcess
 0x4080c4 GetCurrentProcess
 0x4080c8 GetModuleFileNameW
 0x4080cc GetFileSize
 0x4080d0 GetTickCount
 0x4080d4 Sleep
 0x4080d8 SetFileAttributesW
 0x4080dc GetFileAttributesW
 0x4080e0 SetCurrentDirectoryW
 0x4080e4 MoveFileW
 0x4080e8 GetFullPathNameW
 0x4080ec GetShortPathNameW
 0x4080f0 SearchPathW
 0x4080f4 CompareFileTime
 0x4080f8 SetFileTime
 0x4080fc CloseHandle
 0x408100 lstrcmpiW
 0x408104 lstrcmpW
 0x408108 ExpandEnvironmentStringsW
 0x40810c GlobalFree
 0x408110 GlobalAlloc
 0x408114 GetModuleHandleW
 0x408118 LoadLibraryExW
 0x40811c FreeLibrary
 0x408120 WritePrivateProfileStringW
 0x408124 GetPrivateProfileStringW
 0x408128 lstrlenA
 0x40812c MultiByteToWideChar
 0x408130 ReadFile
 0x408134 SetFilePointer
 0x408138 FindClose
 0x40813c FindNextFileW
 0x408140 FindFirstFileW
 0x408144 DeleteFileW
 0x408148 MulDiv
 0x40814c lstrcpyA
 0x408150 MoveFileExW
 0x408154 lstrcatW
 0x408158 GetSystemDirectoryW
 0x40815c GetProcAddress
 0x408160 GetModuleHandleA
 0x408164 GetExitCodeProcess
 0x408168 WaitForSingleObject
 0x40816c SetEnvironmentVariableW

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure