popup

Report - CryptoWall.exe

ScreenShot KeyLogger AntiDebug AntiVM PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.07.06 18:25 Machine s1_win7_x6401
Filename CryptoWall.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
9
 Behavior Score
7.8
ZERO API file : malware
VT API (file) 60 detected (AIDetectMalware, Cryptodef, tqGM, malicious, high confidence, CryptoWall, Crowti, Unsafe, ali1003001, FileCryptor, Attribute, HighConfidence, Filecoder, score, YOTD2256, dncaot, jCQ8i3u36MH, XPACK, CRYPWALL, SMJC, Real Protect, high, Detected, ai score=100, GenericMC, Malware@#1gyh86oymb1d1, Eldorado, R135312, ZexaF, iqX@a8QE4fp, BScope, TrojanPSW, Gencirc, FenbSqmDfE8, Static AI, Suspicious PE, susgen, confidence, 100%, Ransomware)
md5 919034c8efb9678f96b47a20fa6199f2
sha256 e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
ssdeep 3072:naRQpzd/99wen3XgWorw8I3h8LkMvqCgQfBUnPy8L6kssU:nJdTwo30ri3h8LkMvqCgQfBUPy8L6ksP
imphash
impfuzzy 3::
  Network IP location

Signature (12cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 60 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Created a process named as a common system process
watch Manipulates memory of a non-child process indicative of process injection
watch One or more of the buffers contains an embedded PE file
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory

Rules (13cnts)

Level Name Description Collection
notice KeyLogger Run a KeyLogger memory
notice ScreenShot Take ScreenShot memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (12cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://myexternalip.com/raw
whois
US GOOGLE 34.117.118.44 clean
http://ip-addr.es/
whois
FR OVH SAS 188.165.164.184 clean
myexternalip.com
whois
US GOOGLE 34.117.118.44 clean
ip-addr.es
whois
FR OVH SAS 188.165.164.184 clean
34.117.118.44
whois
US GOOGLE 34.117.118.44 clean
91.121.12.127
whois
FR OVH SAS 91.121.12.127 clean
188.165.164.184
whois
FR OVH SAS 188.165.164.184 clean
94.247.28.26
whois
FR CTS Computers and Telecommunications Systems SAS 94.247.28.26 clean
94.247.31.19
whois
ES CTS Computers and Telecommunications Systems SAS 94.247.31.19 clean
185.172.128.90
whois
RU OOO Nadym Svyaz Service 185.172.128.90 mailcious
209.148.85.151
whois
US ROOT-LEVEL-TECHNOLOGY 209.148.85.151 clean
94.247.28.156
whois
FR CTS Computers and Telecommunications Systems SAS 94.247.28.156 clean

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO HTTP Request for External IP Check (ip-addr .es)
ET POLICY External IP Check myexternalip.com

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure