popup

Report - archive.rar

Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.07.08 11:11 Machine s1_win7_x6402
Filename archive.rar
Type RAR archive data, v5
AI Score Not founds Behavior Score
5.2
ZERO API file : clean
VT API (file)
md5 2074be740d489e298715968ed68fd122
sha256 e83b773fd848f80d85e5a2e2121b4681a87bfe9e1567b62f32726a3aaba8282d
ssdeep 393216:Blp4NRae5LtT37veosKeSI/DA2Mx+SiZFhLEo+d48+aDu:BCge5hT37veo4PPOiZLYdt+eu
imphash
impfuzzy
  Network IP location

Signature (12cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (37cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://176.111.174.109/psyzh
whois
Unknown 176.111.174.109 40370 malware
http://77.105.133.27/download/123p.exe
whois
RU Plus Telecom LLC 77.105.133.27 40857 malware
http://5.42.99.177/api/crazyfish.php
whois
RU CJSC Kolomna-Sviaz TV 5.42.99.177 40006 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US AKAMAI-AS 23.201.35.155 clean
http://80.78.242.100/d/525403
whois
RU Master Internet s.r.o. 80.78.242.100 40853 mailcious
http://43.153.49.49:8888/down/0GPThy6iSZBT.exe
whois
Unknown 43.153.49.49 mailcious
http://5.42.99.177/api/twofish.php
whois
RU CJSC Kolomna-Sviaz TV 5.42.99.177 40008 mailcious
http://80.78.242.100/d/385132
whois
RU Master Internet s.r.o. 80.78.242.100 clean
http://77.105.133.27/download/th/space.php
whois
RU Plus Telecom LLC 77.105.133.27 40856 mailcious
https://lop.foxesjoy.com/ssl/crt.exe
whois
US CLOUDFLARENET 104.21.66.124 40188 malware
https://db-ip.com/demo/home.php?s=
whois
US CLOUDFLARENET 104.26.4.15 clean
raw.githubusercontent.com
whois
US FASTLY 185.199.109.133 malware
db-ip.com
whois
US CLOUDFLARENET 172.67.75.166 clean
api64.ipify.org
whois
US WEBNX 104.237.62.213 clean
api.myip.com
whois
US CLOUDFLARENET 104.26.9.59 clean
lop.foxesjoy.com
whois
US CLOUDFLARENET 104.21.66.124 malware
ipinfo.io
whois
US GOOGLE 34.117.186.192 clean
cdn.discordapp.com
whois
Unknown 162.159.133.233 malware
vk.com
whois
RU VKontakte Ltd 87.240.132.72 mailcious
iplogger.org
whois
US CLOUDFLARENET 172.67.132.113 mailcious
176.111.174.109
whois
Unknown 176.111.174.109 malware
182.162.106.33
whois
KR LG DACOM Corporation 182.162.106.33 malware
43.153.49.49
whois
Unknown 43.153.49.49 mailcious
173.231.16.77
whois
US WEBNX 173.231.16.77 clean
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
172.67.75.163
whois
US CLOUDFLARENET 172.67.75.163 clean
34.117.186.192
whois
US GOOGLE 34.117.186.192 clean
104.21.66.124
whois
US CLOUDFLARENET 104.21.66.124 malware
185.199.111.133
whois
US FASTLY 185.199.111.133 mailcious
5.42.99.177
whois
RU CJSC Kolomna-Sviaz TV 5.42.99.177 mailcious
87.240.129.133
whois
RU VKontakte Ltd 87.240.129.133 mailcious
77.105.133.27
whois
RU Plus Telecom LLC 77.105.133.27 mailcious
162.159.135.233
whois
Unknown 162.159.135.233 malware
182.162.106.144
whois
KR LG DACOM Corporation 182.162.106.144 clean
172.67.132.113
whois
US CLOUDFLARENET 172.67.132.113 clean
77.91.77.80
whois
RU Foton Telecom CJSC 77.91.77.80 malware
80.78.242.100
whois
RU Master Internet s.r.o. 80.78.242.100 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET HUNTING Redirect to Discord Attachment Download
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)

Similarity measure (PE file only) - Checking for service failure