popup

Report - archive.7z

Amadey Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.08.05 15:24 Machine s1_win7_x6402
Filename archive.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
5.0
ZERO API file : clean
VT API (file)
md5 662ee89f76cfb8a8bddc6894b08203a6
sha256 b2ec6531bba21cea054e9806d55db0b27ee65f08c2c3b2367f8369ea2534141b
ssdeep 393216:u0hxZ/dPwn3FQEThI+vHhijRs8WcvpiQQ/WWm6:9ZC3t3v2G3YiQWm6
imphash
impfuzzy
  Network IP location

Signature (12cnts)

Level Description
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (110cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://detectportal.firefox.com/canonical.html
whois
US GOOGLE 34.107.221.82 clean
http://185.225.200.214/api/crazyfish.php
whois
RU Plus Telecom LLC 185.225.200.214 clean
http://185.215.113.24/0d60be0de163924d/sqlite3.dll
whois
Unknown 185.215.113.24 clean
http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
whois
Unknown 185.215.113.24 clean
http://185.215.113.24/0d60be0de163924d/msvcp140.dll
whois
Unknown 185.215.113.24 clean
http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin
whois
RU OOO FREEnet Group 147.45.44.104 clean
http://185.215.113.16/well/random.exe
whois
Unknown 185.215.113.16 41492 mailcious
http://194.58.114.223/d/525403
whois
RU Domain names registrar REG.RU, Ltd 194.58.114.223 clean
http://185.215.113.19/Vi9leo/index.php
whois
Unknown 185.215.113.19 41489 mailcious
http://185.215.113.24/
whois
Unknown 185.215.113.24 41729 mailcious
http://176.111.174.109/socker
whois
Unknown 176.111.174.109 clean
http://147.45.44.104/prog/66af31c75d213_123p.exe
whois
RU OOO FREEnet Group 147.45.44.104 clean
http://185.215.113.24/0d60be0de163924d/softokn3.dll
whois
Unknown 185.215.113.24 clean
http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe
whois
RU OOO FREEnet Group 147.45.44.104 clean
http://147.45.44.104/prog/66af531b832ee_main.exe#space
whois
RU OOO FREEnet Group 147.45.44.104 clean
http://185.215.113.16/steam/random.exe
whois
Unknown 185.215.113.16 malware
http://185.215.113.24/e2b1563c6670f193.php
whois
Unknown 185.215.113.24 clean
http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene
whois
RU OOO FREEnet Group 147.45.44.104 clean
http://detectportal.firefox.com/success.txt?ipv4
whois
US GOOGLE 34.107.221.82 clean
http://185.215.113.24/0d60be0de163924d/nss3.dll
whois
Unknown 185.215.113.24 clean
http://185.225.200.214/api/twofish.php
whois
RU Plus Telecom LLC 185.225.200.214 clean
http://185.215.113.24/0d60be0de163924d/freebl3.dll
whois
Unknown 185.215.113.24 clean
http://185.215.113.16/nemo/herso.exe
whois
Unknown 185.215.113.16 clean
http://185.215.113.24/0d60be0de163924d/mozglue.dll
whois
Unknown 185.215.113.24 clean
http://www.google.com/
whois
US GOOGLE 142.250.76.132 clean
https://stan.pinefootsteps.com/ssl/crt.exe
whois
US CLOUDFLARENET 104.21.32.226 clean
https://steamcommunity.com/profiles/76561199747278259
whois
US Akamai International B.V. 184.26.241.154 clean
https://iplogger.org/1nhuM4.js
whois
US CLOUDFLARENET 172.67.132.113 clean
https://api.myip.com/
whois
US CLOUDFLARENET 104.26.8.59 clean
detectportal.firefox.com
whois
US GOOGLE 34.107.221.82 clean
stan.pinefootsteps.com
whois
US CLOUDFLARENET 104.21.32.226 clean
www.reddit.com
whois
US FASTLY 151.101.1.140 clean
vanaheim.cn
whois
RU RETN Limited 213.226.112.95 mailcious
firefox.settings.services.mozilla.com
whois
Unknown 34.149.100.209 clean
example.org
whois
No EDGECAST 93.184.215.14 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
accounts.google.com
whois
US GOOGLE 64.233.188.84 clean
prod.content-signature-chains.prod.webservices.mozgcp.net
whois
Unknown 34.160.144.191 clean
accounts.youtube.com
whois
US GOOGLE 142.250.206.206 phishing
contile.services.mozilla.com
whois
US GOOGLE 34.117.188.166 clean
www.wikipedia.org
whois
US WIKIMEDIA 103.102.166.224 clean
play.google.com
whois
US GOOGLE 142.250.206.206 clean
steamcommunity.com
whois
US AKAMAI-AS 23.194.74.106 mailcious
prod.balrog.prod.cloudops.mozgcp.net
whois
US GOOGLE 35.244.181.201 clean
iplogger.org
whois
US CLOUDFLARENET 104.21.4.208 mailcious
www.gstatic.com
whois
US GOOGLE 142.250.206.227 clean
twitter.com
whois
US TWITTER 104.244.42.129 clean
star-mini.c10r.facebook.com
whois
US FACEBOOK 157.240.215.35 clean
shavar.services.mozilla.com
whois
US AMAZON-02 35.165.99.161 clean
cdn.discordapp.com
whois
Unknown 162.159.133.233 malware
content-signature-2.cdn.mozilla.net
whois
Unknown 34.160.144.191 clean
tracking-protection.cdn.mozilla.net
whois
US GOOGLE 34.120.158.37 clean
shavar.prod.mozaws.net
whois
US AMAZON-02 44.239.110.200 clean
pool.hashvault.pro
whois
US 1GSERVERS 142.202.242.43 mailcious
youtube-ui.l.google.com
whois
US GOOGLE 172.217.161.206 clean
push.services.mozilla.com
whois
US GOOGLE 34.107.243.93 clean
www.youtube.com
whois
US GOOGLE 172.217.161.206 mailcious
prod.remote-settings.prod.webservices.mozgcp.net
whois
Unknown 34.149.100.209 clean
www3.l.google.com
whois
US GOOGLE 142.250.206.206 clean
ipv4only.arpa
whois
Unknown 192.0.0.170 clean
prod.detectportal.prod.cloudops.mozgcp.net
whois
US GOOGLE 34.107.221.82 clean
fonts.gstatic.com
whois
US GOOGLE 142.250.207.99 clean
dyna.wikimedia.org
whois
US WIKIMEDIA 103.102.166.224 clean
reddit.map.fastly.net
whois
US FASTLY 151.101.1.140 clean
aus5.mozilla.org
whois
US GOOGLE 35.244.181.201 clean
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
www.facebook.com
whois
US FACEBOOK 157.240.215.35 clean
www.google.com
whois
US GOOGLE 142.250.76.132 clean
api.myip.com
whois
US CLOUDFLARENET 104.26.8.59 clean
tracking-protection.prod.mozaws.net
whois
US GOOGLE 34.120.158.37 clean
benimmekansohbet.com
whois
DE Hetzner Online GmbH 178.63.100.241 clean
34.107.243.93
whois
US GOOGLE 34.107.243.93 clean
77.105.164.24
whois
RU Dynamic Network Technologies Ltd 77.105.164.24 clean
142.250.207.99
whois
US GOOGLE 142.250.207.99 clean
44.239.110.200
whois
US AMAZON-02 44.239.110.200 clean
34.107.221.82
whois
US GOOGLE 34.107.221.82 clean
34.160.144.191
whois
Unknown 34.160.144.191 clean
162.159.135.233
whois
Unknown 162.159.135.233 malware
178.63.100.241
whois
DE Hetzner Online GmbH 178.63.100.241 clean
168.119.176.241
whois
DE Hetzner Online GmbH 168.119.176.241 clean
34.120.158.37
whois
US GOOGLE 34.120.158.37 clean
184.26.241.154
whois
US Akamai International B.V. 184.26.241.154 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
185.215.113.24
whois
Unknown 185.215.113.24 mailcious
194.58.114.223
whois
RU Domain names registrar REG.RU, Ltd 194.58.114.223 clean
176.111.174.92
whois
Unknown 176.111.174.92 clean
193.143.1.5
whois
US BitWeb LLC 193.143.1.5 clean
142.250.76.132
whois
US GOOGLE 142.250.76.132 clean
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
213.226.112.95
whois
RU RETN Limited 213.226.112.95 clean
34.149.100.209
whois
Unknown 34.149.100.209 clean
176.113.115.84
whois
RU OOO Network of data-centers Selectel 176.113.115.84 mailcious
176.111.174.109
whois
Unknown 176.111.174.109 malware
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
147.45.44.104
whois
RU OOO FREEnet Group 147.45.44.104 clean
185.225.200.214
whois
RU Plus Telecom LLC 185.225.200.214 clean
176.113.115.135
whois
RU OOO Network of data-centers Selectel 176.113.115.135 mailcious
176.113.115.136
whois
RU OOO Network of data-centers Selectel 176.113.115.136 mailcious
104.21.32.226
whois
US CLOUDFLARENET 104.21.32.226 malware
35.244.181.201
whois
US GOOGLE 35.244.181.201 clean
34.117.188.166
whois
US GOOGLE 34.117.188.166 clean
125.253.92.50
whois
AU FireNet Pty Ltd 125.253.92.50 clean
142.250.206.206
whois
US GOOGLE 142.250.206.206 mailcious
185.215.113.16
whois
Unknown 185.215.113.16 mailcious
185.215.113.19
whois
Unknown 185.215.113.19 malware
45.143.201.238
whois
Unknown 45.143.201.238 mailcious
142.250.206.227
whois
US GOOGLE 142.250.206.227 clean
62.122.184.58
whois
Unknown 62.122.184.58 mailcious
64.233.187.84
whois
US GOOGLE 64.233.187.84 clean
172.67.132.113
whois
US CLOUDFLARENET 172.67.132.113 clean

Suricata ids

ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Executable Download from dotted-quad Host
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET HUNTING Redirect to Discord Attachment Download
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO TLS Handshake Failure
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 6
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET DROP Spamhaus DROP Listed Traffic Inbound group 5

Similarity measure (PE file only) - Checking for service failure