popup

Report - 66d5df681876c_file010924.exe#file

Suspicious_Script_Bin Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.09.04 10:22 Machine s1_win7_x6403
Filename 66d5df681876c_file010924.exe#file
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
9.4
ZERO API file : malware
VT API (file) 58 detected (AIDetectMalware, Chapak, malicious, high confidence, score, Lockbit, Zusy, Unsafe, Save, Genus, GenKryptik, HBDP, Artemis, PWSX, Obscure, CLASSIC, Kryptik, qmzpl, Siggen29, STOP, YXEIBZ, Real Protect, high, Krypt, Static AI, Malicious PE, Tepfer, Detected, ai score=87, GCleaner, 1CBIMJW, Eldorado, Hpgen, R662980, Glupteba, GdSda, Obfuscated, susgen, HBDB, confidence, 100%)
md5 7972b08246e568495d9d116fc2d0b159
sha256 2a6c90c8db27e6ac04c7e339dfe4b3c2d47a292bcf6fc1c5b4e0ae62fc81ff84
ssdeep 24576:60oeRhL4Zihw/WaRupypku1ADMH0h0kT:60J482RuRuQMm
imphash 00e87a3230db3a6bdb4035240d620685
impfuzzy 48:FOYFIEdX87FAStv1YnZJtIecf10SmCQSty2Ya:0+I0X8h5ttYZJtIecf+SFOa
  Network IP location

Signature (18cnts)

Level Description
danger File has been identified by 58 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Installs itself for autorun at Windows startup
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses suspicious command line tools or Windows utilities
notice Allocates read-write-execute memory (usually to unpack itself)
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (22cnts)

Level Name Description Collection
warning Suspicious_Obfuscation_Script_2 Suspicious obfuscation script (e.g. executable files) binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (6cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://cajgtus.com/test1/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
whois
CO Telmex Colombia S.A. 186.145.236.93 41982 mailcious
https://api.2ip.ua/geo.json
whois
US CLOUDFLARENET 172.67.139.220 clean
cajgtus.com
whois
CO Telmex Colombia S.A. 186.145.236.93 malware
api.2ip.ua
whois
US CLOUDFLARENET 172.67.139.220 clean
172.67.139.220
whois
US CLOUDFLARENET 172.67.139.220 clean
186.233.231.45
whois
BR Solucao Network Provedor Ltda 186.233.231.45 clean

Suricata ids

ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x401014 CreateJobObjectW
 0x401018 InterlockedCompareExchange
 0x40101c UnlockFile
 0x401020 CreateHardLinkA
 0x401024 GetTickCount
 0x401028 GetNumberFormatA
 0x40102c GetConsoleAliasExesW
 0x401030 SetCommState
 0x401034 GlobalAlloc
 0x401038 LoadLibraryW
 0x40103c LocalShrink
 0x401040 GetCalendarInfoA
 0x401044 SetVolumeMountPointA
 0x401048 GetSystemWindowsDirectoryA
 0x40104c GetConsoleAliasExesLengthW
 0x401050 SetConsoleCP
 0x401054 GetFileAttributesA
 0x401058 GetModuleFileNameW
 0x40105c CreateActCtxA
 0x401060 GetThreadPriorityBoost
 0x401064 VerifyVersionInfoW
 0x401068 GetLogicalDriveStringsA
 0x40106c GetCurrentDirectoryW
 0x401070 SetLastError
 0x401074 GetProcAddress
 0x401078 CreateNamedPipeA
 0x40107c GetConsoleDisplayMode
 0x401080 GetProcessVersion
 0x401084 SetEnvironmentVariableW
 0x401088 InterlockedExchangeAdd
 0x40108c CreateFileMappingW
 0x401090 GetNumberFormatW
 0x401094 CreateEventW
 0x401098 OpenEventA
 0x40109c QueryDosDeviceW
 0x4010a0 GlobalWire
 0x4010a4 EnumDateFormatsA
 0x4010a8 EnumResourceNamesA
 0x4010ac VirtualProtect
 0x4010b0 WaitForDebugEvent
 0x4010b4 PeekConsoleInputA
 0x4010b8 GetShortPathNameW
 0x4010bc SetProcessShutdownParameters
 0x4010c0 SetFileShortNameA
 0x4010c4 GetDiskFreeSpaceExA
 0x4010c8 ReadConsoleInputW
 0x4010cc GetTempPathA
 0x4010d0 EnumCalendarInfoExA
 0x4010d4 LCMapStringW
 0x4010d8 CommConfigDialogW
 0x4010dc HeapReAlloc
 0x4010e0 RtlUnwind
 0x4010e4 HeapSize
 0x4010e8 RaiseException
 0x4010ec SetDefaultCommConfigW
 0x4010f0 GetCurrentProcess
 0x4010f4 SetEndOfFile
 0x4010f8 LoadLibraryA
 0x4010fc GetLocaleInfoA
 0x401100 MultiByteToWideChar
 0x401104 GetLastError
 0x401108 HeapFree
 0x40110c HeapAlloc
 0x401110 GetModuleHandleW
 0x401114 ExitProcess
 0x401118 DecodePointer
 0x40111c GetCommandLineW
 0x401120 HeapSetInformation
 0x401124 GetStartupInfoW
 0x401128 GetCPInfo
 0x40112c InterlockedIncrement
 0x401130 InterlockedDecrement
 0x401134 GetACP
 0x401138 GetOEMCP
 0x40113c IsValidCodePage
 0x401140 EncodePointer
 0x401144 TlsAlloc
 0x401148 TlsGetValue
 0x40114c TlsSetValue
 0x401150 TlsFree
 0x401154 GetCurrentThreadId
 0x401158 UnhandledExceptionFilter
 0x40115c SetUnhandledExceptionFilter
 0x401160 IsDebuggerPresent
 0x401164 TerminateProcess
 0x401168 IsProcessorFeaturePresent
 0x40116c HeapCreate
 0x401170 WriteFile
 0x401174 GetStdHandle
 0x401178 InitializeCriticalSectionAndSpinCount
 0x40117c DeleteCriticalSection
 0x401180 LeaveCriticalSection
 0x401184 EnterCriticalSection
 0x401188 FreeEnvironmentStringsW
 0x40118c GetEnvironmentStringsW
 0x401190 SetHandleCount
 0x401194 GetFileType
 0x401198 QueryPerformanceCounter
 0x40119c GetCurrentProcessId
 0x4011a0 GetSystemTimeAsFileTime
 0x4011a4 WideCharToMultiByte
 0x4011a8 GetStringTypeW
 0x4011ac Sleep
USER32.dll
 0x4011b4 LoadMenuW
 0x4011b8 CharUpperW
 0x4011bc GetSysColor
 0x4011c0 GetMenuStringA
 0x4011c4 GetCaretPos
 0x4011c8 DrawStateA
GDI32.dll
 0x401000 GetCharWidthFloatA
 0x401004 CreateDCW
 0x401008 GetCharWidth32A
 0x40100c GetBitmapBits

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure