Report - ZZ.exe

Tags: Browser Login Data Stealer, Generic Malware, Malicious Library, Downloader, Malicious Packer, UPX, PE File, PE32, OS Processor Check
Created 2024.09.17 13:33 Machine s1_win7_x6401
Filename ZZ.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 4.4
ZERO API file : malicious
VT API (file) 64 detected (AIDetectMalware, Remcos, Malicious, score, Unsafe, Save, confidence, 100%, Kryptik, Attribute, HighConfidence, Windows, Rescoms, RATX, kqldxd, CLASSIC, Real Protect, Static AI, Malicious PE, Detected, TEVC, R634199, FDQO, BScope, Genetic, PSu4l5XLhE8, susgen)
md5 aa4aca6b0973b169a4242718f04d9c54
sha256 2ff32c90e5a04d6a51e0360368daafe35396561f9687a27306f539ae0f354ade
ssdeep 6144:RTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4crxT4:RTlrYw1RUh3NFn+N5WfIQIjbs/ZmyT4
imphash 1389569a3a39186f3eb453b501cfe688
impfuzzy 96:mKSzrpXI9LHcp+1OMgZiSLAfGLxdlmPKNUz7KgKd3YdPRsPosV:rAY8ZzLLPm/PiZwRsbV

Signature (6cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
danger File has been identified by 64 AntiVirus engines on VirusTotal as malicious
watch Creates a windows hook that monitors keyboard input (keylogger)
notice A process attempted to delay the analysis task.
notice Connects to a Dynamic DNS Domain
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (9cnts)

Level Name Description Collection
danger infoStealer_browser_b_Zero browser info stealer binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch Network_Downloader File Downloader binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts)

Request CC ASN Co IP4 Rule ZERO
sungito2.ddns.net HK Shenzhen Katherine Heng Technology Information Co., Ltd. 154.216.19.222 malicious
154.216.19.222 HK Shenzhen Katherine Heng Technology Information Co., Ltd. 154.216.19.222 malicious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x4590b4 FindNextFileA
 0x4590b8 ExpandEnvironmentStringsA
 0x4590bc GetLongPathNameW
 0x4590c0 CopyFileW
 0x4590c4 GetLocaleInfoA
 0x4590c8 CreateToolhelp32Snapshot
 0x4590cc Process32NextW
 0x4590d0 Process32FirstW
 0x4590d4 VirtualProtect
 0x4590d8 SetLastError
 0x4590dc VirtualFree
 0x4590e0 VirtualAlloc
 0x4590e4 GetNativeSystemInfo
 0x4590e8 HeapAlloc
 0x4590ec GetProcessHeap
 0x4590f0 FreeLibrary
 0x4590f4 IsBadReadPtr
 0x4590f8 GetTempPathW
 0x4590fc OpenProcess
 0x459100 OpenMutexA
 0x459104 lstrcatW
 0x459108 GetCurrentProcessId
 0x45910c GetTempFileNameW
 0x459110 UnmapViewOfFile
 0x459114 DuplicateHandle
 0x459118 CreateFileMappingW
 0x45911c MapViewOfFile
 0x459120 GetSystemDirectoryA
 0x459124 GlobalAlloc
 0x459128 GlobalLock
 0x45912c GetTickCount
 0x459130 GlobalUnlock
 0x459134 WriteProcessMemory
 0x459138 ResumeThread
 0x45913c GetThreadContext
 0x459140 ReadProcessMemory
 0x459144 CreateProcessW
 0x459148 SetThreadContext
 0x45914c LocalAlloc
 0x459150 GlobalFree
 0x459154 MulDiv
 0x459158 SizeofResource
 0x45915c QueryDosDeviceW
 0x459160 FindFirstVolumeW
 0x459164 GetConsoleScreenBufferInfo
 0x459168 SetConsoleTextAttribute
 0x45916c lstrlenW
 0x459170 GetStdHandle
 0x459174 SetFilePointer
 0x459178 FindResourceA
 0x45917c LockResource
 0x459180 LoadResource
 0x459184 LocalFree
 0x459188 FindVolumeClose
 0x45918c GetVolumePathNamesForVolumeNameW
 0x459190 lstrcpyW
 0x459194 FindFirstFileA
 0x459198 FormatMessageA
 0x45919c FindNextVolumeW
 0x4591a0 AllocConsole
 0x4591a4 lstrcmpW
 0x4591a8 GetModuleFileNameA
 0x4591ac lstrcpynA
 0x4591b0 QueryPerformanceFrequency
 0x4591b4 QueryPerformanceCounter
 0x4591b8 EnterCriticalSection
 0x4591bc LeaveCriticalSection
 0x4591c0 InitializeCriticalSection
 0x4591c4 DeleteCriticalSection
 0x4591c8 HeapSize
 0x4591cc WriteConsoleW
 0x4591d0 SetStdHandle
 0x4591d4 SetEnvironmentVariableW
 0x4591d8 SetEnvironmentVariableA
 0x4591dc FreeEnvironmentStringsW
 0x4591e0 GetEnvironmentStringsW
 0x4591e4 GetCommandLineW
 0x4591e8 GetCommandLineA
 0x4591ec GetOEMCP
 0x4591f0 IsValidCodePage
 0x4591f4 FindFirstFileExA
 0x4591f8 ReadConsoleW
 0x4591fc GetConsoleMode
 0x459200 GetConsoleCP
 0x459204 FlushFileBuffers
 0x459208 GetFileType
 0x45920c GetTimeZoneInformation
 0x459210 EnumSystemLocalesW
 0x459214 GetUserDefaultLCID
 0x459218 IsValidLocale
 0x45921c GetTimeFormatW
 0x459220 GetDateFormatW
 0x459224 HeapReAlloc
 0x459228 GetACP
 0x45922c GetModuleHandleExW
 0x459230 MoveFileExW
 0x459234 RtlUnwind
 0x459238 RaiseException
 0x45923c LoadLibraryExW
 0x459240 GetCPInfo
 0x459244 GetStringTypeW
 0x459248 GetLocaleInfoW
 0x45924c LCMapStringW
 0x459250 CompareStringW
 0x459254 TlsFree
 0x459258 TlsSetValue
 0x45925c TlsGetValue
 0x459260 TlsAlloc
 0x459264 GetFileSize
 0x459268 TerminateThread
 0x45926c GetLastError
 0x459270 CreateDirectoryW
 0x459274 GetModuleHandleA
 0x459278 RemoveDirectoryW
 0x45927c MoveFileW
 0x459280 SetFilePointerEx
 0x459284 GetLogicalDriveStringsA
 0x459288 DeleteFileW
 0x45928c DeleteFileA
 0x459290 SetFileAttributesW
 0x459294 GetFileAttributesW
 0x459298 FindClose
 0x45929c lstrlenA
 0x4592a0 GetDriveTypeA
 0x4592a4 FindNextFileW
 0x4592a8 GetFileSizeEx
 0x4592ac FindFirstFileW
 0x4592b0 GetModuleHandleW
 0x4592b4 ExitProcess
 0x4592b8 CreateMutexA
 0x4592bc GetCurrentProcess
 0x4592c0 GetProcAddress
 0x4592c4 LoadLibraryA
 0x4592c8 CreateProcessA
 0x4592cc PeekNamedPipe
 0x4592d0 CreatePipe
 0x4592d4 TerminateProcess
 0x4592d8 ReadFile
 0x4592dc HeapFree
 0x4592e0 HeapCreate
 0x4592e4 CreateEventA
 0x4592e8 GetLocalTime
 0x4592ec CreateThread
 0x4592f0 SetEvent
 0x4592f4 CreateEventW
 0x4592f8 WaitForSingleObject
 0x4592fc Sleep
 0x459300 GetModuleFileNameW
 0x459304 CloseHandle
 0x459308 ExitThread
 0x45930c CreateFileW
 0x459310 WriteFile
 0x459314 SetConsoleOutputCP
 0x459318 InitializeCriticalSectionAndSpinCount
 0x45931c MultiByteToWideChar
 0x459320 DecodePointer
 0x459324 EncodePointer
 0x459328 WideCharToMultiByte
 0x45932c InitializeSListHead
 0x459330 GetSystemTimeAsFileTime
 0x459334 GetCurrentThreadId
 0x459338 IsProcessorFeaturePresent
 0x45933c GetStartupInfoW
 0x459340 SetUnhandledExceptionFilter
 0x459344 UnhandledExceptionFilter
 0x459348 IsDebuggerPresent
 0x45934c WaitForSingleObjectEx
 0x459350 ResetEvent
 0x459354 SetEndOfFile
USER32.dll
 0x459380 GetMessageA
 0x459384 GetWindowTextW
 0x459388 wsprintfW
 0x45938c GetClipboardData
 0x459390 UnhookWindowsHookEx
 0x459394 GetForegroundWindow
 0x459398 ToUnicodeEx
 0x45939c GetKeyboardLayout
 0x4593a0 SetWindowsHookExA
 0x4593a4 CloseClipboard
 0x4593a8 OpenClipboard
 0x4593ac GetKeyboardState
 0x4593b0 CallNextHookEx
 0x4593b4 GetKeyboardLayoutNameA
 0x4593b8 GetKeyState
 0x4593bc GetWindowTextLengthW
 0x4593c0 DispatchMessageA
 0x4593c4 SetForegroundWindow
 0x4593c8 SetClipboardData
 0x4593cc EnumWindows
 0x4593d0 ExitWindowsEx
 0x4593d4 EmptyClipboard
 0x4593d8 ShowWindow
 0x4593dc SetWindowTextW
 0x4593e0 MessageBoxW
 0x4593e4 IsWindowVisible
 0x4593e8 CloseWindow
 0x4593ec SendInput
 0x4593f0 EnumDisplaySettingsW
 0x4593f4 mouse_event
 0x4593f8 CreatePopupMenu
 0x4593fc TranslateMessage
 0x459400 TrackPopupMenu
 0x459404 DefWindowProcA
 0x459408 CreateWindowExA
 0x45940c AppendMenuA
 0x459410 GetSystemMetrics
 0x459414 RegisterClassExA
 0x459418 GetCursorPos
 0x45941c SystemParametersInfoW
 0x459420 GetWindowThreadProcessId
 0x459424 MapVirtualKeyA
 0x459428 DrawIcon
 0x45942c GetIconInfo
GDI32.dll
 0x459088 BitBlt
 0x45908c CreateCompatibleBitmap
 0x459090 SelectObject
 0x459094 CreateCompatibleDC
 0x459098 StretchBlt
 0x45909c GetDIBits
 0x4590a0 DeleteObject
 0x4590a4 CreateDCA
 0x4590a8 GetObjectA
 0x4590ac DeleteDC
ADVAPI32.dll
 0x459000 CryptAcquireContextA
 0x459004 CryptGenRandom
 0x459008 CryptReleaseContext
 0x45900c GetUserNameW
 0x459010 RegEnumKeyExA
 0x459014 QueryServiceStatus
 0x459018 CloseServiceHandle
 0x45901c OpenSCManagerW
 0x459020 OpenSCManagerA
 0x459024 ControlService
 0x459028 StartServiceW
 0x45902c QueryServiceConfigW
 0x459030 ChangeServiceConfigW
 0x459034 OpenServiceW
 0x459038 EnumServicesStatusW
 0x45903c AdjustTokenPrivileges
 0x459040 LookupPrivilegeValueA
 0x459044 OpenProcessToken
 0x459048 RegCreateKeyA
 0x45904c RegCloseKey
 0x459050 RegQueryInfoKeyW
 0x459054 RegQueryValueExA
 0x459058 RegCreateKeyExW
 0x45905c RegEnumKeyExW
 0x459060 RegSetValueExW
 0x459064 RegSetValueExA
 0x459068 RegOpenKeyExA
 0x45906c RegOpenKeyExW
 0x459070 RegCreateKeyW
 0x459074 RegDeleteValueW
 0x459078 RegEnumValueW
 0x45907c RegQueryValueExW
 0x459080 RegDeleteKeyA
SHELL32.dll
 0x45935c ShellExecuteExA
 0x459360 Shell_NotifyIconA
 0x459364 ExtractIconA
 0x459368 ShellExecuteW
ole32.dll
 0x4594e4 CoInitializeEx
 0x4594e8 CoUninitialize
 0x4594ec CoGetObject
SHLWAPI.dll
 0x459370 PathFileExistsW
 0x459374 PathFileExistsA
 0x459378 StrToIntA
WINMM.dll
 0x459448 waveInOpen
 0x45944c waveInStart
 0x459450 waveInAddBuffer
 0x459454 PlaySoundW
 0x459458 mciSendStringA
 0x45945c mciSendStringW
 0x459460 waveInClose
 0x459464 waveInStop
 0x459468 waveInPrepareHeader
 0x45946c waveInUnprepareHeader
WS2_32.dll
 0x459474 gethostbyname
 0x459478 send
 0x45947c WSAStartup
 0x459480 closesocket
 0x459484 inet_ntoa
 0x459488 htons
 0x45948c htonl
 0x459490 getservbyname
 0x459494 ntohs
 0x459498 getservbyport
 0x45949c gethostbyaddr
 0x4594a0 inet_addr
 0x4594a4 WSASetLastError
 0x4594a8 WSAGetLastError
 0x4594ac recv
 0x4594b0 connect
 0x4594b4 socket
urlmon.dll
 0x4594f4 URLOpenBlockingStreamW
 0x4594f8 URLDownloadToFileW
gdiplus.dll
 0x4594bc GdipSaveImageToStream
 0x4594c0 GdipGetImageEncodersSize
 0x4594c4 GdipFree
 0x4594c8 GdipDisposeImage
 0x4594cc GdipAlloc
 0x4594d0 GdipCloneImage
 0x4594d4 GdipGetImageEncoders
 0x4594d8 GdiplusStartup
 0x4594dc GdipLoadImageFromStream
WININET.dll
 0x459434 InternetOpenUrlW
 0x459438 InternetOpenW
 0x45943c InternetCloseHandle
 0x459440 InternetReadFile

EAT(Export Address Table) is none
