Report - num.exe

Stealc Generic Malware Malicious Library Antivirus UPX PE File PE32 OS Processor Check
Created 2024.09.30 17:16 Machine s1_win7_x6401
Filename num.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 7.2
ZERO API file : clean
VT API (file) 41 detected (AIDetectMalware, Malicious, score, TrojanAitInject, Tedy, Unsafe, Save, confidence, Attribute, HighConfidence, Windows, Threat, Stealc, PWSX, Stealerc, ccmw, DQwxTsXk3kJ, Real Protect, high, Detected, 1Y8LYHX, BScope, PasswordStealer, GdSda, Meterpreter, susgen, Themida)
md5 791fcee57312d4a20cc86ae1cea8dfc4
sha256 27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d
ssdeep 6144:BMi8gYtUokCulxMfpbSGePV0l0F1nE7w+Uw3NKR9hU/W9:2tUoH3IGgVRF14wx8KRF9
imphash 8e9e6de8c6aa184371108e1074479bb3
impfuzzy 24:j/8yfb8J93qsQCTY3BjlzGbtUqlSfMyDkfjY/J3IS:j/8ob8r3qVCTY3LGbt38fMzK1

Signature (16cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process num.exe
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (7cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (10cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll Unknown 185.215.113.37 clean
http://185.215.113.37/0d60be0de163924d/msvcp140.dll Unknown 185.215.113.37 clean
http://185.215.113.37/0d60be0de163924d/nss3.dll Unknown 185.215.113.37 clean
http://185.215.113.37/ Unknown 185.215.113.37 42691 malicious
http://185.215.113.37/0d60be0de163924d/softokn3.dll Unknown 185.215.113.37 clean
http://185.215.113.37/0d60be0de163924d/mozglue.dll Unknown 185.215.113.37 clean
http://185.215.113.37/0d60be0de163924d/freebl3.dll Unknown 185.215.113.37 clean
http://185.215.113.37/e2b1563c6670f193.php Unknown 185.215.113.37 clean
http://185.215.113.37/0d60be0de163924d/sqlite3.dll Unknown 185.215.113.37 clean
185.215.113.37 Unknown 185.215.113.37 malicious

Suricata ids

PE API

IAT(Import Address Table) Library

msvcrt.dll
 0x41e0b8 strncpy
 0x41e0bc ??_V@YAXPAX@Z
 0x41e0c0 memchr
 0x41e0c4 ??_U@YAPAXI@Z
 0x41e0c8 strtok
 0x41e0cc atexit
 0x41e0d0 strtok_s
 0x41e0d4 strcpy_s
 0x41e0d8 vsprintf_s
 0x41e0dc memmove
 0x41e0e0 strlen
 0x41e0e4 malloc
 0x41e0e8 free
 0x41e0ec memcmp
 0x41e0f0 ??2@YAPAXI@Z
 0x41e0f4 memset
 0x41e0f8 memcpy
 0x41e0fc __CxxFrameHandler3
KERNEL32.dll
 0x41e000 GetCurrentProcess
 0x41e004 RaiseException
 0x41e008 GetStringTypeW
 0x41e00c MultiByteToWideChar
 0x41e010 LCMapStringW
 0x41e014 IsValidCodePage
 0x41e018 GetOEMCP
 0x41e01c lstrlenA
 0x41e020 HeapAlloc
 0x41e024 GetProcessHeap
 0x41e028 VirtualProtect
 0x41e02c WaitForSingleObject
 0x41e030 CreateProcessA
 0x41e034 lstrcatA
 0x41e038 VirtualQueryEx
 0x41e03c OpenProcess
 0x41e040 ReadProcessMemory
 0x41e044 WriteFile
 0x41e048 GetACP
 0x41e04c GetCPInfo
 0x41e050 UnhandledExceptionFilter
 0x41e054 SetUnhandledExceptionFilter
 0x41e058 IsDebuggerPresent
 0x41e05c EncodePointer
 0x41e060 DecodePointer
 0x41e064 TerminateProcess
 0x41e068 InitializeCriticalSectionAndSpinCount
 0x41e06c LeaveCriticalSection
 0x41e070 EnterCriticalSection
 0x41e074 RtlUnwind
 0x41e078 GetProcAddress
 0x41e07c GetModuleHandleW
 0x41e080 ExitProcess
 0x41e084 Sleep
 0x41e088 GetStdHandle
 0x41e08c GetModuleFileNameW
 0x41e090 GetLastError
 0x41e094 LoadLibraryW
 0x41e098 TlsGetValue
 0x41e09c TlsSetValue
 0x41e0a0 InterlockedIncrement
 0x41e0a4 SetLastError
 0x41e0a8 GetCurrentThreadId
 0x41e0ac InterlockedDecrement
 0x41e0b0 WideCharToMultiByte

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure