popup

Report - 1.exe

Client SW User Data Stealer LokiBot Emotet ftp Client info stealer Malicious Library Malicious Packer UPX Socket Http API ScreenShot PWS HTTP DNS Internet API AntiDebug AntiVM PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.02.21 16:20 Machine s1_win7_x6403
Filename 1.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
2
 Behavior Score
8.8
ZERO API file : mailcious
VT API (file) 46 detected (AIDetectMalware, Vidar, Malicious, score, trojanpws, Artemis, Unsafe, confidence, 100%, Genus, moderate confidence, a variant of WinGo, TrojanPSW, kvqhkk, CLOUD, YXFBRZ, Generic Reputation PUA, Detected, Malware@#25498mr2uj93o, Wacatac, DCX2AY, ABTrojan, XOQH, Rozena, QQPass, QQRob, Anhl, susgen, PossibleThreat)
md5 efc2de49c53a388807ef989c2f6efa46
sha256 1fed343aeac08b762cc565480913c8d0abfde1f3b18c79dc9e0a5133da903c46
ssdeep 24576:dRrnyyHUF9Du6bbPJJ2sm5ChFzK8Pka0HEI1od8RbEYdmJl57BWBBkok4+i/Hjzw:dJvHku6iT5kK84Y8R7duWxk4+wHjzUBX
imphash 167344a4df394fbba605fc972e41437a
impfuzzy 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztir6UP:KwO+VAXOmG8nP
  Network IP location

Signature (16cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
watch Network activity contains more than one unique useragent
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Yara rule detected in process memory
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (25cnts)

Level Name Description Collection
danger Client_SW_User_Data_Stealer Client_SW_User_Data_Stealer memory
danger Win32_PWS_Loki_m_Zero Win32 PWS Loki memory
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
warning infoStealer_ftpClients_Zero ftp clients info stealer memory
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Network_DNS Communications use DNS memory
notice Network_HTTP Communications over HTTP memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (6cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://steamcommunity.com/profiles/76561199828130190
whois
US AKAMAI-AS 23.49.154.73 clean
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
steamcommunity.com
whois
US AKAMAI-AS 23.49.154.73 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
23.49.154.73
whois
US AKAMAI-AS 23.49.154.73 mailcious
95.217.24.123
whois
FI Hetzner Online GmbH 95.217.24.123 clean

Suricata ids

ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x566020 WriteFile
 0x566024 WriteConsoleW
 0x566028 WaitForMultipleObjects
 0x56602c WaitForSingleObject
 0x566030 VirtualQuery
 0x566034 VirtualFree
 0x566038 VirtualAlloc
 0x56603c SwitchToThread
 0x566040 SuspendThread
 0x566044 SetWaitableTimer
 0x566048 SetUnhandledExceptionFilter
 0x56604c SetProcessPriorityBoost
 0x566050 SetEvent
 0x566054 SetErrorMode
 0x566058 SetConsoleCtrlHandler
 0x56605c ResumeThread
 0x566060 PostQueuedCompletionStatus
 0x566064 LoadLibraryA
 0x566068 LoadLibraryW
 0x56606c SetThreadContext
 0x566070 GetThreadContext
 0x566074 GetSystemInfo
 0x566078 GetSystemDirectoryA
 0x56607c GetStdHandle
 0x566080 GetQueuedCompletionStatusEx
 0x566084 GetProcessAffinityMask
 0x566088 GetProcAddress
 0x56608c GetEnvironmentStringsW
 0x566090 GetConsoleMode
 0x566094 FreeEnvironmentStringsW
 0x566098 ExitProcess
 0x56609c DuplicateHandle
 0x5660a0 CreateThread
 0x5660a4 CreateIoCompletionPort
 0x5660a8 CreateEventA
 0x5660ac CloseHandle
 0x5660b0 AddVectoredExceptionHandler

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure