Report - random.exe

Gen1 Emotet Generic Malware Themida Malicious Packer Malicious Library UPX Antivirus AntiDebug AntiVM PE File PE32 OS Processor Check PowerShell PE64 CAB
Created 2025.05.03 16:42 Machine s1_win7_x6403
Filename random.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 14.2
ZERO API (file): clean
VT API (file) 59 detected (Amadey, Malicious, score, Doina, Unsafe, Save, confidence, 100%, Delf, Genus, Attribute, HighConfidence, high confidence, MalwareX, Convagent, Deyma, kwwbbz, CLASSIC, Redcap, chcml, MulDrop31, YXFEAZ, Real Protect, moderate, Static AI, Malicious PE, Detected, Egairtigado, Eldorado, R679980, Artemis, BScope, Genetic, PE04C9Z, Gencirc, AA9bprBr9Pc, susgen)
md5 26cc5a6cfd8e8ecc433337413c14cddb
sha256 e29a3db17025e34336b10d36e5dd59ff5d1ac07ada8df0cddba0d3f3db689f65
ssdeep 6144:3iUuGdolfFd313lcnGpPpnbJoHtbspmZfkCw3uWgGUS/T+WiU+9GTA/nw4AO2Y0k:3iUuGdolfFd1lGkpbCVkCweWgB7v9j
imphash 1e7280afbf80c2800b272220ce0718da
impfuzzy 96:8X+W8GjAlh55WJcpH+r26ptWrDZDGRgFBh1:8JaBWwZVh1

Signature (32cnts)

Level Description
danger File has been identified by 59 AntiVirus engines on VirusTotal as malicious
watch Attempts to identify installed AV products by installation directory
watch Checks for the presence of known devices from debuggers and forensic tools
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the version of Bios
watch Communicates with host for which no DNS query was performed
watch Detects VMWare through the in instruction feature
watch Installs itself for autorun at Windows startup
watch Manipulates memory of a non-child process indicative of process injection
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process attempted to delay the analysis task
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process ramez.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (29cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
warning themida_packer themida packer binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info CAB_file_format CAB archive file binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PowerShell PowerShell script scripts
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (37cnts)


Suricata ids

PE API

IAT (Import Address Table) by library

KERNEL32.dll
 0x44f05c CreateFileA
 0x44f060 Process32FirstW
 0x44f064 CloseHandle
 0x44f068 GetSystemInfo
 0x44f06c CreateThread
 0x44f070 GetThreadContext
 0x44f074 GetProcAddress
 0x44f078 VirtualAllocEx
 0x44f07c CreateToolhelp32Snapshot
 0x44f080 Process32NextW
 0x44f084 CreateProcessA
 0x44f088 CreateDirectoryA
 0x44f08c SetThreadContext
 0x44f090 SetEndOfFile
 0x44f094 HeapSize
 0x44f098 GetProcessHeap
 0x44f09c SetEnvironmentVariableW
 0x44f0a0 Sleep
 0x44f0a4 GetFileAttributesA
 0x44f0a8 GetLastError
 0x44f0ac Wow64RevertWow64FsRedirection
 0x44f0b0 GetTempPathA
 0x44f0b4 ReadProcessMemory
 0x44f0b8 SetCurrentDirectoryA
 0x44f0bc OpenProcess
 0x44f0c0 GetModuleHandleA
 0x44f0c4 ResumeThread
 0x44f0c8 GetComputerNameExW
 0x44f0cc GetVersionExW
 0x44f0d0 WaitForSingleObject
 0x44f0d4 CreateMutexA
 0x44f0d8 PeekNamedPipe
 0x44f0dc CreatePipe
 0x44f0e0 VirtualAlloc
 0x44f0e4 Wow64DisableWow64FsRedirection
 0x44f0e8 WriteFile
 0x44f0ec VirtualFree
 0x44f0f0 SetHandleInformation
 0x44f0f4 WriteProcessMemory
 0x44f0f8 GetModuleFileNameA
 0x44f0fc RemoveDirectoryA
 0x44f100 ReadFile
 0x44f104 FreeEnvironmentStringsW
 0x44f108 GetEnvironmentStringsW
 0x44f10c GetOEMCP
 0x44f110 GetACP
 0x44f114 IsValidCodePage
 0x44f118 FindNextFileW
 0x44f11c FindFirstFileExW
 0x44f120 FindClose
 0x44f124 GetTimeZoneInformation
 0x44f128 HeapReAlloc
 0x44f12c ReadConsoleW
 0x44f130 SetStdHandle
 0x44f134 GetFullPathNameW
 0x44f138 GetCurrentDirectoryW
 0x44f13c DeleteFileW
 0x44f140 EnumSystemLocalesW
 0x44f144 GetUserDefaultLCID
 0x44f148 IsValidLocale
 0x44f14c GetLocaleInfoW
 0x44f150 LCMapStringW
 0x44f154 CompareStringW
 0x44f158 HeapAlloc
 0x44f15c HeapFree
 0x44f160 GetConsoleMode
 0x44f164 GetConsoleOutputCP
 0x44f168 FlushFileBuffers
 0x44f16c SetFilePointerEx
 0x44f170 GetFileSizeEx
 0x44f174 GetCommandLineW
 0x44f178 GetCommandLineA
 0x44f17c GetStdHandle
 0x44f180 GetModuleFileNameW
 0x44f184 FileTimeToSystemTime
 0x44f188 SystemTimeToTzSpecificLocalTime
 0x44f18c GetFileType
 0x44f190 GetFileInformationByHandle
 0x44f194 GetDriveTypeW
 0x44f198 RaiseException
 0x44f19c GetCurrentThreadId
 0x44f1a0 IsProcessorFeaturePresent
 0x44f1a4 FreeLibraryWhenCallbackReturns
 0x44f1a8 CreateThreadpoolWork
 0x44f1ac SubmitThreadpoolWork
 0x44f1b0 CloseThreadpoolWork
 0x44f1b4 GetModuleHandleExW
 0x44f1b8 InitializeConditionVariable
 0x44f1bc WakeConditionVariable
 0x44f1c0 WakeAllConditionVariable
 0x44f1c4 SleepConditionVariableCS
 0x44f1c8 SleepConditionVariableSRW
 0x44f1cc InitOnceComplete
 0x44f1d0 InitOnceBeginInitialize
 0x44f1d4 InitializeSRWLock
 0x44f1d8 ReleaseSRWLockExclusive
 0x44f1dc AcquireSRWLockExclusive
 0x44f1e0 EnterCriticalSection
 0x44f1e4 LeaveCriticalSection
 0x44f1e8 InitializeCriticalSectionEx
 0x44f1ec TryEnterCriticalSection
 0x44f1f0 DeleteCriticalSection
 0x44f1f4 WaitForSingleObjectEx
 0x44f1f8 QueryPerformanceCounter
 0x44f1fc GetSystemTimeAsFileTime
 0x44f200 GetModuleHandleW
 0x44f204 EncodePointer
 0x44f208 DecodePointer
 0x44f20c MultiByteToWideChar
 0x44f210 WideCharToMultiByte
 0x44f214 LCMapStringEx
 0x44f218 GetStringTypeW
 0x44f21c GetCPInfo
 0x44f220 InitializeCriticalSectionAndSpinCount
 0x44f224 SetEvent
 0x44f228 ResetEvent
 0x44f22c CreateEventW
 0x44f230 UnhandledExceptionFilter
 0x44f234 SetUnhandledExceptionFilter
 0x44f238 GetCurrentProcess
 0x44f23c TerminateProcess
 0x44f240 IsDebuggerPresent
 0x44f244 GetStartupInfoW
 0x44f248 GetCurrentProcessId
 0x44f24c InitializeSListHead
 0x44f250 RtlUnwind
 0x44f254 SetLastError
 0x44f258 TlsAlloc
 0x44f25c TlsGetValue
 0x44f260 TlsSetValue
 0x44f264 TlsFree
 0x44f268 FreeLibrary
 0x44f26c LoadLibraryExW
 0x44f270 ExitProcess
 0x44f274 CreateFileW
 0x44f278 WriteConsoleW
USER32.dll
 0x44f290 GetSystemMetrics
 0x44f294 ReleaseDC
 0x44f298 GetDC
GDI32.dll
 0x44f044 BitBlt
 0x44f048 CreateCompatibleBitmap
 0x44f04c SelectObject
 0x44f050 CreateCompatibleDC
 0x44f054 DeleteObject
ADVAPI32.dll
 0x44f000 RevertToSelf
 0x44f004 RegCloseKey
 0x44f008 RegQueryInfoKeyW
 0x44f00c RegGetValueA
 0x44f010 RegQueryValueExA
 0x44f014 GetSidSubAuthorityCount
 0x44f018 GetSidSubAuthority
 0x44f01c GetUserNameA
 0x44f020 LookupAccountNameA
 0x44f024 ImpersonateLoggedOnUser
 0x44f028 RegSetValueExA
 0x44f02c OpenProcessToken
 0x44f030 RegOpenKeyExA
 0x44f034 RegEnumValueA
 0x44f038 DuplicateTokenEx
 0x44f03c GetSidIdentifierAuthority
SHELL32.dll
 0x44f280 SHGetFolderPathA
 0x44f284 ShellExecuteA
 0x44f288 SHFileOperationA
ole32.dll
 0x44f320 CoUninitialize
 0x44f324 CoCreateInstance
 0x44f328 CoInitialize
WININET.dll
 0x44f2a0 HttpOpenRequestA
 0x44f2a4 InternetWriteFile
 0x44f2a8 InternetOpenUrlA
 0x44f2ac InternetOpenW
 0x44f2b0 HttpEndRequestW
 0x44f2b4 HttpAddRequestHeadersA
 0x44f2b8 HttpSendRequestExA
 0x44f2bc InternetOpenA
 0x44f2c0 InternetCloseHandle
 0x44f2c4 HttpSendRequestA
 0x44f2c8 InternetConnectA
 0x44f2cc InternetReadFile
gdiplus.dll
 0x44f300 GdiplusStartup
 0x44f304 GdipSaveImageToFile
 0x44f308 GdipGetImageEncodersSize
 0x44f30c GdiplusShutdown
 0x44f310 GdipGetImageEncoders
 0x44f314 GdipCreateBitmapFromHBITMAP
 0x44f318 GdipDisposeImage
WS2_32.dll
 0x44f2d4 closesocket
 0x44f2d8 inet_pton
 0x44f2dc getaddrinfo
 0x44f2e0 WSAStartup
 0x44f2e4 send
 0x44f2e8 socket
 0x44f2ec connect
 0x44f2f0 recv
 0x44f2f4 htons
 0x44f2f8 freeaddrinfo

EAT (Export Address Table): none