popup

Report - newtpp.exe

Generic Malware Admin Tool (Sysinternals etc ...) Malicious Packer Downloader Malicious Library UPX PE File PE32 PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.05.06 21:33 Machine s1_win7_x6401
Filename newtpp.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
11
 Behavior Score
11.0
ZERO API file : malware
VT API (file) 53 detected (AIDetectMalware, CoinMiner, Malicious, score, Phorpiex, Unsafe, Mint, Zard, Save, confidence, 100%, Attribute, HighConfidence, high confidence, KadrBot, TrojanBanker, CLASSIC, AGEN, HLLW, AMADEY, YXFEDZ, Real Protect, high, Static AI, Malicious PE, Detected, ABTrojan, XFQU, Artemis, BScope, Propriex, SecurityProtection, PE04C9Z, Akjl, susgen)
md5 8cc0e158c7814f38aa7dcce43e4b5d26
sha256 90766ad30dff5ae4857baa08ecc6bbc137fe1409234444ad8383e2742d60950f
ssdeep 1536:2nlZChFmav82Sd1P6MBr5xDRBj26z6mBmND:OzvOKd1P6CxDXK6WVND
imphash 8d83a073848641257ffcc6771c22bee0
impfuzzy 96:6Es0fR+K3c+qp4MmTu9X1f6OgntK/C0HdcpXMomkDq7AKKEa:K7h19Fw0/rHFomkDq7AVd
  Network IP location

Signature (22cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 53 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed

Rules (15cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch Network_Downloader File Downloader binaries (download)
watch Network_Downloader File Downloader binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (26cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://185.156.72.39/1
whois
Unknown 185.156.72.39 clean
http://185.156.72.39/2
whois
Unknown 185.156.72.39 clean
http://185.156.72.39/3
whois
Unknown 185.156.72.39 clean
http://185.156.72.39/4
whois
Unknown 185.156.72.39 clean
http://185.156.72.39/5
whois
Unknown 185.156.72.39 clean
www.update.microsoft.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.72.235.82 clean
213.206.63.137
whois
UZ Buzton J.v. 213.206.63.137 clean
37.254.134.93
whois
IR Iran Telecommunication Company PJS 37.254.134.93 clean
37.254.171.16
whois
IR Iran Telecommunication Company PJS 37.254.171.16 clean
58.39.155.99
whois
CN China Telecom (Group) 58.39.155.99 clean
39.40.106.225
whois
PK Pakistan Telecom Company Limited 39.40.106.225 clean
213.206.60.203
whois
UZ Buzton J.v. 213.206.60.203 clean
37.254.175.221
whois
IR Iran Telecommunication Company PJS 37.254.175.221 clean
20.109.209.108
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.109.209.108 clean
213.206.63.140
whois
UZ Buzton J.v. 213.206.63.140 clean
185.156.72.39
whois
Unknown 185.156.72.39 malware
2.185.151.24
whois
IR Iran Telecommunication Company PJS 2.185.151.24 clean
134.35.59.13
whois
YE Public Telecommunication Corporation 134.35.59.13 clean
178.167.60.47
whois
RU Flex Ltd. 178.167.60.47 clean
213.206.62.255
whois
UZ Buzton J.v. 213.206.62.255 clean
78.106.38.198
whois
RU PVimpelCom 78.106.38.198 clean
93.188.85.2
whois
RU LLC The Capital Plus 93.188.85.2 clean
198.163.193.70
whois
US WINDSTREAM 198.163.193.70 clean
213.230.97.32
whois
UZ Uzbektelekom Joint Stock Company 213.230.97.32 clean
151.238.207.30
whois
IR Aria Shatel Company Ltd 151.238.207.30 clean
185.215.113.66
whois
Unknown 185.215.113.66 malware

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 32
ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC

PE API

IAT(Import Address Table) Library

WS2_32.dll
 0x410210 gethostname
 0x410214 recvfrom
 0x410218 setsockopt
 0x41021c ind
 0x410220 sendto
 0x410224 ioctlsocket
 0x410228 WSAStartup
 0x41022c shutdown
 0x410230 htons
 0x410234 socket
 0x410238 connect
 0x41023c WSAWaitForMultipleEvents
 0x410240 listen
 0x410244 WSASocketA
 0x410248 WSACreateEvent
 0x41024c WSAGetOverlappedResult
 0x410250 WSAEventSelect
 0x410254 WSAEnumNetworkEvents
 0x410258 WSAGetLastError
 0x41025c WSASend
 0x410260 WSARecv
 0x410264 WSACloseEvent
 0x410268 accept
 0x41026c getpeername
 0x410270 getsockname
 0x410274 inet_addr
 0x410278 gethostbyname
 0x41027c inet_ntoa
 0x410280 closesocket
 0x410284 recv
 0x410288 send
SHLWAPI.dll
 0x41015c StrStrIA
 0x410160 StrCmpNW
 0x410164 StrStrW
 0x410168 PathFileExistsW
 0x41016c StrChrA
 0x410170 PathFindFileNameW
 0x410174 StrCmpNIA
 0x410178 PathMatchSpecW
urlmon.dll
 0x410308 URLDownloadToFileW
WININET.dll
 0x4101d8 HttpSendRequestA
 0x4101dc InternetReadFile
 0x4101e0 InternetCloseHandle
 0x4101e4 HttpOpenRequestA
 0x4101e8 DeleteUrlCacheEntry
 0x4101ec InternetConnectA
 0x4101f0 InternetOpenA
 0x4101f4 InternetCrackUrlA
 0x4101f8 HttpAddRequestHeadersA
 0x4101fc HttpQueryInfoA
 0x410200 InternetOpenUrlA
 0x410204 InternetOpenUrlW
 0x410208 InternetOpenW
ntdll.dll
 0x4102a0 strlen
 0x4102a4 iswdigit
 0x4102a8 iswalpha
 0x4102ac memcpy
 0x4102b0 memset
 0x4102b4 NtQueryVirtualMemory
 0x4102b8 RtlUnwind
 0x4102bc _chkstk
 0x4102c0 _aulldiv
 0x4102c4 wcslen
 0x4102c8 wcscmp
 0x4102cc _allshl
 0x4102d0 _aullshr
 0x4102d4 strstr
 0x4102d8 memmove
 0x4102dc memcmp
 0x4102e0 RtlTimeToSecondsSince1980
 0x4102e4 NtQuerySystemTime
 0x4102e8 strcmp
 0x4102ec mbstowcs
msvcrt.dll
 0x410290 _vscprintf
 0x410294 srand
 0x410298 rand
KERNEL32.dll
 0x410020 GetQueuedCompletionStatus
 0x410024 PostQueuedCompletionStatus
 0x410028 GetSystemInfo
 0x41002c MoveFileExW
 0x410030 SetEvent
 0x410034 CreateProcessW
 0x410038 GetLocaleInfoA
 0x41003c DeleteCriticalSection
 0x410040 GetCurrentThread
 0x410044 GetThreadPriority
 0x410048 SetThreadPriority
 0x41004c GetCurrentProcess
 0x410050 DuplicateHandle
 0x410054 IsBadReadPtr
 0x410058 InterlockedExchangeAdd
 0x41005c InterlockedIncrement
 0x410060 WaitForSingleObject
 0x410064 InterlockedDecrement
 0x410068 InterlockedExchange
 0x41006c HeapFree
 0x410070 HeapValidate
 0x410074 HeapReAlloc
 0x410078 GetProcessHeaps
 0x41007c HeapCreate
 0x410080 HeapSetInformation
 0x410084 GetCurrentProcessId
 0x410088 HeapAlloc
 0x41008c CreateMutexA
 0x410090 GetLastError
 0x410094 ExitProcess
 0x410098 ExpandEnvironmentStringsW
 0x41009c CreateEventA
 0x4100a0 CreateThread
 0x4100a4 GetModuleFileNameW
 0x4100a8 GetVolumeInformationW
 0x4100ac GetDiskFreeSpaceExW
 0x4100b0 SetFileAttributesW
 0x4100b4 DeleteFileW
 0x4100b8 CopyFileW
 0x4100bc lstrcmpiW
 0x4100c0 CreateDirectoryW
 0x4100c4 FindFirstFileW
 0x4100c8 lstrcmpW
 0x4100cc CreateIoCompletionPort
 0x4100d0 FindNextFileW
 0x4100d4 FindClose
 0x4100d8 RemoveDirectoryW
 0x4100dc GetLogicalDrives
 0x4100e0 GetDriveTypeW
 0x4100e4 QueryDosDeviceW
 0x4100e8 lstrcpyW
 0x4100ec WriteFile
 0x4100f0 FlushFileBuffers
 0x4100f4 EnterCriticalSection
 0x4100f8 LeaveCriticalSection
 0x4100fc InitializeCriticalSection
 0x410100 CreateFileW
 0x410104 CreateFileMappingW
 0x410108 MapViewOfFile
 0x41010c GetFileSize
 0x410110 UnmapViewOfFile
 0x410114 lstrlenW
 0x410118 GlobalUnlock
 0x41011c GlobalLock
 0x410120 GlobalAlloc
 0x410124 lstrlenA
 0x410128 lstrcpynW
 0x41012c MultiByteToWideChar
 0x410130 ExitThread
 0x410134 GetTickCount
 0x410138 Sleep
 0x41013c GetModuleHandleW
 0x410140 CloseHandle
USER32.dll
 0x410180 RegisterClassExW
 0x410184 CreateWindowExW
 0x410188 GetMessageA
 0x41018c TranslateMessage
 0x410190 wsprintfW
 0x410194 DefWindowProcA
 0x410198 ChangeClipboardChain
 0x41019c RegisterRawInputDevices
 0x4101a0 GetClipboardData
 0x4101a4 DispatchMessageA
 0x4101a8 OpenClipboard
 0x4101ac EmptyClipboard
 0x4101b0 SetClipboardData
 0x4101b4 IsClipboardFormatAvailable
 0x4101b8 SendMessageA
 0x4101bc SetWindowLongW
 0x4101c0 SetClipboardViewer
 0x4101c4 GetWindowLongW
 0x4101c8 wsprintfA
 0x4101cc wvsprintfA
 0x4101d0 CloseClipboard
ADVAPI32.dll
 0x410000 CryptAcquireContextW
 0x410004 RegQueryValueExW
 0x410008 RegOpenKeyExW
 0x41000c RegSetValueExW
 0x410010 CryptReleaseContext
 0x410014 RegCloseKey
 0x410018 CryptGenRandom
SHELL32.dll
 0x410154 ShellExecuteW
ole32.dll
 0x4102f4 CoInitializeEx
 0x4102f8 CoInitialize
 0x4102fc CoCreateInstance
 0x410300 CoUninitialize
OLEAUT32.dll
 0x410148 SysFreeString
 0x41014c SysAllocString

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure