popup

Report - winlog.exe

  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.03.12 18:58 Machine s1_win7_x6401
Filename winlog.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
AI Score
9
 Behavior Score
7.4
ZERO API file : malware
VT API (file) 37 detected (AIDetect, malware1, malicious, high confidence, score, GenericM, Unsafe, Save, confidence, Kryptik, Eldorado, Attribute, HighConfidence, EOVE, R002H0CCB21, Zusy, PWSX, Cerbu, Siggen12, Vopak, FormBook, PXU06R, Swotter, owqbh, Wacapew, Static AI, Malicious PE, dGZlOgH0wOLX3LIu0g, AgentTesla)
md5 9bdc8f00b437a66c1f1f0b6b45849d04
sha256 1ed998332afc95e5830817b9f215468c55e67cd134c920b497521042bd6d4c38
ssdeep 6144:rPKyLL2a8LiYvx0Mjei55TxnaBDMzuumPy9:mRa8LiDM539aBiNmK9
imphash b76363e9cb88bf9390860da8e50999d2
impfuzzy 48:cBgUcdDjO6wiQzL8r+tAltSv54eObGLlo8t0Q7XEFpV74dT+4EQX/1Eowhxly6UZ:cmUcdvRwivJ81WAV5O8
  Network IP location

Signature (15cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (63cnts)

Level Name Description Collection
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (download)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory
info create_com_service Create a COM server memory
info create_service Create a windows service memory
info cred_local Steal credential memory
info escalate_priv Escalade priviledges binaries (upload)
info escalate_priv Escalade priviledges memory
info HasDebugData DebugData Check binaries (download)
info HasOverlay Overlay Check binaries (download)
info HasOverlay Overlay Check binaries (upload)
info HasRichSignature Rich Signature Check binaries (upload)
info hijack_network Hijack network configuration memory
info inject_thread Code injection with CreateRemoteThread in a remote process memory
info IsPacked Entropy Check binaries (download)
info IsPacked Entropy Check binaries (upload)
info IsWindowsGUI (no description) binaries (upload)
info keylogger Run a keylogger memory
info migrate_apc APC queue tasks migration memory
info network_dga Communication using dga memory
info network_dns Communications use DNS memory
info network_dropper File downloader/dropper memory
info network_ftp Communications over FTP memory
info network_http Communications over HTTP memory
info network_p2p_win Communications over P2P network memory
info network_tcp_listen Listen for incoming communication memory
info network_tcp_socket Communications over RAW socket memory
info network_udp_sock Communications over UDP network memory
info screenshot Take screenshot binaries (upload)
info screenshot Take screenshot memory
info sniff_audio Record Audio memory
info spreading_file Malware can spread east-west file memory
info spreading_share Malware can spread east-west using share drive memory
info Str_Win32_Wininet_Library Match Windows Inet API library declaration memory
info Str_Win32_Winsock2_Library Match Winsock 2 API library declaration binaries (download)
info Str_Win32_Winsock2_Library Match Winsock 2 API library declaration memory
info win_files_operation Affect private profile binaries (upload)
info win_files_operation Affect private profile memory
info win_mutex Create or check mutex memory
info win_private_profile Affect private profile binaries (upload)
info win_private_profile Affect private profile memory
info win_registry Affect system registries binaries (upload)
info win_registry Affect system registries memory
info win_token Affect system token binaries (upload)
info win_token Affect system token memory

Network (24cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.usopencoverage.com/nsag/
whois
GB Host Europe GmbH 94.136.40.51 clean
http://www.mauriciozarate.com/nsag/
whois
US WEEBLY 199.34.228.56 clean
http://www.usopencoverage.com/nsag/?NVlTnb=og4DIg58JlKco58KkdqEYNLQLc3eWWfvHIn4nR8VBNKZeGgyeIgd3wA4BT8g076OhyzEqtq0&lhud=UJB4FDGPbJth
whois
GB Host Europe GmbH 94.136.40.51 clean
http://www.translations.tools/nsag/?NVlTnb=1Yx90tXfD0vRUrwJZLNplGUVoptWSuBjE4n4ChdeuvIOAX2e1438cOyuyQxg5V577ZyhmWQ6&lhud=UJB4FDGPbJth
whois
US AUTOMATTIC 192.0.78.25 clean
http://www.mauriciozarate.com/nsag/?NVlTnb=Ue04sXlQiii509Shi2umXEvf3gsXdN0yxpr9ZQMQaC4qPH85OcBkfpKqwav3hGwaJkhlOFwu&lhud=UJB4FDGPbJth
whois
US WEEBLY 199.34.228.56 clean
http://www.bkhlep.xyz/nsag/?NVlTnb=9quu7qxzrtoB+kYIkoOu+N5EFAckOqu46RZA8fowIlCZtpsSFEgon8p3qHkXd1e9TouKQXQv&lhud=UJB4FDGPbJth
whois
JP GMO Internet,Inc 150.95.255.38 mailcious
http://www.bkhlep.xyz/nsag/
whois
JP GMO Internet,Inc 150.95.255.38 mailcious
http://www.explorerthecity.com/nsag/
whois
DE SEDO GmbH 91.195.240.94 clean
http://www.explorerthecity.com/nsag/?NVlTnb=nMtIT7UzM1V7BZ5QE53kf7KTbdq7isGDN9UDKAjWuyMqX8tFeFGDukCfRsacMPMH+iu4H70p&lhud=UJB4FDGPbJth
whois
DE SEDO GmbH 91.195.240.94 clean
http://www.translations.tools/nsag/
whois
US AUTOMATTIC 192.0.78.25 clean
www.translations.tools
whois
US AUTOMATTIC 192.0.78.25 clean
www.5bo5j.com
whois
US AS-XFERNET 199.197.13.53 clean
www.856380692.xyz
whois
CN NINGBO, ZHEJIANG Province, P.R.China. 103.88.34.80 mailcious
www.usopencoverage.com
whois
GB Host Europe GmbH 94.136.40.51 clean
www.explorerthecity.com
whois
DE SEDO GmbH 91.195.240.94 clean
www.mauriciozarate.com
whois
US WEEBLY 199.34.228.56 clean
www.bkhlep.xyz
whois
JP GMO Internet,Inc 150.95.255.38 clean
91.195.240.94
whois
DE SEDO GmbH 91.195.240.94 phishing
94.136.40.51
whois
GB Host Europe GmbH 94.136.40.51 mailcious
150.95.255.38
whois
JP GMO Internet,Inc 150.95.255.38 mailcious
103.88.34.80
whois
CN NINGBO, ZHEJIANG Province, P.R.China. 103.88.34.80 suspicious
199.197.13.53
whois
US AS-XFERNET 199.197.13.53 clean
192.0.78.25
whois
US AUTOMATTIC 192.0.78.25 mailcious
199.34.228.56
whois
US WEEBLY 199.34.228.56 malware

Suricata ids

ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x407064 GetTickCount
 0x407068 GetShortPathNameA
 0x40706c GetFullPathNameA
 0x407070 MoveFileA
 0x407074 SetCurrentDirectoryA
 0x407078 GetFileAttributesA
 0x40707c SetFileAttributesA
 0x407080 CompareFileTime
 0x407084 SearchPathA
 0x407088 GetFileSize
 0x40708c GetModuleFileNameA
 0x407090 GetCurrentProcess
 0x407094 CopyFileA
 0x407098 ExitProcess
 0x40709c GetWindowsDirectoryA
 0x4070a0 GetTempPathA
 0x4070a4 Sleep
 0x4070a8 lstrcmpiA
 0x4070ac GetVersion
 0x4070b0 SetErrorMode
 0x4070b4 lstrcpynA
 0x4070b8 GetDiskFreeSpaceA
 0x4070bc GlobalUnlock
 0x4070c0 GlobalLock
 0x4070c4 CreateThread
 0x4070c8 GetLastError
 0x4070cc CreateDirectoryA
 0x4070d0 CreateProcessA
 0x4070d4 RemoveDirectoryA
 0x4070d8 CreateFileA
 0x4070dc GetTempFileNameA
 0x4070e0 lstrcatA
 0x4070e4 GetSystemDirectoryA
 0x4070e8 WaitForSingleObject
 0x4070ec SetFileTime
 0x4070f0 CloseHandle
 0x4070f4 GlobalFree
 0x4070f8 lstrcmpA
 0x4070fc ExpandEnvironmentStringsA
 0x407100 GetExitCodeProcess
 0x407104 GlobalAlloc
 0x407108 lstrlenA
 0x40710c GetCommandLineA
 0x407110 GetProcAddress
 0x407114 FindFirstFileA
 0x407118 FindNextFileA
 0x40711c DeleteFileA
 0x407120 SetFilePointer
 0x407124 ReadFile
 0x407128 FindClose
 0x40712c GetPrivateProfileStringA
 0x407130 WritePrivateProfileStringA
 0x407134 WriteFile
 0x407138 MulDiv
 0x40713c MultiByteToWideChar
 0x407140 LoadLibraryExA
 0x407144 GetModuleHandleA
 0x407148 FreeLibrary
USER32.dll
 0x40716c SetCursor
 0x407170 GetWindowRect
 0x407174 EnableMenuItem
 0x407178 GetSystemMenu
 0x40717c SetClassLongA
 0x407180 IsWindowEnabled
 0x407184 SetWindowPos
 0x407188 GetSysColor
 0x40718c EndDialog
 0x407190 ScreenToClient
 0x407194 LoadCursorA
 0x407198 CheckDlgButton
 0x40719c GetMessagePos
 0x4071a0 LoadBitmapA
 0x4071a4 CallWindowProcA
 0x4071a8 IsWindowVisible
 0x4071ac CloseClipboard
 0x4071b0 SetForegroundWindow
 0x4071b4 GetWindowLongA
 0x4071b8 RegisterClassA
 0x4071bc TrackPopupMenu
 0x4071c0 AppendMenuA
 0x4071c4 CreatePopupMenu
 0x4071c8 GetSystemMetrics
 0x4071cc SetDlgItemTextA
 0x4071d0 GetDlgItemTextA
 0x4071d4 MessageBoxIndirectA
 0x4071d8 CharPrevA
 0x4071dc DispatchMessageA
 0x4071e0 PeekMessageA
 0x4071e4 GetDC
 0x4071e8 EnableWindow
 0x4071ec InvalidateRect
 0x4071f0 SendMessageA
 0x4071f4 DefWindowProcA
 0x4071f8 BeginPaint
 0x4071fc GetClientRect
 0x407200 FillRect
 0x407204 DrawTextA
 0x407208 SystemParametersInfoA
 0x40720c CreateWindowExA
 0x407210 GetClassInfoA
 0x407214 DialogBoxParamA
 0x407218 CharNextA
 0x40721c ExitWindowsEx
 0x407220 SetTimer
 0x407224 PostQuitMessage
 0x407228 SetWindowLongA
 0x40722c SendMessageTimeoutA
 0x407230 LoadImageA
 0x407234 wsprintfA
 0x407238 GetDlgItem
 0x40723c FindWindowExA
 0x407240 IsWindow
 0x407244 SetClipboardData
 0x407248 EmptyClipboard
 0x40724c OpenClipboard
 0x407250 EndPaint
 0x407254 CreateDialogParamA
 0x407258 DestroyWindow
 0x40725c ShowWindow
 0x407260 SetWindowTextA
GDI32.dll
 0x407040 SelectObject
 0x407044 SetBkMode
 0x407048 CreateFontIndirectA
 0x40704c SetTextColor
 0x407050 DeleteObject
 0x407054 GetDeviceCaps
 0x407058 CreateBrushIndirect
 0x40705c SetBkColor
SHELL32.dll
 0x407150 SHGetSpecialFolderLocation
 0x407154 SHGetPathFromIDListA
 0x407158 SHBrowseForFolderA
 0x40715c SHGetFileInfoA
 0x407160 SHFileOperationA
 0x407164 ShellExecuteA
ADVAPI32.dll
 0x407000 RegDeleteValueA
 0x407004 SetFileSecurityA
 0x407008 RegOpenKeyExA
 0x40700c RegDeleteKeyA
 0x407010 RegEnumValueA
 0x407014 RegCloseKey
 0x407018 RegCreateKeyExA
 0x40701c RegSetValueExA
 0x407020 RegQueryValueExA
 0x407024 RegEnumKeyA
COMCTL32.dll
 0x40702c ImageList_AddMasked
 0x407030 ImageList_Destroy
 0x407034 ImageList_Create
 0x407038 None
ole32.dll
 0x407268 OleUninitialize
 0x40726c OleInitialize
 0x407270 CoTaskMemFree
 0x407274 CoCreateInstance

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure