popup

Report - PlayerUI5.exe

Emotet Gen AsyncRAT backdoor
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.03.22 17:51 Machine s1_win7_x6402
Filename PlayerUI5.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
9
 Behavior Score
17.6
ZERO API file : malware
VT API (file) 26 detected (GenericKD, Save, Blocker, ZemsilF, em0@au6akzd, Attribute, HighConfidence, Malicious, PWSX, Siggen12, Artemis, ai score=82, Wacapew, Static AI, Malicious PE, PossibleThreat, GdSda, confidence, 100%, HgIASRIA)
md5 1c9bb6efaebb7a43cab38e3d58b5134c
sha256 596ab1ddff660a3cd00e14f5e43d5af6a0ad03a41d07a51344b8eb61a594d27f
ssdeep 768:YdTddyzeY8phVbizLDQ9ANxKeE3R4ekDlEJJJJJJJJJJJJJJJJJcgll3YELFBk68:llJE46EsseeQXJH4CfK/CUcgQIb
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (36cnts)

Level Description
danger Executed a process and injected code into it
danger Stops Windows services
warning File has been identified by 26 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Loads a driver
watch Looks for the Windows Idle Time to determine the uptime
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info This executable has a PDB path

Rules (29cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (download)
info PE_Header_Zero PE File Signature Zero binaries (download)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info HasDebugData DebugData Check binaries (download)
info HasDebugData DebugData Check binaries (upload)
info HasOverlay Overlay Check binaries (download)
info HasRichSignature Rich Signature Check binaries (download)
info ImportTableIsBad ImportTable Check binaries (download)
info IsConsole (no description) binaries (download)
info IsNET_EXE (no description) binaries (upload)
info IsPacked Entropy Check binaries (download)
info IsWindowsGUI (no description) binaries (download)
info IsWindowsGUI (no description) binaries (upload)
info screenshot Take screenshot binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)
info win_files_operation Affect private profile binaries (download)
info win_registry Affect system registries binaries (download)

Network (34cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://mytoolsprivacy.site/downloads/privacytools3.exe
whois
CH Private Layer INC 179.43.158.179 clean
http://103.124.106.203/cof4/inst.exe
whois
IN DEDIPATH-LLC 103.124.106.203 malware
http://whatitis.site/dlc/mixinte
whois
RU JSC The First 92.63.99.163 clean
http://aretywer.xyz/Corepad092.exe
whois
GB A.b Internet Solutions 45.144.30.78 clean
http://file.ekkggr3.com/iuww/jvppp.exe
whois
US CLOUDFLARENET 104.21.66.169 clean
http://188.93.233.223/proxy1.exe
whois
PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.223 clean
http://45.133.1.139/Manager/Temp/EFgzd7IrnKmvSY7NoweEU7Pm/KG5pc5F7jZu3r0hr7kiig97u.exe
whois
US DEDIPATH-LLC 45.133.1.139 clean
https://iplogger.org/1ixtu7
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://iplogger.org/1lx5k
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://pastebin.com/raw/mH2EJxkv
whois
US CLOUDFLARENET 104.23.99.190 clean
https://iplogger.org/1hVa87
whois
DE Hetzner Online GmbH 88.99.66.31 clean
digitalassets.ams3.digitaloceanspaces.com
whois
NL DIGITALOCEAN-ASN 5.101.110.225
aretywer.xyz
whois
GB A.b Internet Solutions 45.144.30.78 clean
mytoolsprivacy.site
whois
CH Private Layer INC 179.43.158.179 clean
jg3.3uag.pw
whois
Unknown clean
whatitis.site
whois
UA PE Konstantin Vladimirovich Kravchenko 91.200.41.57 clean
iplogger.org
whois
DE Hetzner Online GmbH 88.99.66.31 clean
d0wnl0ads.online
whois
Unknown clean
pastebin.com
whois
US CLOUDFLARENET 104.23.98.190 mailcious
file.ekkggr3.com
whois
US CLOUDFLARENET 172.67.162.110 clean
msiamericas.com
whois
LT Vardas.lt, Uab 141.136.39.190 clean
www.investinae.com
whois
US UNIFIEDLAYER-AS-1 108.167.143.77 clean
172.67.162.110
whois
US CLOUDFLARENET 172.67.162.110 clean
45.133.1.139
whois
US DEDIPATH-LLC 45.133.1.139 malware
188.93.233.223
whois
PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.223 malware
103.124.106.203
whois
IN DEDIPATH-LLC 103.124.106.203 malware
88.99.66.31
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
141.136.39.190
whois
LT Vardas.lt, Uab 141.136.39.190 clean
104.23.99.190
whois
US CLOUDFLARENET 104.23.99.190 mailcious
179.43.158.179
whois
CH Private Layer INC 179.43.158.179 clean
45.144.30.78
whois
GB A.b Internet Solutions 45.144.30.78 clean
5.101.110.225
whois
NL DIGITALOCEAN-ASN 5.101.110.225 malware
91.200.41.57
whois
UA PE Konstantin Vladimirovich Kravchenko 91.200.41.57
108.167.143.77
whois
US UNIFIEDLAYER-AS-1 108.167.143.77 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET DNS Query to a *.pw domain - Likely Hostile
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure