popup

Report - cVI5v4hgahjKJBO4qaFks3SD.exe

Trojan_PWS_Stealer Credential User Data Emotet Antivirus AsyncRAT backdoor SQLite Cookie Gen
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.03.22 18:47 Machine s1_win7_x6402
Filename cVI5v4hgahjKJBO4qaFks3SD.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
9
 Behavior Score
22.2
ZERO API file : malware
VT API (file) 44 detected (malicious, high confidence, Siggen12, GenericKD, Artemis, Unsafe, Save, ZemsilF, am0@aC18vXm, Attribute, HighConfidence, DropperX, Hoej, Static AI, Malicious PE, AGEN, Bladabindi, score, ai score=82, Small, IPLogger, CLOUD, GdSda, confidence, 100%, HgIASRIA)
md5 2151c4b970eff0071948dbbc19066aa4
sha256 ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e144e000dd97c1abbc78
ssdeep 192:hJLUwuWWtqqKGCaGMSsCZssyPv0bQF2T:jLUHHEeCaLSsys172
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (46cnts)

Level Description
danger File has been identified by 44 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
danger Stops Windows services
warning Drops 230 unknown file mime types indicative of ransomware writing encrypted files back to disk
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to identify installed AV products by registry key
watch Communicates with host for which no DNS query was performed
watch Creates known Hupigon files
watch Installs itself for autorun at Windows startup
watch Loads a driver
watch Network activity contains more than one unique useragent
watch One or more non-whitelisted processes were created
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice An executable file was downloaded by the process cvi5v4hgahjkjbo4qafks3sd.exe
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (71cnts)

Level Name Description Collection
danger Trojan_PWS_Stealer_1_Zero Trojan.PWS.Stealer Zero binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_1_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
warning Credential_User_Data_Check_Zero Credential User Data Check binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch SQLite_cookies_Check_Zero SQLite Cookie Check... select binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice Str_Win32_Http_API Match Windows Http API call binaries (download)
notice Str_Win32_Internet_API Match Windows Inet API call binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info GIF_Format_Zero GIF Format binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (download)
info PE_Header_Zero PE File Signature Zero binaries (download)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info create_com_service Create a COM server binaries (download)
info create_service Create a windows service binaries (download)
info cred_ie7 Steal IE 7 credential binaries (download)
info cred_local Steal credential binaries (download)
info escalate_priv Escalade priviledges binaries (download)
info HasDebugData DebugData Check binaries (download)
info HasDigitalSignature DigitalSignature Check binaries (download)
info HasModified_DOS_Message DOS Message Check binaries (download)
info HasOverlay Overlay Check binaries (download)
info HasRichSignature Rich Signature Check binaries (download)
info ImportTableIsBad ImportTable Check binaries (download)
info inject_thread Code injection with CreateRemoteThread in a remote process binaries (download)
info IsConsole (no description) binaries (download)
info IsNET_EXE (no description) binaries (upload)
info IsPacked Entropy Check binaries (download)
info IsSuspicious Might be PE Virus binaries (download)
info IsWindowsGUI (no description) binaries (download)
info IsWindowsGUI (no description) binaries (upload)
info keylogger Run a keylogger binaries (download)
info Microsoft_Office_Document_Zero Microsoft Office Document Signature Zero binaries (download)
info migrate_apc APC queue tasks migration binaries (download)
info network_dga Communication using dga binaries (download)
info network_dns Communications use DNS binaries (download)
info network_dropper File downloader/dropper binaries (download)
info network_ftp Communications over FTP binaries (download)
info network_http Communications over HTTP binaries (download)
info network_tcp_listen Listen for incoming communication binaries (download)
info network_tcp_socket Communications over RAW socket binaries (download)
info network_tor Communications over TOR network binaries (download)
info network_udp_sock Communications over UDP network binaries (download)
info rat_webcam Remote Administration toolkit using webcam binaries (download)
info screenshot Take screenshot binaries (download)
info sniff_audio Record Audio binaries (download)
info spreading_share Malware can spread east-west using share drive binaries (download)
info Str_Win32_Wininet_Library Match Windows Inet API library declaration binaries (download)
info Str_Win32_Winsock2_Library Match Winsock 2 API library declaration binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)
info win_files_operation Affect private profile binaries (download)
info win_mutex Create or check mutex binaries (download)
info win_private_profile Affect private profile binaries (download)
info win_registry Affect system registries binaries (download)
info win_token Affect system token binaries (download)

Network (46cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.yzxjgr.com/askhelp28/askinstall28.exe
whois
Unknown 103.155.92.70 clean
http://mytoolsprivacy.site/downloads/privacytools3.exe
whois
CH Private Layer INC 179.43.158.179 clean
http://www.fddnice.pw/
whois
Unknown 103.155.92.58 mailcious
http://103.124.106.203/cof4/inst.exe
whois
IN DEDIPATH-LLC 103.124.106.203 malware
http://www.cncode.pw/
whois
US AS-CHOOPA 144.202.76.47 mailcious
http://www.yzxjgr.com/askinstall28.exe
whois
Unknown 103.155.92.70 malware
http://whatitis.site/dlc/mixinte
whois
RU JSC The First 92.63.99.163 clean
http://aretywer.xyz/Corepad092.exe
whois
GB A.b Internet Solutions 45.144.30.78 clean
http://www.fjzbqb.com/Home/Index/lkdinl
whois
RU TimeWeb Ltd. 188.225.87.175 clean
http://file.ekkggr3.com/iuww/jvppp.exe
whois
US CLOUDFLARENET 172.67.162.110 malware
http://188.93.233.223/proxy1.exe
whois
PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.223 clean
https://iplogger.org/1Gbzj7
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://iplogger.org/1ixtu7
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://iplogger.org/1iPtu7
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://pastebin.com/raw/mH2EJxkv
whois
US CLOUDFLARENET 104.23.99.190 clean
https://iplogger.org/1hVa87
whois
DE Hetzner Online GmbH 88.99.66.31 clean
aretywer.xyz
whois
GB A.b Internet Solutions 45.144.30.78 clean
digitalassets.ams3.digitaloceanspaces.com
whois
NL DIGITALOCEAN-ASN 5.101.110.225 malware
mytoolsprivacy.site
whois
CH Private Layer INC 179.43.158.179 clean
jg3.3uag.pw
whois
Unknown clean
whatitis.site
whois
RU JSC The First 92.63.99.163 clean
www.cncode.pw
whois
US AS-CHOOPA 144.202.76.47 mailcious
www.fddnice.pw
whois
Unknown 103.155.92.58 mailcious
iplogger.org
whois
DE Hetzner Online GmbH 88.99.66.31 clean
d0wnl0ads.online
whois
Unknown clean
www.fjzbqb.com
whois
RU TimeWeb Ltd. 188.225.87.175 clean
pastebin.com
whois
US CLOUDFLARENET 104.23.99.190 mailcious
file.ekkggr3.com
whois
US CLOUDFLARENET 172.67.162.110 malware
msiamericas.com
whois
LT Vardas.lt, Uab 141.136.39.190 clean
www.yzxjgr.com
whois
Unknown 103.155.92.70 malware
www.investinae.com
whois
US UNIFIEDLAYER-AS-1 108.167.143.77 clean
103.155.92.70
whois
Unknown 103.155.92.70 malware
188.93.233.223
whois
PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 188.93.233.223 malware
103.124.106.203
whois
IN DEDIPATH-LLC 103.124.106.203 malware
88.99.66.31
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
141.136.39.190
whois
LT Vardas.lt, Uab 141.136.39.190 clean
104.23.99.190
whois
US CLOUDFLARENET 104.23.99.190 mailcious
179.43.158.179
whois
CH Private Layer INC 179.43.158.179 clean
45.144.30.78
whois
GB A.b Internet Solutions 45.144.30.78 clean
144.202.76.47
whois
US AS-CHOOPA 144.202.76.47 clean
188.225.87.175
whois
RU TimeWeb Ltd. 188.225.87.175 clean
5.101.110.225
whois
NL DIGITALOCEAN-ASN 5.101.110.225 malware
103.155.92.58
whois
Unknown 103.155.92.58 mailcious
104.21.66.169
whois
US CLOUDFLARENET 104.21.66.169 clean
91.200.41.57
whois
UA PE Konstantin Vladimirovich Kravchenko 91.200.41.57 clean
108.167.143.77
whois
US UNIFIEDLAYER-AS-1 108.167.143.77 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Packed Executable Download
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO HTTP Request to a *.pw domain

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure