Created 2021.03.25 07:52 Machine s1_win7_x6401
Filename merit.php
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score 3
Behavior Score 6.4
ZERO API file : clean
VT API (file) 13 detected (AIDetect, malware2, malicious, high confidence, Unsafe, confidence, ZedlaF, Bq4@auN33ze, Attribute, HighConfidence, FileRepMalware, score, Trickster, ET#78%, RDMK, cmRtazoHyqnMVXOV8, VcnBQcEboS)
md5 2ae20b49ac0c8f59eaca5e08a319892c
sha256 c777a87756b14abbe4745957c7705a76c7a944419447dd7e7a6e34a44ab25f34
ssdeep 12288:3xblFMZyAI7oJfGqdbmWOKJVP3D/PNkKE8:3xoO7Meqlm3wxDuKE8
imphash 7d35c86f856a368dd81109da3be969b9
impfuzzy 3:DyWA9XbXRWD3zxl:UjwDDxl

Signature (13cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch File has been identified by 13 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername

Rules (6cnts)

Level Name Description Collection
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info HasDebugData DebugData Check binaries (upload)
info HasRichSignature Rich Signature Check binaries (upload)
info IsWindowsGUI (no description) binaries (upload)

Network (8cnts)

Request CC ASN Co IP4 Rule ZERO
https://98.6.253.142/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ US TWC-11427-TEXAS 98.6.253.142 clean
70.119.220.241 US TWC-11427-TEXAS 70.119.220.241 clean
67.212.241.127 US TWIN-LAKES 67.212.241.127 clean
67.79.117.70 US TWC-11427-TEXAS 67.79.117.70 clean
173.219.76.169 US SUDDENLINK-COMMUNICATIONS 173.219.76.169 clean
98.6.253.142 US TWC-11427-TEXAS 98.6.253.142 clean
72.164.254.204 US CENTURYLINK-US-LEGACY-QWEST 72.164.254.204 clean
174.105.236.140 US TWC-10796-MIDWEST 174.105.236.140 clean

Suricata ids
