popup

Report - n7duez.zip

  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.03.30 09:24 Machine s1_win7_x6402
Filename n7duez.zip
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
1
 Behavior Score
5.6
ZERO API file : clean
VT API (file) 11 detected (malicious, high confidence, Unsafe, ZedlaF, xq4@aiZVwwg, Attribute, HighConfidence, Cridex, kcloud, score, GenericRXAA)
md5 44dcdfd1873198f50c5dd4dbb1fe8f44
sha256 ae3b7d160b7b7389b413ad2cc8787f5b92013627476a1cb2a3371712b07cd28e
ssdeep 6144:WbazNBbycfmKsyUlVkMdUFIk1KyHNwoATpFp5xM8C1h:NzeTlVk/7HNQp5W8Uh
imphash 10b339eba7ed6a12d0c67a18515a94ff
impfuzzy 48:catMS17Mbc+ppXm30AEQbJMeEUn6gF09/ZXUYsI:rtMS17Mbc+ppXq8XjsI
  Network IP location

Signature (15cnts)

Level Description
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch File has been identified by 11 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Sends data using the HTTP POST Method
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info This executable has a PDB path
info Tries to locate where the browsers are installed

Rules (8cnts)

Level Name Description Collection
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info HasDebugData DebugData Check binaries (upload)
info HasRichSignature Rich Signature Check binaries (upload)
info IsWindowsGUI (no description) binaries (upload)
info win_files_operation Affect private profile binaries (upload)

Network (7cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
whois
US GOOGLE 142.250.34.2 clean
https://update.googleapis.com/service/update2
whois
US GOOGLE 172.217.24.67 clean
https://update.googleapis.com/service/update2?cup2key=10:1063268346&cup2hreq=aeb1fd103607563a549a6ba2077d24749f8c33da6854c0de7ef1993f7b40cbea
whois
US GOOGLE 172.217.24.67 clean
https://210.65.244.176/
whois
TW Data Communication Business Group 210.65.244.176 598 mailcious
edgedl.gvt1.com
whois
US GOOGLE 142.250.34.2 clean
142.250.34.2
whois
US GOOGLE 142.250.34.2 clean
210.65.244.176
whois
TW Data Communication Business Group 210.65.244.176 mailcious

Suricata ids

ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

Similarity measure (PE file only) - Checking for service failure