popup

Report - done.exe

Client SW User Data Stealer Emotet Gen1 browser info stealer EnigmaProtector Generic Malware Google Chrome User Data Downloader Malicious Library UPX Malicious Packer .NET framework(MSIL) Http API PWS Code injection Create Service Socket DGA ScreenShot Es
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.01.16 08:15 Machine s1_win7_x6401
Filename done.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
14.6
ZERO API file : malware
VT API (file) 37 detected (AIDetectMalware, malicious, high confidence, Dacic, Crifi, Ae9m, Attribute, HighConfidence, multiple detections, GenericRXMR, TrojanX, score, RisePro, CLOUD, AGEN, YXEAPZ, Generic ML PUA, awbz, Detected, DllInject, Redline, RiseProStealer, AAOF, Kryptik, Eldorado, PasswordStealer, Probably Heur, ExeHeaderL, Static AI, Malicious SFX, confidence)
md5 750730cacee06f5b29188ef5050ff7ab
sha256 13379a65ce202076bf26e92ef6da715754b740f5981a82cf5f9b0c2012eb9099
ssdeep 98304:J2Whm1JudM2fKSQkGr9kigOCfp9ueloHjZBG+nBYuEk9:J2ym1Ji5zQpsFo1BfBYu
imphash 646167cce332c1c252cdcb1839e0cf48
impfuzzy 48:mPkNSpUOU4iLzNXMuM9a08vTL5wtV6x9KEl4LTrzUp5aSvd59E5o+RXpNuAC8tGg:ikmUZ4iLBXMuMc08vTLhsNeGmdM
  Network IP location

Signature (32cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Appends a known multi-family ransomware file extension to files that have been encrypted
watch Communicates with host for which no DNS query was performed
watch Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic)
watch Installs itself for autorun at Windows startup
watch One or more non-whitelisted processes were created
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Starts servers listening
notice Steals private information from local Internet browsers
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path
info Tries to locate where the browsers are installed

Rules (60cnts)

Level Name Description Collection
danger Client_SW_User_Data_Stealer Client_SW_User_Data_Stealer memory
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
warning EnigmaProtector_IN EnigmaProtector binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning infoStealer_browser_Zero browser info stealer memory
watch Chrome_User_Data_Check_Zero Google Chrome User Data Check memory
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice BitCoin Perform crypto currency mining memory
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice Persistence Install itself for autorun at Windows startup memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info CAB_file_format CAB archive file binaries (download)
info CAB_file_format CAB archive file binaries (upload)
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Virtual_currency_Zero Virtual currency memory
info vmdetect Possibly employs anti-virtualization techniques memory
info win_hook Affect hook table memory

Network (23cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://fbsbx.com/security/hsts-pixel.gif?c=5
whois
US FACEBOOK 157.240.215.35 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://www.facebook.com/favicon.ico
whois
US FACEBOOK 157.240.215.35 clean
https://connect.facebook.net/security/hsts-pixel.gif
whois
US FACEBOOK 157.240.215.14 clean
https://www.facebook.com/login
whois
US FACEBOOK 157.240.215.35 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
whois
US FACEBOOK 157.240.215.35 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yJ/l/0,cross/JtVgZ46o85N.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
whois
US FACEBOOK 157.240.215.35 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
whois
US FACEBOOK 157.240.215.14 clean
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
whois
US FACEBOOK 157.240.215.14 clean
www.facebook.com
whois
US FACEBOOK 157.240.215.35 clean
fbsbx.com
whois
US FACEBOOK 157.240.215.35 clean
static.xx.fbcdn.net
whois
US FACEBOOK 157.240.215.14 clean
fbcdn.net
whois
US FACEBOOK 157.240.215.35 clean
connect.facebook.net
whois
US FACEBOOK 157.240.215.14 clean
facebook.com
whois
US FACEBOOK 157.240.215.35 clean
157.240.215.35
whois
US FACEBOOK 157.240.215.35 clean
157.240.215.14
whois
US FACEBOOK 157.240.215.14 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x40a000 GetTokenInformation
 0x40a004 RegDeleteValueA
 0x40a008 RegOpenKeyExA
 0x40a00c RegQueryInfoKeyA
 0x40a010 FreeSid
 0x40a014 OpenProcessToken
 0x40a018 RegSetValueExA
 0x40a01c RegCreateKeyExA
 0x40a020 LookupPrivilegeValueA
 0x40a024 AllocateAndInitializeSid
 0x40a028 RegQueryValueExA
 0x40a02c EqualSid
 0x40a030 RegCloseKey
 0x40a034 AdjustTokenPrivileges
KERNEL32.dll
 0x40a060 _lopen
 0x40a064 _llseek
 0x40a068 CompareStringA
 0x40a06c GetLastError
 0x40a070 GetFileAttributesA
 0x40a074 GetSystemDirectoryA
 0x40a078 LoadLibraryA
 0x40a07c DeleteFileA
 0x40a080 GlobalAlloc
 0x40a084 GlobalFree
 0x40a088 CloseHandle
 0x40a08c WritePrivateProfileStringA
 0x40a090 IsDBCSLeadByte
 0x40a094 GetWindowsDirectoryA
 0x40a098 SetFileAttributesA
 0x40a09c GetProcAddress
 0x40a0a0 GlobalLock
 0x40a0a4 LocalFree
 0x40a0a8 RemoveDirectoryA
 0x40a0ac FreeLibrary
 0x40a0b0 _lclose
 0x40a0b4 CreateDirectoryA
 0x40a0b8 GetPrivateProfileIntA
 0x40a0bc GetPrivateProfileStringA
 0x40a0c0 GlobalUnlock
 0x40a0c4 ReadFile
 0x40a0c8 SizeofResource
 0x40a0cc WriteFile
 0x40a0d0 GetDriveTypeA
 0x40a0d4 lstrcmpA
 0x40a0d8 SetFileTime
 0x40a0dc SetFilePointer
 0x40a0e0 FindResourceA
 0x40a0e4 CreateMutexA
 0x40a0e8 GetVolumeInformationA
 0x40a0ec ExpandEnvironmentStringsA
 0x40a0f0 GetCurrentDirectoryA
 0x40a0f4 FreeResource
 0x40a0f8 GetVersion
 0x40a0fc SetCurrentDirectoryA
 0x40a100 GetTempPathA
 0x40a104 LocalFileTimeToFileTime
 0x40a108 CreateFileA
 0x40a10c SetEvent
 0x40a110 TerminateThread
 0x40a114 GetVersionExA
 0x40a118 LockResource
 0x40a11c GetSystemInfo
 0x40a120 CreateThread
 0x40a124 ResetEvent
 0x40a128 LoadResource
 0x40a12c ExitProcess
 0x40a130 GetModuleHandleW
 0x40a134 CreateProcessA
 0x40a138 FormatMessageA
 0x40a13c GetTempFileNameA
 0x40a140 DosDateTimeToFileTime
 0x40a144 CreateEventA
 0x40a148 GetExitCodeProcess
 0x40a14c FindNextFileA
 0x40a150 LocalAlloc
 0x40a154 GetShortPathNameA
 0x40a158 MulDiv
 0x40a15c GetDiskFreeSpaceA
 0x40a160 EnumResourceLanguagesA
 0x40a164 GetTickCount
 0x40a168 GetSystemTimeAsFileTime
 0x40a16c GetCurrentThreadId
 0x40a170 GetCurrentProcessId
 0x40a174 QueryPerformanceCounter
 0x40a178 TerminateProcess
 0x40a17c SetUnhandledExceptionFilter
 0x40a180 UnhandledExceptionFilter
 0x40a184 GetStartupInfoW
 0x40a188 Sleep
 0x40a18c FindClose
 0x40a190 GetCurrentProcess
 0x40a194 FindFirstFileA
 0x40a198 WaitForSingleObject
 0x40a19c GetModuleFileNameA
 0x40a1a0 LoadLibraryExA
GDI32.dll
 0x40a058 GetDeviceCaps
USER32.dll
 0x40a1a8 SetWindowLongA
 0x40a1ac GetDlgItemTextA
 0x40a1b0 DialogBoxIndirectParamA
 0x40a1b4 ShowWindow
 0x40a1b8 MsgWaitForMultipleObjects
 0x40a1bc SetWindowPos
 0x40a1c0 GetDC
 0x40a1c4 GetWindowRect
 0x40a1c8 DispatchMessageA
 0x40a1cc GetDesktopWindow
 0x40a1d0 CharUpperA
 0x40a1d4 SetDlgItemTextA
 0x40a1d8 ExitWindowsEx
 0x40a1dc MessageBeep
 0x40a1e0 EndDialog
 0x40a1e4 CharPrevA
 0x40a1e8 LoadStringA
 0x40a1ec CharNextA
 0x40a1f0 EnableWindow
 0x40a1f4 ReleaseDC
 0x40a1f8 SetForegroundWindow
 0x40a1fc PeekMessageA
 0x40a200 GetDlgItem
 0x40a204 SendMessageA
 0x40a208 SendDlgItemMessageA
 0x40a20c MessageBoxA
 0x40a210 SetWindowTextA
 0x40a214 GetWindowLongA
 0x40a218 CallWindowProcA
 0x40a21c GetSystemMetrics
msvcrt.dll
 0x40a234 _controlfp
 0x40a238 ?terminate@@YAXXZ
 0x40a23c _acmdln
 0x40a240 _initterm
 0x40a244 __setusermatherr
 0x40a248 _except_handler4_common
 0x40a24c memcpy
 0x40a250 _ismbblead
 0x40a254 __p__fmode
 0x40a258 _cexit
 0x40a25c _exit
 0x40a260 exit
 0x40a264 __set_app_type
 0x40a268 __getmainargs
 0x40a26c _amsg_exit
 0x40a270 __p__commode
 0x40a274 _XcptFilter
 0x40a278 memcpy_s
 0x40a27c _vsnprintf
 0x40a280 memset
COMCTL32.dll
 0x40a03c None
Cabinet.dll
 0x40a044 None
 0x40a048 None
 0x40a04c None
 0x40a050 None
VERSION.dll
 0x40a224 GetFileVersionInfoA
 0x40a228 VerQueryValueA
 0x40a22c GetFileVersionInfoSizeA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure