Field | Value |
---|---|
Sample Name | important invoice presentation nov 2021.pif (renamed file extension from pif to exe) |
Analysis ID | 523630 |
MD5 | 1364844e0bfb349272c5050fb0e677e3 |
SHA1 | ffc57ad66c9a3764a88a2b2c3ec1f0f19042c77a |
SHA256 | 004f011b37e4446fa04b76aae537cc00f6588c0705839152ae2d8a837ef2b730 |
Score | 84 (range 0 - 100) |
Whitelisted | false |
Confidence | 100% |
Score | 46 (range 0 - 100) |
AV Detection | Source |
---|---|
Found malware configuration | Malware Configuration Extractor |
Antivirus or Machine Learning detection for unpacked file | Avira (2 matches) |
Cryptography | Source |
---|---|
Uses Microsoft's Enhanced Cryptographic Provider | Code functions 14_2_0040C4B7, 14_2_0040E511, 14_2_0040EDD6, 14_2_0040D290, 30_2_0040C4B7, 30_2_0040E511, 30_2_0040EDD6, 30_2_0040D290 |
Compliance | Source |
---|---|
Uses 32bit PE files | Static PE information |
PE / OLE file has a valid certificate | Static PE information |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Static PE information |
Further sources (signature title not preserved) | Code functions 13_2_00BD655F, 14_2_00406453, 14_2_0040680D, 14_2_0040753D, 14_2_00413A85, 14_2_0040DB1C, 14_2_00406F83, 14_2_00406390, 30_2_00406453, 30_2_0040680D, 30_2_0040753D, 30_2_00413A85, 30_2_0040DB1C, 30_2_00406F83, 30_2_00406390; Code function 14_2_00406084 |
Networking | Source |
---|---|
C2 URLs / IPs found in malware configuration | URLs |
Internet Provider seen in connection with other malware | ASN Name |
IP address seen in connection with other malware | IP Address |
Detected TCP or UDP traffic on non-standard ports | TCP traffic |
Further sources (signature title not preserved) | Strings found in binary or memory (14 matches); DNS traffic detected; Code function 14_2_00405FBE |
Key, Mouse, Clipboard, Microphone and Screen Capturing | Source |
---|---|
Contains functionality to log keystrokes | Code functions 14_2_00409953, 30_2_00409953 |
Contains functionality to record screenshots | Code function 14_2_00411D8C |
Potential key logger detected (key state polling based) | Code functions 13_2_00BBA38E, 14_2_00409953, 30_2_00409953 |
Contains functionality to retrieve information about pressed keystrokes | Code function 13_2_00BF8181 |
System Summary | Source |
---|---|
Malicious sample detected (through community Yara rule) | Matched rule (3 matches) |
Initial sample is a PE file and has a suspicious name | Static PE information |
Uses 32bit PE files | Static PE information |
Yara signature match | Matched rule (3 matches) |
Detected potential crypto function | Code functions 13_2_00B9E230, 13_2_00BBAA7C, 13_2_00BE106A, 14_2_00403047, 14_2_0041D049, 14_2_00419463, 14_2_00415079, 14_2_00420420, 14_2_004208C0, 14_2_004034D3, 14_2_00414976, 14_2_00402E68, 14_2_00416619, 14_2_0040AEC6, 14_2_00402AFC, 14_2_00415ABF, 14_2_00420F40, 14_2_0041FF50, 14_2_0040A728, 30_2_00403047, 30_2_0041D049, 30_2_00419463, 30_2_00415079, 30_2_00420420, 30_2_004208C0, 30_2_004034D3, 30_2_00414976, 30_2_00402E68, 30_2_00416619, 30_2_0040AEC6, 30_2_00402AFC, 30_2_00415ABF, 30_2_00420F40, 30_2_0041FF50, 30_2_0040A728 |
Found potential string decryption / allocating functions | |
Contains functionality to call native functions | Code functions 14_2_00CC161A, 30_2_00CC161A |
Abnormal high CPU Usage | Process Stats (2 matches) |
Sample file is different than original file name gathered from version info | Binary or memory string (3 matches) |
PE file contains strange resources | Static PE information (2 matches) |
Further sources (signature title not preserved) | Static PE information; Key opened; Process created (26 matches); Classification label; Code functions 13_2_00C00C4D, 14_2_00406084, 14_2_00402570; Mutant created (5 matches); Code function 13_2_00BAC0F7; File created; File read (2 matches); Window detected; Static PE information (17 matches); Static file information |
Data Obfuscation | Source |
---|---|
Uses code obfuscation techniques (call, push, ret) | Code functions 13_2_00D5A20E, 13_2_00BB0620, 13_2_00BB060C, 13_2_00BB073E, 13_2_00BB0707, 14_2_0040DD9F, 14_2_0040DDD9, 14_2_0040DDF7, 14_2_0040E394, 14_2_0040A543, 14_2_00409980, 14_2_0040998D, 14_2_00412058, 14_2_00409FDE, 14_2_00406E69, 14_2_004027C8, 14_2_00402815, 14_2_004029B2, 14_2_0041470B, 14_2_004097B9, 30_2_0040DD9F, 30_2_0040DDD9, 30_2_0040DDF7, 30_2_0040E394, 30_2_0040A543, 30_2_00409980, 30_2_0040998D, 30_2_00412058, 30_2_00409FDE, 30_2_00406E69, 30_2_004027C8 |
Contains functionality to dynamically determine API calls | Code function 14_2_00408417 |
Persistence and Installation Behavior | Source |
---|---|
Drops PE files | File created (dropped file) |
Boot Survival | Source |
---|---|
Uses schtasks.exe or at.exe to add and modify task schedules | Process created |
Hooking and other Techniques for Hiding and Protection | Source |
---|---|
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process | Memory written (4 matches) |
Contains functionality to check if a window is minimized (may be used to check if an application is visible) | Code function 13_2_00BE6783 |
Further sources (signature title not preserved) | Process information set (16 matches) |
Malware Analysis System Evasion | Source |
---|---|
Found evasive API chain (may stop execution after checking mutex) | Evasive API call chain (2 matches) |
Found stalling execution ending in API Sleep call | Stalling execution |
Found decision node followed by non-executed suspicious APIs | Decision node followed by non-executed suspicious API |
Sample execution stops while process was sleeping (likely an evasion) | Last function (5 matches) |
Found evasive API chain (may stop execution after accessing registry keys) | Evasive API call chain |
Found large amount of non-executed APIs | API coverage (2 matches) |
Further sources (signature title not preserved) | Process information queried; Code function 13_2_00D7216B; Code functions 13_2_00BD655F, 14_2_00406453, 14_2_0040680D, 14_2_0040753D, 14_2_00413A85, 14_2_0040DB1C, 14_2_00406F83, 14_2_00406390, 30_2_00406453, 30_2_0040680D, 30_2_0040753D, 30_2_00413A85, 30_2_0040DB1C, 30_2_00406F83, 30_2_00406390; Code function 14_2_00406084; API call chain (3 matches); Binary or memory string (2 matches) |
Anti Debugging | Source |
---|---|
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Code function 13_2_00D680C8 |
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging | Code function 13_2_00D7216B |
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError) | Code function 13_2_00BAACF6 |
Contains functionality to dynamically determine API calls | Code function 14_2_00408417 |
Contains functionality which may be used to detect a debugger (GetProcessHeap) | Code function 13_2_00BC23F6 |
Contains functionality to read the PEB | Code function 13_2_00D9085C |
Further sources (signature title not preserved) | Code functions 13_2_00D680C8, 13_2_00D5A5D4 |
HIPS / PFW / Operating System Protection Evasion | Source |
---|---|
Maps a DLL or memory area into another process | Section loaded (2 matches) |
Writes to foreign memory regions | Memory written (8 matches) |
Allocates memory in foreign processes | Memory allocated (2 matches) |
Contains functionality to simulate keystroke presses | Code function 14_2_004121C0 |
Creates a process in suspended mode (likely to inject code) | Process created (6 matches) |
Contains functionality to simulate mouse events | Code function 14_2_004121EF |
Further sources (signature title not preserved) | Binary or memory string (6 matches) |
Language, Device and Operating System Detection | Source |
---|---|
Contains functionality to query CPU information (cpuid) | Code function 13_2_00D5A3F4 |
Further sources (signature title not preserved) | Code functions 13_2_00D5A7D1, 13_2_00BE3003, 14_2_004130E8 |
Remote Access Functionality | Source |
---|---|
Yara detected NetWire RAT | File source (12 matches) |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
51.195.57.233 | calibare5454.pro | France | 16276 | OVHFR | true |

Name | IP | Active |
---|---|---|
calibare5454.pro | 51.195.57.233 | true |

Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | true | | unknown |