Windows Analysis Report
empudh9lY5

Overview

General Information

Sample Name: empudh9lY5 (renamed file extension from none to exe)
Analysis ID: 715067
MD5: 8f43b86f351db105a727e67e39459d78
SHA1: ad9b43ecbae064ddca1908c40999974bc28466ba
SHA256: 9830e0d007c07364bf97b2a3e0496b7a7f5811e7e71fcdd9dada104d29d1982c

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses 32bit PE files
Yara signature match
Found large amount of non-executed APIs
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found potential string decryption / allocating functions

Classification

AV Detection

Source: empudh9lY5.exe ReversingLabs: Detection: 21%
Source: empudh9lY5.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: global traffic TCP traffic: 192.168.2.3:49702 -> 189.30.155.39:8080
Source: unknown DNS traffic detected: queries for: sherlock.servegame.com

System Summary

Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects a malware sysdll.exe from the Rocket Kitten APT Author: Florian Roth
Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Author: Florian Roth
Source: Process Memory Space: empudh9lY5.exe PID: 2560, type: MEMORYSTR Matched rule: Detects a malware sysdll.exe from the Rocket Kitten APT Author: Florian Roth
Source: Process Memory Space: empudh9lY5.exe PID: 2560, type: MEMORYSTR Matched rule: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Author: Florian Roth
Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CoreImpact_sysdll_exe author = Florian Roth, description = Detects a malware sysdll.exe from the Rocket Kitten APT, score = 27.12.2014, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = f89a4d4ae5cca6d69a5256c96111e707
Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WoolenGoldfish_Generic_3 date = 2015/03/25, hash2 = e8dbcde49c7f760165ebb0cb3452e4f1c24981f5, author = Florian Roth, description = Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ, score = 86222ef166474e53f1eb6d7e6701713834e6fee7, reference = http://goo.gl/NpJpVZ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: empudh9lY5.exe PID: 2560, type: MEMORYSTR Matched rule: CoreImpact_sysdll_exe author = Florian Roth, description = Detects a malware sysdll.exe from the Rocket Kitten APT, score = 27.12.2014, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = f89a4d4ae5cca6d69a5256c96111e707
Source: Process Memory Space: empudh9lY5.exe PID: 2560, type: MEMORYSTR Matched rule: WoolenGoldfish_Generic_3 date = 2015/03/25, hash2 = e8dbcde49c7f760165ebb0cb3452e4f1c24981f5, author = Florian Roth, description = Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ, score = 86222ef166474e53f1eb6d7e6701713834e6fee7, reference = http://goo.gl/NpJpVZ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: empudh9lY5.exe Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\empudh9lY5.exe Code function: String function: 0057497C appears 190 times
Source: empudh9lY5.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\empudh9lY5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal56.winEXE@1/0@3/1
Source: C:\Users\user\Desktop\empudh9lY5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: empudh9lY5.exe Static file information: File size 1283072 > 1048576
Source: C:\Users\user\Desktop\empudh9lY5.exe Code function: 0_2_005719B5 pushfd ; ret 0_2_005719B6
Source: C:\Users\user\Desktop\empudh9lY5.exe Code function: 0_2_00571219 push 090000B4h; iretd 0_2_0057121E
Source: initial sample Static PE information: section name: .text entropy: 6.9280540298858515
Source: C:\Users\user\Desktop\empudh9lY5.exe API coverage: 7.8 %
Source: C:\Users\user\Desktop\empudh9lY5.exe Code function: 0_2_0057492D mov ebx, dword ptr fs:[00000030h] 0_2_0057492D