Report - redbutton.png

PE File OS Processor Check PE32
Created 2021.04.30 09:41 Machine s1_win7_x6402
Filename redbutton.png
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
9
Behavior Score
7.0
ZERO API file : clean
VT API (file)
md5 79f0f44a27a3d1bdc7cdd7e7c248fb29
sha256 f6f0b0eadcc57871cf048fd83e37fb5e37100b6e759ec3f93979e471fb369a66
ssdeep 6144:sH2eaP2q0qfSH69LcUgKqGLJ13yeeaz7LHCRiLj5AZPhPy4j:qOP2q0qfG69gNK71N77v/5kpy4j
imphash ccf0ab678aa913be3883b88932847ad2
impfuzzy 24:UeDbrv0kgQ+fcmGHOov9lqJ3JtxwHRnlyvkT4EjMZEZAhAx/B:Uyp+fcmGuZJtxUKkc+ZQAlB

Signature (14cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
info One or more processes crashed
info Queries for the computername

Rules (3cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts)

Request | CC | ASN Co | IP4 | Rule | ZERO
https://103.54.41.193/tot90/TEST22-PC_W617601.F773CB1B97BB6C3311087FB95D3B54AB/5/kps/ | BD | Md. Manzurul Haque Khan T/A THE NET HEADS | 103.54.41.193 | | clean
103.54.41.193 | BD | Md. Manzurul Haque Khan T/A THE NET HEADS | 103.54.41.193 | | malicious
103.66.72.217 | IN | RailTel Corporation of India Ltd., Internet Service Provider, New Delhi | 103.66.72.217 | | malicious
154.79.245.158 | KE | CKL1-ASN | 154.79.245.158 | | malicious
103.124.173.35 | IN | Shirsty Internet Services Pvt Ltd | 103.124.173.35 | | clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x416000 FreeLibrary
 0x416004 GetProcAddress
 0x416008 lstrlenW
 0x41600c lstrlenA
 0x416010 Sleep
 0x416014 SizeofResource
 0x416018 LoadResource
 0x41601c FindResourceW
 0x416020 VirtualAlloc
 0x416024 SetStdHandle
 0x416028 WriteConsoleW
 0x41602c LoadLibraryW
 0x416030 InterlockedIncrement
 0x416034 InterlockedDecrement
 0x416038 EncodePointer
 0x41603c DecodePointer
 0x416040 InitializeCriticalSection
 0x416044 DeleteCriticalSection
 0x416048 EnterCriticalSection
 0x41604c LeaveCriticalSection
 0x416050 RaiseException
 0x416054 RtlUnwind
 0x416058 GetCommandLineA
 0x41605c HeapSetInformation
 0x416060 GetStartupInfoW
 0x416064 GetLastError
 0x416068 HeapFree
 0x41606c WideCharToMultiByte
 0x416070 LCMapStringW
 0x416074 MultiByteToWideChar
 0x416078 GetCPInfo
 0x41607c HeapAlloc
 0x416080 TlsAlloc
 0x416084 TlsGetValue
 0x416088 TlsSetValue
 0x41608c TlsFree
 0x416090 GetModuleHandleW
 0x416094 SetLastError
 0x416098 GetCurrentThreadId
 0x41609c UnhandledExceptionFilter
 0x4160a0 SetUnhandledExceptionFilter
 0x4160a4 IsDebuggerPresent
 0x4160a8 TerminateProcess
 0x4160ac GetCurrentProcess
 0x4160b0 IsProcessorFeaturePresent
 0x4160b4 ExitProcess
 0x4160b8 WriteFile
 0x4160bc GetStdHandle
 0x4160c0 GetModuleFileNameW
 0x4160c4 GetModuleFileNameA
 0x4160c8 FreeEnvironmentStringsW
 0x4160cc GetEnvironmentStringsW
 0x4160d0 SetHandleCount
 0x4160d4 InitializeCriticalSectionAndSpinCount
 0x4160d8 GetFileType
 0x4160dc HeapCreate
 0x4160e0 QueryPerformanceCounter
 0x4160e4 GetTickCount
 0x4160e8 GetCurrentProcessId
 0x4160ec GetSystemTimeAsFileTime
 0x4160f0 GetLocaleInfoW
 0x4160f4 HeapSize
 0x4160f8 GetConsoleCP
 0x4160fc GetConsoleMode
 0x416100 FlushFileBuffers
 0x416104 ReadFile
 0x416108 SetFilePointer
 0x41610c CloseHandle
 0x416110 GetACP
 0x416114 GetOEMCP
 0x416118 IsValidCodePage
 0x41611c GetStringTypeW
 0x416120 HeapReAlloc
 0x416124 GetUserDefaultLCID
 0x416128 GetLocaleInfoA
 0x41612c EnumSystemLocalesA
 0x416130 IsValidLocale
 0x416134 CreateFileW
USER32.dll
 0x41613c SendMessageW
 0x416140 GetClassNameW

EAT(Export Address Table) is none
