Report - 27364cdfec04f571117b8425e851343b.exe

Tags: Generic Malware, PE File, OS Processor Check, PE32, PE64, DLL, GIF Format
Created 2021.05.18 16:20 Machine s1_win7_x6401
Filename 27364cdfec04f571117b8425e851343b.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 7
Behavior Score 8.4
ZERO API file : malware
VT API (file) 37 detected (AIDetect, malware1, malicious, high confidence, Cerbu, Unsafe, Attribute, HighConfidence, GenKryptik, FFGP, Inject4, Artemis, Outbreak, mjdpy, kcloud, Sabsik, score, ai score=82, R002H0DEH21, CLOUD, confidence)
md5 a1acc4e7065d4eb28cdf9e85973cba16
sha256 816da93bc5b57be3ec3177df62c6bac9c3d12b6c7446acada5f9b74b4a6bac33
ssdeep 12288:R6vFoy4L9GtrB6svl9Wldt9lKD0sDxtv/S20NNEMQq:RgkL2dHqpHM0sqpyY
imphash 62f768540236a83c83fcc280f2976ac9
impfuzzy 24:mDovBu9pOovuiiv8ERRv07JHXuklElfcU9qiK4wx5:HhiW0qlfcUIiK/5

Signature (20cnts)

Level Description
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Creates or sets a registry key to a long series of bytes
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info The executable uses a known packer

Rules (11cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (11cnts)

Request CC ASN Co IP4 Rule ZERO
http://ol.gamegame.info/report7.4.php US CLOUDFLARENET 104.21.21.221 clean
http://ip-api.com/json/?fields=8198 US TUT-AS 208.95.112.1 clean
http://iw.gamegame.info/report7.4.php US CLOUDFLARENET 172.67.200.215 clean
email.yg9.me JP AS-CHOOPA 198.13.62.186 clean
iw.gamegame.info US CLOUDFLARENET 172.67.200.215 clean
ol.gamegame.info US CLOUDFLARENET 104.21.21.221 clean
ip-api.com US TUT-AS 208.95.112.1 clean
198.13.62.186 JP AS-CHOOPA 198.13.62.186 clean
208.95.112.1 US TUT-AS 208.95.112.1 clean
104.21.21.221 US CLOUDFLARENET 104.21.21.221 clean
172.67.200.215 US CLOUDFLARENET 172.67.200.215 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x406000 GetProcAddress
 0x406004 LoadLibraryA
 0x406008 CloseHandle
 0x40600c WriteFile
 0x406010 CreateFileW
 0x406014 GetModuleFileNameW
 0x406018 GetConsoleWindow
 0x40601c GetEnvironmentVariableW
 0x406020 GetCommandLineA
 0x406024 GetVersion
 0x406028 ExitProcess
 0x40602c HeapAlloc
 0x406030 TerminateProcess
 0x406034 GetCurrentProcess
 0x406038 UnhandledExceptionFilter
 0x40603c GetModuleFileNameA
 0x406040 FreeEnvironmentStringsA
 0x406044 FreeEnvironmentStringsW
 0x406048 WideCharToMultiByte
 0x40604c GetEnvironmentStrings
 0x406050 GetEnvironmentStringsW
 0x406054 SetHandleCount
 0x406058 GetStdHandle
 0x40605c GetFileType
 0x406060 GetStartupInfoA
 0x406064 GetCurrentThreadId
 0x406068 TlsSetValue
 0x40606c TlsAlloc
 0x406070 SetLastError
 0x406074 TlsGetValue
 0x406078 GetLastError
 0x40607c GetModuleHandleA
 0x406080 GetEnvironmentVariableA
 0x406084 GetVersionExA
 0x406088 HeapDestroy
 0x40608c HeapCreate
 0x406090 VirtualFree
 0x406094 HeapFree
 0x406098 RtlUnwind
 0x40609c VirtualAlloc
 0x4060a0 HeapReAlloc
 0x4060a4 InitializeCriticalSection
 0x4060a8 EnterCriticalSection
 0x4060ac LeaveCriticalSection
 0x4060b0 GetCPInfo
 0x4060b4 GetACP
 0x4060b8 GetOEMCP
 0x4060bc MultiByteToWideChar
 0x4060c0 LCMapStringA
 0x4060c4 LCMapStringW
 0x4060c8 GetStringTypeA
 0x4060cc GetStringTypeW
 0x4060d0 InterlockedDecrement
 0x4060d4 InterlockedIncrement
USER32.dll
 0x4060dc MoveWindow
 0x4060e0 wsprintfW
ole32.dll
 0x4060e8 CoUninitialize
 0x4060ec CoCreateInstance
 0x4060f0 CoInitialize

EAT (Export Address Table): none