popup

Report - ll.exe

VMProtect PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.04 22:50 Machine s1_win7_x6402
Filename ll.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
3.0
ZERO API file : clean
VT API (file) 41 detected (AIDetect, malware2, GenericKD, Artemis, Unsafe, malicious, Attribute, HighConfidence, HackTool, Hucline, YzY0OjRX0sf5hpHa, Malware@#kjcnbwyvnow, AGEN, ai score=83, ASMalwS, kcloud, Htran, score, ZexaF, eG0@aWxzAbbi, R002H0CES21, Swbm, Static AI, Malicious PE, confidence)
md5 5b3ed99a5ef7ee49436e38a6fc7bf50d
sha256 e774b7f932285699d9694b975994d5bc9de742d16ae5b3e9ea5ef90516b17191
ssdeep 1536:04dWMRqsQZ15VggWGDbnBLKDZzrN6hF3UkdyXjR16EfYbeZx2+RO9yKMB:dQGqs4qgWGDTBLMZV0UN16EQiRO9I
imphash 1b95cdaa4c3b1b95239c5d3a0dc57514
impfuzzy 3:oCsYhszsSWmsO7Sx2AEZsS9KTXzhAXwEQaxRegRWD3n:T9huv4ERGDzyRzwD3
  Network IP location

Signature (6cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
info Command line console output was observed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (3cnts)

Level Name Description Collection
watch VMProtect_Zero VMProtect packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

WS2_32.dll
 0x435071 getpeername
KERNEL32.dll
 0x434b59 GetStdHandle
KERNEL32.dll
 0x434f18 GetModuleHandleA
 0x434f1c GetProcAddress
 0x434f20 VirtualProtect
user32.dll
 0x42519a MessageBoxA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure