Report - a

Malicious Library PE File PE32
Created 2021.06.07 09:50 Machine s1_win7_x6402
Filename a
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
6
Behavior Score
3.2
ZERO API (file): clean
VT API (file) 52 detected (AIDetect, malware1, malicious, high confidence, Siggen2, rCW@IDYVMll, Unsafe, Save, Diple, Eldorado, Cobalt, Rozena, HacktoolX, CobaltStrike, hpcmlv, Gencirc, A + ATK, Cometer, Score, XPACK, Gen7, ASMalwS, R329694, GenericRXMO, ai score=88, CLASSIC, GenAsa, C5jzoNrl5s, Static AI, Malicious PE, susgen, confidence)
md5 b1ce868636e96a555f1076d7224b3083
sha256 2231fe26243e074c03019cb2e2a4f25c0ef60bc9e82022f3e88fc77c4bf18102
ssdeep 6144:DRlvlnmPG9j7RoTcqZ2SV4wVg2w9HJoV3jzrLBC:D7tn/p4cqZ2SyrHJodjzf4
imphash dc25ee78e2ef4d36faa0badf1e7461c9
impfuzzy 24:Q2kfiK1JlDzncLLb9Lezd5XGDZEkqkoDquQZn:gfiK1jcTtezdJGVEkqkoqz

Signatures (6 counts)

Level Description
danger File has been identified by 52 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice A process attempted to delay the analysis task
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
info Queries for the computername

Rules (3 counts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2 counts)

Request Country/ASN/Company IPv4 ZERO
http://121.4.243.112:8089/activity Unknown 121.4.243.112 clean
121.4.243.112 Unknown 121.4.243.112 clean

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x448138 CloseHandle
 0x44813c ConnectNamedPipe
 0x448140 CreateFileA
 0x448144 CreateNamedPipeA
 0x448148 CreateThread
 0x44814c DeleteCriticalSection
 0x448150 EnterCriticalSection
 0x448154 FreeLibrary
 0x448158 GetCurrentProcess
 0x44815c GetCurrentProcessId
 0x448160 GetCurrentThreadId
 0x448164 GetLastError
 0x448168 GetModuleHandleA
 0x44816c GetProcAddress
 0x448170 GetStartupInfoA
 0x448174 GetSystemTimeAsFileTime
 0x448178 GetTickCount
 0x44817c InitializeCriticalSection
 0x448180 LeaveCriticalSection
 0x448184 LoadLibraryA
 0x448188 LoadLibraryW
 0x44818c QueryPerformanceCounter
 0x448190 ReadFile
 0x448194 SetUnhandledExceptionFilter
 0x448198 Sleep
 0x44819c TerminateProcess
 0x4481a0 TlsGetValue
 0x4481a4 UnhandledExceptionFilter
 0x4481a8 VirtualAlloc
 0x4481ac VirtualProtect
 0x4481b0 VirtualQuery
 0x4481b4 WriteFile
msvcrt.dll
 0x4481bc __dllonexit
 0x4481c0 __getmainargs
 0x4481c4 __initenv
 0x4481c8 __lconv_init
 0x4481cc __set_app_type
 0x4481d0 __setusermatherr
 0x4481d4 _acmdln
 0x4481d8 _amsg_exit
 0x4481dc _cexit
 0x4481e0 _fmode
 0x4481e4 _initterm
 0x4481e8 _iob
 0x4481ec _lock
 0x4481f0 _onexit
 0x4481f4 _unlock
 0x4481f8 _winmajor
 0x4481fc abort
 0x448200 calloc
 0x448204 exit
 0x448208 fprintf
 0x44820c free
 0x448210 fwrite
 0x448214 malloc
 0x448218 memcpy
 0x44821c signal
 0x448220 sprintf
 0x448224 strlen
 0x448228 strncmp
 0x44822c vfprintf

EAT (Export Address Table): none