Report - xy_cjz_37658_315d8b4zbmga.exe

Tags: PE File, PE32, PNG Format, GIF Format, JPEG Format
Created: 2021.06.09 22:21
Machine: s1_win7_x6401
Filename: xy_cjz_37658_315d8b4zbmga.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 7
Behavior Score: 8.0
ZERO API (file): clean
VT API (file): 42 detected (Hyperborea, Artemis, Unsafe, qwiard, malicious, confidence, 100%, Jacard, fmxctm, Malware@#1156om7dcxn0d, 0NA103JU20, Generic ML PUA, cqiu, qckcf, Score, ASMalwS, HackTool, AutoKMS, ai score=100, susgen)
md5: f99d0fc489a7258c29ec765cf1e2624a
sha256: 194c31cd0d620ef3c2772030924e28afb54f0a087d4b6c1c73c57f3de8f09222
ssdeep: 49152:ENVJk7WTiwEqg9OlppXsZuXiO9ztg15s/DwfxCro2lhf8QHx8etJOHrIgl:+VJk6DEq9p9WuXiKzq15skpCU2HPR50L
imphash: 09a2e2c06ba2d6163c72d330b716ac6c
impfuzzy: 12:mDzjAb6w1qwDDMgTQFjhnbAWg0sgypcMsXuqXz8cSx:mDnDw1qw3KdUgsgM2Vz8c4

Signatures (19)

Level Description
danger File has been identified by 42 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
watch Disables proxy possibly for traffic interception
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Foreign language identified in PE resource
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (5)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)

Network (5)

Request | CC | ASN (Company) | IPv4 | Rule | ZERO
http://www.xy.com/lander/cjz?adkey=39216&appname=xy_cjz_37658_315d8b4zbmga | CN | Shenzhen Tencent Computer Systems Company Limited | 118.25.169.187 | - | clean
cjz.static.xyimg.net | - | Unknown | - | - | clean
www.xy.com | CN | Shenzhen Tencent Computer Systems Company Limited | 118.25.169.187 | - | clean
118.25.169.187 | CN | Shenzhen Tencent Computer Systems Company Limited | 118.25.169.187 | - | clean
66.154.113.12 | US | ASN-QUADRANET-GLOBAL | 66.154.113.12 | - | clean

Suricata IDS: no alerts listed

PE API

IAT (Import Address Table)

kernel32.dll
 0x9d0f5c GetProcAddress
 0x9d0f60 GetModuleHandleA
 0x9d0f64 LoadLibraryA
oleaut32.dll
 0x9d1214 SysFreeString
advapi32.dll
 0x9d121c RegQueryValueExW
user32.dll
 0x9d1224 MessageBoxA
user32.dll
 0x9d122c SetClassLongW
gdi32.dll
 0x9d1234 WidenPath
version.dll
 0x9d123c VerQueryValueW
advapi32.dll
 0x9d1244 RegUnLoadKeyW
oleaut32.dll
 0x9d124c SafeArrayPtrOfIndex
oleaut32.dll
 0x9d1254 CreateErrorInfo
ole32.dll
 0x9d125c CreateStreamOnHGlobal
comctl32.dll
 0x9d1264 InitializeFlatSB
user32.dll
 0x9d126c EnumDisplayMonitors
msvcrt.dll
 0x9d1274 memset
shell32.dll
 0x9d127c ShellExecuteW
shell32.dll
 0x9d1284 SHGetSpecialFolderLocation
winspool.drv
 0x9d128c OpenPrinterW
winspool.drv
 0x9d1294 GetDefaultPrinterW
gdiplus.dll
 0x9d129c GdipEmfToWmfBits

EAT (Export Address Table)

0x462eec TMethodImplementationIntercept
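Added example, not part of the sandbox report: a stdlib-only Python script that transcribes the IAT listed above and does two things with it. First, it rebuilds the string that pefile's get_imphash() hashes (lowercased "dll.func" pairs in import-descriptor order, extension stripped only for .dll/.ocx/.sys, comma-joined, then MD5); if the listing above is complete and in descriptor order, the digest should reproduce the imphash in the report header, and ordinal-only imports or a reordered listing are the usual reasons it would not. Second, it scores the packer-stub shape visible here: kernel32 reduced to GetProcAddress/GetModuleHandleA/LoadLibraryA, 18 of 19 descriptors carrying exactly one import, and the same DLL (user32, oleaut32, advapi32, shell32, winspool.drv) split across several descriptors. That layout is what packers leave behind so each DLL is still mapped by the loader while the real imports are resolved at run time, and it is consistent with the report's "uses a known packer" signature. The ORDINARY_IAT contrast case and the 0.8 single-import threshold are constructed assumptions, not data from the report.

```python
import hashlib
from collections import Counter

# Import directory transcribed from the report's IAT section, as a list of
# (dll, [functions]) descriptors in the order the report lists them. Repeated
# DLL names are kept as separate descriptors, exactly as the report shows them.
REPORT_IAT = [
    ("kernel32.dll", ["GetProcAddress", "GetModuleHandleA", "LoadLibraryA"]),
    ("oleaut32.dll", ["SysFreeString"]),
    ("advapi32.dll", ["RegQueryValueExW"]),
    ("user32.dll", ["MessageBoxA"]),
    ("user32.dll", ["SetClassLongW"]),
    ("gdi32.dll", ["WidenPath"]),
    ("version.dll", ["VerQueryValueW"]),
    ("advapi32.dll", ["RegUnLoadKeyW"]),
    ("oleaut32.dll", ["SafeArrayPtrOfIndex"]),
    ("oleaut32.dll", ["CreateErrorInfo"]),
    ("ole32.dll", ["CreateStreamOnHGlobal"]),
    ("comctl32.dll", ["InitializeFlatSB"]),
    ("user32.dll", ["EnumDisplayMonitors"]),
    ("msvcrt.dll", ["memset"]),
    ("shell32.dll", ["ShellExecuteW"]),
    ("shell32.dll", ["SHGetSpecialFolderLocation"]),
    ("winspool.drv", ["OpenPrinterW"]),
    ("winspool.drv", ["GetDefaultPrinterW"]),
    ("gdiplus.dll", ["GdipEmfToWmfBits"]),
]

# Constructed contrast case (assumption, not from the report): the kind of
# import directory an unpacked C program carries, many real imports per DLL.
ORDINARY_IAT = [
    ("kernel32.dll", ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                      "GetLastError", "HeapAlloc", "HeapFree", "ExitProcess",
                      "GetProcAddress", "LoadLibraryA"]),
    ("user32.dll", ["MessageBoxW", "GetDesktopWindow", "LoadStringW"]),
    ("advapi32.dll", ["RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"]),
]

# The only imports a packer stub needs in order to resolve everything else
# itself at run time.
LOADER_STUB = {"getprocaddress", "getmodulehandlea", "getmodulehandlew",
               "loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def imphash_input(iat):
    """Build the string pefile hashes for imphash: 'dll.func' pairs, lowercased,
    extension stripped only for .dll/.ocx/.sys (so 'winspool.drv' keeps its
    extension), in import-descriptor order, joined with commas."""
    parts = []
    for dll, funcs in iat:
        name = dll.lower()
        base, _, ext = name.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            name = base
        parts.extend(f"{name}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(iat):
    """MD5 hex digest of the imphash input string, as pefile computes it."""
    return hashlib.md5(imphash_input(iat).encode("ascii")).hexdigest()


def iat_profile(iat):
    """Summarise the import directory and flag the packer-stub pattern:
    kernel32 reduced to loader functions, nearly every descriptor carrying a
    single import, and the same DLL split over several descriptors."""
    n_imports = sum(len(funcs) for _, funcs in iat)
    n_descriptors = len(iat)
    single = sum(1 for _, funcs in iat if len(funcs) == 1)
    by_dll = Counter(dll.lower() for dll, _ in iat)
    repeated = sum(1 for count in by_dll.values() if count > 1)
    kernel32 = {f.lower() for dll, funcs in iat
                if dll.lower() == "kernel32.dll" for f in funcs}
    stub_only = bool(kernel32) and kernel32 <= LOADER_STUB
    single_ratio = single / n_descriptors if n_descriptors else 0.0
    packed = stub_only and single_ratio >= 0.8   # 0.8 is an assumed threshold
    return {
        "imports": n_imports,
        "descriptors": n_descriptors,
        "single_import_descriptors": single,
        "repeated_dlls": repeated,
        "kernel32_loader_stub_only": stub_only,
        "verdict": "packer-style stub IAT" if packed else "ordinary IAT",
    }


if __name__ == "__main__":
    for label, iat in (("report", REPORT_IAT), ("constructed ordinary", ORDINARY_IAT)):
        print(label, iat_profile(iat), imphash(iat))
```

On a real sample the transcribed list is replaced by pefile's DIRECTORY_ENTRY_IMPORT walk; the scoring logic is unchanged. A stub-only kernel32 with single-import descriptors is a strong hint to unpack (dump after the RWX region is populated, then rebuild the IAT) before judging the binary by its static imports, since MessageBoxA, ShellExecuteW and the printer APIs here say nothing about what the unpacked code actually calls.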

