popup

Report - temp.exe

PE File PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.21 12:55 Machine s1_win7_x6402
Filename temp.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
5
 Behavior Score
8.8
ZERO API file : malware
VT API (file) 47 detected (malicious, high confidence, GenericKD, Artemis, Unsafe, Rozena, Shelma, MYRZ, Wstw, sdjwo, DownLoader39, R011C0WF821, Gravity, susgen, ASBOL, Encoded, Glupteba, score, ai score=88, 1U+6LbCbUgU, confidence)
md5 d89c813bf46d01f144a20592d371f0cc
sha256 984265f2a1df743a585b3ed1aa138080dbc0e27c66d2472d10a66c916739556c
ssdeep 98304:T1yVjqcy7Vr5Xvdy3FBtCNG7Kmvh6BD1HRx2ZrCluDWtmf:ZyiTXY3mpmbpDYm
imphash 6ed4f5f04d62b18d96b26d6db7c18840
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn
  Network IP location

Signature (17cnts)

Level Description
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
watch BITSAdmin Tool has been invoked to download a file
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Uses suspicious command line tools or Windows utilities
watch Uses Sysinternals tools in order to add additional command line functionality
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
notice Uses Windows utilities for basic Windows functionality
info Queries for the computername

Rules (2cnts)

Level Name Description Collection
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://61.135.169.121/
whois
CN China Unicom Beijing Province Network 61.135.169.121 clean
http://date-flash.com/temp.exe
whois
JP IPTELECOM Global 103.209.101.233 clean
https://103.72.4.166:8443/user/CheckLogin?ticket=C75j6UbqNtpG-jKQRdQ62w
whois
JP IPTELECOM Global 103.72.4.166 clean
https://103.72.4.166:8443/images/logo_max.png
whois
JP IPTELECOM Global 103.72.4.166 clean
https://103.72.4.166:8443/images/logo.png
whois
JP IPTELECOM Global 103.72.4.166 clean
date-flash.com
whois
JP IPTELECOM Global 103.209.101.233 malware
103.72.4.166
whois
JP IPTELECOM Global 103.72.4.166 clean
103.209.101.233
whois
JP IPTELECOM Global 103.209.101.233 malware
61.135.169.121
whois
CN China Unicom Beijing Province Network 61.135.169.121 clean

Suricata ids

ET USER_AGENTS Go HTTP Client User-Agent
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0xa6d028 LoadLibraryA
 0xa6d030 ExitProcess
 0xa6d038 GetProcAddress
 0xa6d040 VirtualProtect

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure