Report - PianoScrap.exe

NPKI North Korea Gen1 Gen2 Emotet Generic Malware Admin Tool (Sysinternals etc ...) Anti_VM Antivirus VMProtect Http API AntiDebug AntiVM PE File PE32 DLL OS Processor Check .NET DLL MSOffice File PNG Format GIF Format PE64 .NET EXE
Created 2021.06.24 20:21 Machine s1_win7_x6402
Filename PianoScrap.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
AI Score 5
Behavior Score 27.6
ZERO API file: clean
VT API (file) 29 detected (AIDetect, malware1, malicious, high confidence, KillFiles, Strictor, GenericRI, S14805165, Unsafe, Save, Eldorado, score, Generic ML PUA, Static AI, Malicious PE, ai score=84, ASMalwS, Tnega, R343616)
md5 2e765a8048bcd67f293f11db938e77c3
sha256 5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5
ssdeep 1536:lTViOcRUBWC2jZP2ITQX5+e7ZnbHJNvgKWEJ4AZD6nm3ZjayurLT:lTUOPWC/IUJtZnbHJGc4w6m3ZjayILT
imphash 378c4792225854c10b4a5f5d67ecdbd2
impfuzzy 48:hpBbLkVScJrOLeA+tAt8tz4eObGLlla/7rEFpV74dT+0Q6U095/1xyAC8L5lSvXG:nBHkVScJrye/q7ygCrXM

Signature (57cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning File has been identified by 29 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Appends a known multi-family ransomware file extension to files that have been encrypted
watch Attempts to modify browser security settings
watch Checks the CPU name from registry
watch Checks the presence of IDE drives in the registry
watch Communicates with host for which no DNS query was performed
watch Connects to an IRC server
watch Creates or sets a registry key to a long series of bytes
watch Detects Virtual Machines through their custom firmware
watch Detects VirtualBox through the presence of a device
watch Detects VirtualBox through the presence of a file
watch Detects VirtualBox through the presence of a registry key
watch Detects VMware through the x86 IN instruction feature
watch Disables proxy possibly for traffic interception
watch Enumerates services
watch Expresses interest in specific running processes
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Network communications indicative of possible code injection originated from the process explorer.exe
watch Queries information on disks
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Tries to detect VirtualPC
watch Zeus P2P (Banking Trojan)
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks for known Chinese AV software registry keys
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a service
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice Reads the system's User Agent and subsequently performs requests
notice Repeatedly searches for a not-found process
notice Resolves a suspicious Top Level Domain (TLD)
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (33cnts)

Level Name Description Collection
danger NorthKorea_Zero Maybe it's North Korea File binaries (download)
danger NPKI_Zero File included NPKI binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch VMProtect_Zero VMProtect packed file binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice Str_Win32_Http_API Match Windows Http API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_DLL (no description) binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)

Network (128cnts)

Request CC ASN Co IP4 Rule ZERO
http://kl.hnayg.com/zkactive/ctl/v2/qinfo.html?uid=74a6032aa894c3a537de6d362f685c90 CN Hangzhou Alibaba Advertising Co.,Ltd. 59.110.159.69 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/d&p=xLuKkTD7FYrn1KGf0d1pS3J2uI8vbMMQdZCObew1G35NkGWUaxY/rEhS0OVoP9qkuI3l6VXz7nvGHW5yib/KwA%3D%3D HK QUANTILNETWORKS 163.171.198.117 clean
http://report.uchiha.ltd/ CN Hangzhou Alibaba Advertising Co.,Ltd. 47.93.117.198 clean
http://mxreport.whooyan.com/ CN Hangzhou Alibaba Advertising Co.,Ltd. 101.200.147.119 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/d&p=xLuKkTD7FYrn1KGf0d1pS8VsD0RJ%2BB/azLdXTIBJEaZEgoZX6k3g9qcj6f1izDRQaHEbdKVMY0KnIblHwcjmrg%3D%3D HK QUANTILNETWORKS 163.171.198.117 clean
http://g.zapi.binghuokeji.cn/?r=/v3/pp/lf&p=bySKbGTEED0if6D4enWJnQxZaCtGpyNwvR1%2BjP1o3N4fMVR0FYSSXYKpiwlwIdeg HK QUANTILNETWORKS 163.171.198.117 clean
http://down.wdmuz.com/wy/wyp1.dat KR Korea Telecom 119.206.200.181 clean
http://union.juzizm.com/api/count/setup2 CN CHINANET Guangdong province network 106.75.135.138 clean
http://dl.binghuokeji.cn/d/imgs/syyng.png KR Korea Telecom 119.206.200.180 clean
http://down.gametoplist.top/60b5f24b88583/IMedia-553.exe CN CHINA UNICOM China169 Backbone 218.12.76.151 clean
http://tj.rxgif.cn/api/logs CN CHINANET Guangdong province network 106.75.135.138 clean
http://tj.rxgif.cn/api/live/server CN CHINANET Guangdong province network 106.75.135.138 clean
http://down.wdmuz.com/wy/wyp1.dat?48507900 KR Korea Telecom 119.206.200.181 clean
http://g.zapi.binghuokeji.cn/microtime/ KR Korea Telecom 119.206.200.181 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/r1 HK QUANTILNETWORKS 163.171.198.117 clean
http://shdl.wdmuz.com/bjlc/87cbca115561d04afe4c965dd803098a.cdd?rand=85070 KR Korea Telecom 119.206.200.180 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/popup/p1 HK QUANTILNETWORKS 163.171.198.117 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i5 HK QUANTILNETWORKS 163.171.198.117 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/t&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK HK QUANTILNETWORKS 163.171.198.117 clean
http://down1.abckantu.com/11a9df7ff83a058afaadb5a09da594ae.data CN CHINA UNICOM China169 Backbone 42.56.79.236 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i6 HK QUANTILNETWORKS 163.171.198.117 clean
http://down.rxgif.cn/ddxm/Setup_10011.exe KR Korea Telecom 119.206.200.180 clean
http://download.52pcfree.com/k52zip/k52zip20210520-220-21.exe CN Quanzhou 125.77.167.184 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i2 HK QUANTILNETWORKS 163.171.198.117 clean
http://g.zapi.binghuokeji.cn/?r=/v3/pp/l&p=bySKbGTEED0if6D4enWJnQxZaCtGpyNwvR1%2BjP1o3N4fMVR0FYSSXYKpiwlwIdeg KR Korea Telecom 119.206.200.181 clean
http://config.i.duba.net/rcmdsoft/11/1/sencecfg.dat CN Chinanet 180.97.251.192 clean
http://down1.thorzip.muxin.fun/report/queryinfo.xml CN CHINA UNICOM China169 Backbone 119.6.229.137 clean
http://api.mxgcat.wang/84e3aa4c7cb77c6933867ee34cb49c32.json CN CHINA UNICOM China169 Backbone 119.39.80.117 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/i&p=SxInsX/RJYZFLz7ztyfMIDL%2BGa9IB3Wjc0bUqn3/WR3cqUoBQ1fPqp/GqBYrObWp/4LvN/YAJhMOXv%2BfLeFo3w%3D%3D HK QUANTILNETWORKS 163.171.198.117 clean
http://down1.thorzip.muxin.fun/logo/v1.0.0.2/ShellExtStrategyDll64.gif CN CHINA UNICOM China169 Backbone 119.6.229.137 clean
http://tj.wdmuz.com/lc-spbj.php?uid=262f2de5d68b2fac5ccaac65dbf7853f&qid=null&softname=bangong&softid=shanzip&softver= CN China Unicom Beijing Province Network 106.75.31.186 clean
http://config.i.duba.net/rcmdsoft/db/kzip_install_pushdb02.zip CN Chinanet 180.97.251.192 clean
http://down.rxgif.cn/DBlink/LnockRarsly.exe KR Korea Telecom 119.206.200.180 clean
http://cdn-office.lanshan.com/package/tui/downloadtool/office/OfficeDownloaderInstall_0_100016_lanshan.exe CN CHINA UNICOM China169 Backbone 211.91.160.215 clean
http://xz.8dashi.com/qd/mastercfgoo.ini?v2021062544904 KR Korea Telecom 119.206.200.180 clean
http://down2.thorzip.muxin.fun/60fffd6d5d24aa987a843c4d3a0980b4.data CN CHINA UNICOM China169 Backbone 211.91.160.215 clean
http://down.rxgif.cn/ddcfg/ddcfgs.ini KR Korea Telecom 119.206.200.180 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/l2 HK QUANTILNETWORKS 163.171.198.117 clean
http://infoc0.duba.net/nep/v1/ CN Shenzhen Tencent Computer Systems Company Limited 193.112.235.183 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/c&p=PHOja0XI6Hpo1VJzU/gs6k0Ptg8TIvoCwg%2Bx8C0Vu7iDJfI9mnwYtk%2BKuGb/ttx2TQpoRsLAIagyRsjWT58KK4i1X1%2BYNCfaVA3ifMdOA48%3D HK QUANTILNETWORKS 163.171.198.117 clean
http://tj.wdmuz.com/pipil.php CN China Unicom Beijing Province Network 106.75.31.186 clean
http://infoc2.duba.net/c/ CN Shenzhen Tencent Computer Systems Company Limited 193.112.235.183 clean
http://union.infoc.duba.net/nep/v1/ CN Shenzhen Tencent Computer Systems Company Limited 119.29.47.96 clean
http://down1.abckantu.com/shouheng_1/abckantu_2722097895_shouheng_001.exe CN CHINA UNICOM China169 Backbone 14.204.144.133 clean
http://dl.binghuokeji.cn/img/mtcf.png KR Korea Telecom 119.206.200.180 clean
http://s.syzs.qq.com/channel/6/17100/syzs03_1000219144.exe CN Tencent Building, Kejizhongyi Avenue 203.205.157.59 clean
http://download.52pcfree.com/fastpdf/Fastpdf_setup_ver21042017.420.1.1.1.exe CN Quanzhou 125.77.167.183 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/b&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK HK QUANTILNETWORKS 163.171.198.117 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/r2 KR Korea Telecom 119.206.200.181 clean
http://dl.binghuokeji.cn/FlashZip/tsk_bjrj KR Korea Telecom 119.206.200.180 clean
http://dn.earpan.com/store/pic_soft45181.exe CN China Telecom (Group) 61.172.205.219 clean
http://dl.binghuokeji.cn/d/ghwuxPEi/FlashZip_2710.exe KR Korea Telecom 119.206.200.180 clean
http://g.zapi.binghuokeji.cn/?r=/v3/pp/tl&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK KR Korea Telecom 119.206.200.181 clean
http://down2.thorzip.muxin.fun/tiangua_2/leishenzip_247915520_tiangua_001.exe CN CHINA UNICOM China169 Backbone 119.36.226.151 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s4 HK QUANTILNETWORKS 163.171.198.117 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s3 HK QUANTILNETWORKS 163.171.198.117 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s1 HK QUANTILNETWORKS 163.171.198.117 clean
http://info.52pcfree.com/c/ CN Shenzhen Tencent Computer Systems Company Limited 139.199.214.236 clean
http://tj.rxgif.cn/api/down/dd CN CHINANET Guangdong province network 106.75.135.138 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/d&p=xLuKkTD7FYrn1KGf0d1pS4JsN/4dJva6ouBTswyspvZHobJcEPjUq0ampBCtF858ClIqSQQ5jhcq7JuelnnYNQ%3D%3D KR Korea Telecom 119.206.200.181 clean
http://api.mxgcat.wang/84e3aa4c7cb77c6933867ee34cb49c32.md5 CN CHINA UNICOM China169 Backbone 119.6.229.137 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/b&p=VmyjhZ1V79QDl18vfKISlyjyKkbpyH4HuhPbyes/VOY8dEbsXOgBetY77HbUlW17 KR Korea Telecom 119.206.200.181 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/r&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK KR Korea Telecom 119.206.200.181 clean
http://down1.thorzip.muxin.fun/shell2.json CN CHINA UNICOM China169 Backbone 36.248.43.220 clean
http://g.zapi.binghuokeji.cn/?r=/v3/cp/u&p=VmyjhZ1V79QDl18vfKISlyjyKkbpyH4HuhPbyes/VOY8dEbsXOgBetY77HbUlW17 KR Korea Telecom 119.206.200.181 clean
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/pkg/l1 HK QUANTILNETWORKS 163.171.198.117 clean
http://dbsu.cmcm.com/uv?t=1624564187 CN Shenzhen Tencent Computer Systems Company Limited 111.230.160.42 clean
http://dl.binghuokeji.cn/img/tbmsc.jpg KR Korea Telecom 119.206.200.180 clean
shdl.wdmuz.com KR Korea Telecom 119.206.200.180 clean
g.zapi.binghuokeji.cn HK QUANTILNETWORKS 163.171.198.117 clean
union.infoc.duba.net CN Shenzhen Tencent Computer Systems Company Limited 193.112.235.183 clean
report.thorzip.muxin.fun Unknown clean
dl.binghuokeji.cn KR Korea Telecom 119.206.200.180 clean
down1.thorzip.muxin.fun CN CHINA UNICOM China169 Backbone 119.39.80.117 clean
download.52pcfree.com CN Quanzhou 125.77.167.184 clean
dbsu.cmcm.com CN Shenzhen Tencent Computer Systems Company Limited 111.230.160.42 clean
mxreport.whooyan.com CN Hangzhou Alibaba Advertising Co.,Ltd. 101.200.147.119 clean
dn.earpan.com CN China Telecom (Group) 61.172.205.219 clean
down.wdmuz.com KR Korea Telecom 119.206.200.181 clean
down1.abckantu.com CN CHINA UNICOM China169 Backbone 42.56.79.236 clean
u-d-office.lanshan.com CN Shenzhen Tencent Computer Systems Company Limited 49.233.242.159 clean
cdn-office.lanshan.com CN CHINA UNICOM China169 Backbone 14.204.144.133 clean
tj.wdmuz.com CN China Unicom Beijing Province Network 106.75.31.186 clean
p.zapi.binghuokeji.cn HK QUANTILNETWORKS 163.171.198.117 clean
www.baidu.com JP Baidu, Inc. 119.63.197.139 clean
info.52pcfree.com CN Shenzhen Tencent Computer Systems Company Limited 139.199.214.236 clean
s.syzs.qq.com CN Tencent Building, Kejizhongyi Avenue 211.152.132.122 clean
union.juzizm.com CN CHINANET Guangdong province network 106.75.135.138 clean
down.rxgif.cn KR Korea Telecom 119.206.200.180 clean
api.mxgcat.wang CN CHINA UNICOM China169 Backbone 42.56.79.236 clean
report.uchiha.ltd CN Hangzhou Alibaba Advertising Co.,Ltd. 47.95.193.173 clean
config.i.duba.net CN Chinanet 180.97.251.192 clean
infoc0.duba.net CN Shenzhen Tencent Computer Systems Company Limited 119.29.47.96 clean
xz.8dashi.com KR Korea Telecom 119.206.200.180 clean
tj.rxgif.cn CN CHINANET Guangdong province network 106.75.135.138 clean
down.gametoplist.top CN CHINA UNICOM China169 Backbone 218.12.76.151 clean
kl.hnayg.com CN Hangzhou Alibaba Advertising Co.,Ltd. 59.110.159.69 clean
down2.thorzip.muxin.fun CN CHINA UNICOM China169 Backbone 119.36.226.154 clean
infoc2.duba.net CN Shenzhen Tencent Computer Systems Company Limited 111.230.117.40 clean
47.95.193.173 CN Hangzhou Alibaba Advertising Co.,Ltd. 47.95.193.173 clean
202.122.145.86 MY Binariang Berhad 202.122.145.86 clean
111.230.160.42 CN Shenzhen Tencent Computer Systems Company Limited 111.230.160.42 clean
59.110.159.69 CN Hangzhou Alibaba Advertising Co.,Ltd. 59.110.159.69 clean
119.206.200.180 KR Korea Telecom 119.206.200.180 malware
111.230.117.40 CN Shenzhen Tencent Computer Systems Company Limited 111.230.117.40 clean
139.199.214.236 CN Shenzhen Tencent Computer Systems Company Limited 139.199.214.236 clean
42.56.79.236 CN CHINA UNICOM China169 Backbone 42.56.79.236 clean
119.6.229.138 CN CHINA UNICOM China169 Backbone 119.6.229.138 malware
211.159.130.115 CN Shenzhen Tencent Computer Systems Company Limited 211.159.130.115 clean
106.75.31.186 CN China Unicom Beijing Province Network 106.75.31.186 clean
119.36.33.98 CN CHINA UNICOM China169 Backbone 119.36.33.98 clean
49.233.242.159 CN Shenzhen Tencent Computer Systems Company Limited 49.233.242.159 clean
119.39.80.117 CN CHINA UNICOM China169 Backbone 119.39.80.117 malware
125.77.167.183 CN Quanzhou 125.77.167.183 clean
123.57.234.67 CN Hangzhou Alibaba Advertising Co.,Ltd. 123.57.234.67 clean
36.248.43.220 CN CHINA UNICOM China169 Backbone 36.248.43.220 malware
119.36.226.154 CN CHINA UNICOM China169 Backbone 119.36.226.154 clean
211.91.160.215 CN CHINA UNICOM China169 Backbone 211.91.160.215 malware
61.172.205.219 CN China Telecom (Group) 61.172.205.219 malware
163.171.198.117 HK QUANTILNETWORKS 163.171.198.117 clean
119.206.200.181 KR Korea Telecom 119.206.200.181 malware
123.56.69.34 CN Hangzhou Alibaba Advertising Co.,Ltd. 123.56.69.34 clean
211.159.130.100 CN Shenzhen Tencent Computer Systems Company Limited 211.159.130.100 clean
106.75.135.138 CN CHINANET Guangdong province network 106.75.135.138 clean
211.152.132.122 CN Tencent Building, Kejizhongyi Avenue 211.152.132.122 clean
119.63.197.151 JP Baidu, Inc. 119.63.197.151 clean
180.97.251.192 CN Chinanet 180.97.251.192 clean
120.52.95.242 CN China Unicom IP network 120.52.95.242 malware

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x40805c GlobalLock
 0x408060 GlobalAlloc
 0x408064 CloseHandle
 0x408068 SetFileTime
 0x40806c CompareFileTime
 0x408070 SearchPathA
 0x408074 GetShortPathNameA
 0x408078 GetFullPathNameA
 0x40807c MoveFileA
 0x408080 SetCurrentDirectoryA
 0x408084 GetFileAttributesA
 0x408088 GetLastError
 0x40808c CreateDirectoryA
 0x408090 SetFileAttributesA
 0x408094 Sleep
 0x408098 GetTickCount
 0x40809c GetFileSize
 0x4080a0 GetModuleFileNameA
 0x4080a4 GetCurrentProcess
 0x4080a8 CopyFileA
 0x4080ac ExitProcess
 0x4080b0 GlobalUnlock
 0x4080b4 GetTempPathA
 0x4080b8 GetCommandLineA
 0x4080bc SetErrorMode
 0x4080c0 lstrcpyA
 0x4080c4 lstrcpynA
 0x4080c8 lstrcatA
 0x4080cc LoadLibraryA
 0x4080d0 lstrlenA
 0x4080d4 WideCharToMultiByte
 0x4080d8 VirtualAlloc
 0x4080dc VirtualProtect
 0x4080e0 GetDiskFreeSpaceA
 0x4080e4 CreateThread
 0x4080e8 CreateProcessA
 0x4080ec RemoveDirectoryA
 0x4080f0 CreateFileA
 0x4080f4 GetTempFileNameA
 0x4080f8 GetSystemDirectoryA
 0x4080fc GetVersion
 0x408100 lstrcmpiA
 0x408104 lstrcmpA
 0x408108 ExpandEnvironmentStringsA
 0x40810c GlobalFree
 0x408110 WaitForSingleObject
 0x408114 GetExitCodeProcess
 0x408118 GetModuleHandleA
 0x40811c LoadLibraryExA
 0x408120 GetProcAddress
 0x408124 FreeLibrary
 0x408128 MulDiv
 0x40812c MultiByteToWideChar
 0x408130 WritePrivateProfileStringA
 0x408134 GetPrivateProfileStringA
 0x408138 WriteFile
 0x40813c ReadFile
 0x408140 SetFilePointer
 0x408144 FindClose
 0x408148 FindNextFileA
 0x40814c FindFirstFileA
 0x408150 DeleteFileA
 0x408154 GlobalSize
 0x408158 GetWindowsDirectoryA
USER32.dll
 0x40817c SetClassLongA
 0x408180 IsWindowEnabled
 0x408184 GetSysColor
 0x408188 GetWindowLongA
 0x40818c SetCursor
 0x408190 LoadCursorA
 0x408194 CheckDlgButton
 0x408198 GetMessagePos
 0x40819c LoadBitmapA
 0x4081a0 CallWindowProcA
 0x4081a4 IsWindowVisible
 0x4081a8 CloseClipboard
 0x4081ac SetClipboardData
 0x4081b0 EmptyClipboard
 0x4081b4 OpenClipboard
 0x4081b8 TrackPopupMenu
 0x4081bc GetSystemMenu
 0x4081c0 CreatePopupMenu
 0x4081c4 GetSystemMetrics
 0x4081c8 SetDlgItemTextA
 0x4081cc GetDlgItemTextA
 0x4081d0 MessageBoxIndirectA
 0x4081d4 CharPrevA
 0x4081d8 DispatchMessageA
 0x4081dc PeekMessageA
 0x4081e0 RegisterClassA
 0x4081e4 DialogBoxParamA
 0x4081e8 CharNextA
 0x4081ec ExitWindowsEx
 0x4081f0 DestroyWindow
 0x4081f4 CreateDialogParamA
 0x4081f8 SetTimer
 0x4081fc SetWindowTextA
 0x408200 EnableMenuItem
 0x408204 GetWindowRect
 0x408208 ScreenToClient
 0x40820c SetWindowPos
 0x408210 EndDialog
 0x408214 AppendMenuA
 0x408218 GetClassInfoA
 0x40821c PostQuitMessage
 0x408220 SetForegroundWindow
 0x408224 ShowWindow
 0x408228 wsprintfA
 0x40822c FindWindowExA
 0x408230 IsWindow
 0x408234 GetDlgItem
 0x408238 SetWindowLongA
 0x40823c GetClientRect
 0x408240 LoadImageA
 0x408244 GetDC
 0x408248 EnableWindow
 0x40824c InvalidateRect
 0x408250 SendMessageA
 0x408254 SendMessageTimeoutA
GDI32.dll
 0x40803c SetBkMode
 0x408040 SetBkColor
 0x408044 CreateBrushIndirect
 0x408048 DeleteObject
 0x40804c GetDeviceCaps
 0x408050 SetTextColor
 0x408054 CreateFontIndirectA
SHELL32.dll
 0x408160 SHGetPathFromIDListA
 0x408164 SHBrowseForFolderA
 0x408168 SHGetFileInfoA
 0x40816c ShellExecuteA
 0x408170 SHFileOperationA
 0x408174 SHGetSpecialFolderLocation
ADVAPI32.dll
 0x408000 RegSetValueExA
 0x408004 RegCreateKeyExA
 0x408008 RegQueryValueExA
 0x40800c RegEnumKeyA
 0x408010 RegOpenKeyExA
 0x408014 RegDeleteKeyA
 0x408018 RegDeleteValueA
 0x40801c RegEnumValueA
 0x408020 RegCloseKey
COMCTL32.dll
 0x408028 ImageList_AddMasked
 0x40802c ImageList_Destroy
 0x408030 None
 0x408034 ImageList_Create
ole32.dll
 0x40826c CLSIDFromString
 0x408270 OleInitialize
 0x408274 OleUninitialize
 0x408278 CoTaskMemFree
 0x40827c StringFromGUID2
 0x408280 CoCreateInstance
VERSION.dll
 0x40825c GetFileVersionInfoA
 0x408260 VerQueryValueA
 0x408264 GetFileVersionInfoSizeA

EAT (Export Address Table) is none

Similarity measure (PE file only)