Report - winsys.exe

UPX Malicious Library PE File PE64

ScreenShot

Info
Location map


Created	2021.06.24 20:07	Machine	s1_win7_x6401
Filename	winsys.exe
Type	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
AI Score	2	Behavior Score	3.2
ZERO API	file : clean
VT API (file)	48 detected (malicious, high confidence, GenericKD, Unsafe, Ymacco, TrojanPSW, BroPass, RYFH, a variant of WinGo, iuhycu, qqpass, Qqrob, R007C0WDK21, Trickbot, zoohd, score, Artemis, ai score=89, CLOUD, ZrfqZPo7xPk, Static AI, Suspicious PE, confidence, 100%)
md5	0d72c4f5d4b2dac75fc4eae84317b64d
sha256	3554975f4212b9bdae2e57cc3d713ad8e6e43ad02bbe8cc6890eca1fdfb1b0a4
ssdeep	49152:acvwYuHpVMvyff3CK5j3gwlkJWSe2nWQkbZCjX:Jvw7pVEQv95j3giwWP2nd4
imphash	9aebf3da4677af9275c461261e5abde3
impfuzzy	3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRGUq:dBJAEoZ/OEGDzyRs

Network IP location

Signature (6cnts)

Level	Description
danger	File has been identified by 48 AntiVirus engines on VirusTotal as malicious
watch	Detects the presence of Wine emulator
notice	Steals private information from local Internet browsers
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	The executable is compressed using UPX
info	Command line console output was observed

Rules (4cnts)

Level	Name	Description	Collection
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (upload)
info	IsPE64	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (0cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
0xa5e03c LoadLibraryA
0xa5e044 ExitProcess
0xa5e04c GetProcAddress
0xa5e054 VirtualProtect
msvcrt.dll
0xa5e064 exit

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure