Report - 2022c578cf7429b85615d4819d161edc.exe

Gen2 PE File OS Processor Check PE32 DLL GIF Format
Created 2021.06.25 09:38 Machine s1_win7_x6402
Filename 2022c578cf7429b85615d4819d161edc.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 3
Behavior Score 8.8
ZERO API file : clean
VT API (file) 47 detected (malicious, high confidence, Inject4, GenericKD, Unsafe, Save, Zenlod, OAML, Attribute, HighConfidence, DropperX, Generic ML PUA, Malware@#1w0ix92xqhrt4, R06BC0WFL21, susgen, jwrep, ASMalwS, kcloud, Azorult, score, R426623, ai score=99, PossibleThreat)
md5 41c69a7f93fbe7edc44fd1b09795fa67
sha256 8b720f6963165f9aca1600e2e3efb04a7162014d0d738fb7f8b9872019f49bd5
ssdeep 12288:Umn1vBXNJl0P3ZbcCAjqH0d5i+qUH6wyZQMvvdgMiCiT:n1vJNJla39cGH0dg7sOlQCiT
imphash a044253673528dd98a9dd008f2a6b058
impfuzzy 24:V0DWMU1tMS1hGhlJnc+pl39boEOovbOuHhZHuQ4vNAKvwxA:3tMS1hG5c+ppFc3OqNAKcA

Signature (20cnts)

Level Description
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch Creates or sets a registry key to a long series of bytes
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (8cnts)

Level Name Description Collection
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info Lnk_Format_Zero LNK Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (10cnts)

Request CC ASN Co IP4 Rule ZERO
http://ol.gamegame.info/report7.4.php US CLOUDFLARENET 104.21.21.221 1518 malicious
http://ip-api.com/json/?fields=8198 US TUT-AS 208.95.112.1 clean
http://iw.gamegame.info/report7.4.php US CLOUDFLARENET 104.21.21.221 1517 malicious
email.yg9.me JP AS-CHOOPA 198.13.62.186 suspicious
iw.gamegame.info US CLOUDFLARENET 172.67.200.215 malicious
ol.gamegame.info US CLOUDFLARENET 172.67.200.215 malicious
ip-api.com US TUT-AS 208.95.112.1 clean
198.13.62.186 JP AS-CHOOPA 198.13.62.186 suspicious
208.95.112.1 US TUT-AS 208.95.112.1 clean
172.67.200.215 US CLOUDFLARENET 172.67.200.215 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x40d000 LoadLibraryA
 0x40d004 GetProcAddress
 0x40d008 DecodePointer
 0x40d00c WriteConsoleW
 0x40d010 SetFilePointerEx
 0x40d014 GetConsoleMode
 0x40d018 GetConsoleCP
 0x40d01c UnhandledExceptionFilter
 0x40d020 SetUnhandledExceptionFilter
 0x40d024 GetCurrentProcess
 0x40d028 TerminateProcess
 0x40d02c IsProcessorFeaturePresent
 0x40d030 QueryPerformanceCounter
 0x40d034 GetCurrentProcessId
 0x40d038 GetCurrentThreadId
 0x40d03c GetSystemTimeAsFileTime
 0x40d040 InitializeSListHead
 0x40d044 IsDebuggerPresent
 0x40d048 GetStartupInfoW
 0x40d04c GetModuleHandleW
 0x40d050 RaiseException
 0x40d054 RtlUnwind
 0x40d058 GetLastError
 0x40d05c SetLastError
 0x40d060 EnterCriticalSection
 0x40d064 LeaveCriticalSection
 0x40d068 DeleteCriticalSection
 0x40d06c InitializeCriticalSectionAndSpinCount
 0x40d070 TlsAlloc
 0x40d074 TlsGetValue
 0x40d078 TlsSetValue
 0x40d07c TlsFree
 0x40d080 FreeLibrary
 0x40d084 LoadLibraryExW
 0x40d088 GetStdHandle
 0x40d08c WriteFile
 0x40d090 GetModuleFileNameA
 0x40d094 MultiByteToWideChar
 0x40d098 WideCharToMultiByte
 0x40d09c ExitProcess
 0x40d0a0 GetModuleHandleExW
 0x40d0a4 GetCommandLineA
 0x40d0a8 GetCommandLineW
 0x40d0ac GetACP
 0x40d0b0 HeapFree
 0x40d0b4 HeapAlloc
 0x40d0b8 CloseHandle
 0x40d0bc FindClose
 0x40d0c0 FindFirstFileExA
 0x40d0c4 FindNextFileA
 0x40d0c8 IsValidCodePage
 0x40d0cc GetOEMCP
 0x40d0d0 GetCPInfo
 0x40d0d4 GetEnvironmentStringsW
 0x40d0d8 FreeEnvironmentStringsW
 0x40d0dc SetEnvironmentVariableA
 0x40d0e0 CompareStringW
 0x40d0e4 LCMapStringW
 0x40d0e8 SetStdHandle
 0x40d0ec GetFileType
 0x40d0f0 GetStringTypeW
 0x40d0f4 GetProcessHeap
 0x40d0f8 HeapSize
 0x40d0fc HeapReAlloc
 0x40d100 FlushFileBuffers
 0x40d104 CreateFileW
USER32.dll
 0x40d10c wsprintfW
ole32.dll
 0x40d114 CoInitialize
 0x40d118 CoUninitialize
 0x40d11c CoCreateInstance

EAT(Export Address Table) is none