Report - waads.bin

Malicious Library PE32 PE File
Created 2021.06.29 20:07 Machine s1_win7_x6401
Filename waads.bin
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score Not found
Behavior Score 2.6
ZERO API file : malware
VT API (file) 59 detected (Gen:Variant.Fugrafa.858, Trojan.Win32.Generic!BT, Trojan.Fugrafa.858, Trojan.Win32.Inject3.horsiq, Trojan.Generic.ftawl, Malware.Win32.Gencirc.10ce3d9a, Gen:Variant.Fugrafa.858 (B), Malicious, Trojan:Win32/Cobaltstrike.MK!MTB, malicious (high confidence), Cobalt-EVTS!72E4F355907B, Trojan.Generic, HEUR:Trojan.Win32.CobaltStrike.gen, Trojan.Win32.Rozena, Trojan ( 005622831 ), TScope.Malware-Cryptor.SB, Trojan/Generic.ASMalwS.30BBA6D, TR/Crypt.XPACK.Gen7, Generic.mg.72e4f355907b6c91, Trojan.TR/Crypt.XPACK.Gen7, Trojan.Malware.300983.susgen, Trojan.Win32.Heur.oa!s1, W32/Diple.G.gen!Eldorado, Trj/GdSda.A, Trojan/W32.Agent.14336.WO, Trojan.Rozena.Win32.99309, Mal/Generic-R + ATK/Cobalt-A, Trojan.Win32.COBALT.SM, Trojan.Win32.Save.a, win/malicious_confidence_100% (W), W32/Generic.AP.118EACE!tr, Malicious (score: 100), Trojan:Win32/Rozena.605bb16b, Trojan.Inject3.2700, a variant of Win32/Rozena.AMZ, Trojan.Win32.Cobalt.14336.J, Win32:Trojan-gen, Trojan.Win32.Sheljector.trJD, Win.Trojan.CobaltStrike-7899872-1, W32.Trojan.Gen, Backdoor.Cobalt, Static AI - Malicious PE, generic.ml, Unsafe, malicious.5907b6, Trojan.GenAsa!/C5jzoNrl5s, Trojan/Win32.CobaltStrike.R329694, Backdoor.CobaltStrike!1.D049 (CLASSIC), malware (ai score=100), Trojan.CobaltStrike)
md5 72e4f355907b6c91e6f8508d102bd896
sha256 232a5fe454c9537ddea265d805d1daa8e016b1ed30cd2ebde7feb12f866f5608
ssdeep 192:AlH+DgGK83SxHn2OQ/dmBI4KBfTgir+xzARbqUqV/Qjo7AGa:A9+kGKqbOCdWIVBff+xz6fCXAn
imphash
impfuzzy

Signature (6cnts)

Level Description
watch Communicates with host for which no DNS query was performed
watch Network activity contains more than one unique useragent
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
info Queries for the computername

Rules (3cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
http://45.227.253.66:443/cm PA Global Layer B.V. 45.227.253.66 1321 mailcious
http://45.227.253.66:443/G1wm PA Global Layer B.V. 45.227.253.66 1322 mailcious
45.227.253.66 PA Global Layer B.V. 45.227.253.66 malware

Suricata ids
