Report - pat.exe

Tags: VMProtect, PE File, PE32
Created: 2021.07.02 18:33
Machine: s1_win7_x6402
Filename: pat.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 8
Behavior Score: 8.0
ZERO API (file): malware
VT API (file): 28 detected (AIDetect, malware1, malicious, high confidence, Artemis, Unsafe, Save, confidence, Attribute, HighConfidence, VMProtect, HashCity, R + Mal, VMProtBad, XPACK, PSWTroj, kcloud, Tnega, score, R426616, ZexaF, @BW@auesfFi, Generic@ML, RDML, ozipnu8w60GHoLYNBO6C6w, Static AI, Malicious PE, susgen, QVM19)
md5: 571d311fc434e77de22206602a9131d3
sha256: 04a3b0f970d1689d6c1d6859c81ef3f41f1a503baf4275188e848548b2669950
ssdeep: 98304:u+F4gz3TK6AWl/7COZo5Bx66vH/6V/wsmgxBrEw1lhDJX6SWE9n4GT9xEr2Rh+e:u+FMWlzCD5npIhmaAUIJE9BTTGK+e
imphash: b0a3c6817c3bc91463a81826e090915c
impfuzzy: 12:DBLkFCXbL4MQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:9LkSYMQ58QtXJHc9NDI5Q8

Signatures (18)

Level Description
warning File has been identified by 28 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Communicates with host for which no DNS query was performed
watch Disables proxy possibly for traffic interception
watch Harvests credentials from local FTP client software
watch Harvests information related to installed instant messenger clients
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
info Checks amount of memory in system
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
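The "Communicates with host for which no DNS query was performed" signature above is a simple correlation between the DNS answers and the connections seen in a capture. The script below is an added example and not the sandbox's own implementation: it replays a constructed event stream (the event schema with ts/type/query/answers/dst fields, the function names unresolved_destinations/resolved_names/is_noise, the timestamps and the 203.0.113.x addresses are all this example's assumptions; only the domain antimalwarebyte.xyz and its IP 185.22.155.64 are taken from the report's network table) and flags every external destination that was contacted before any DNS answer named it.

```python
"""Flag connections to hosts that were never resolved through DNS.

Added example, not code from the sandbox behind this report. Event schema,
function names and all sample values except antimalwarebyte.xyz and
185.22.155.64 (both from the report's network table) are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed sample events, in capture order. 203.0.113.0/24 (documentation
# space) stands in for arbitrary external hosts.
EVENTS = [
    {"ts": 1.0, "type": "dns", "query": "antimalwarebyte.xyz", "answers": ["185.22.155.64"]},
    {"ts": 1.2, "type": "http", "dst": "185.22.155.64", "method": "POST", "uri": "/collect.php"},
    {"ts": 2.0, "type": "tcp", "dst": "203.0.113.7"},   # never resolved
    {"ts": 2.5, "type": "tcp", "dst": "10.0.0.5"},      # RFC 1918, ignored
    {"ts": 3.0, "type": "tcp", "dst": "203.0.113.9"},   # resolved only afterwards
    {"ts": 3.5, "type": "dns", "query": "late.example", "answers": ["203.0.113.9"]},
    {"ts": 4.0, "type": "tcp", "dst": "203.0.113.7"},   # repeat, reported once
]

CONNECTION_TYPES = {"tcp", "udp", "http"}

# Ranges that are reached without a lookup in normal sandbox background
# traffic and must not raise this signature. Listed explicitly rather than
# via ip_address().is_private so that the documentation range used in the
# sample above still counts as external.
NOISE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]


def is_noise(dst):
    a = ip_address(dst)
    return any(a in n for n in NOISE_NETS)


def unresolved_destinations(events):
    """Return [(ts, dst), ...] for the first connection to each external IP
    that appeared in no DNS answer seen *before* that connection.

    Events are replayed in timestamp order because a lookup that arrives
    after the connection does not explain it."""
    answered = set()
    seen = set()
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "dns":
            answered.update(ev.get("answers", []))
        elif ev["type"] in CONNECTION_TYPES:
            dst = ev["dst"]
            if is_noise(dst) or dst in answered or dst in seen:
                continue
            seen.add(dst)
            hits.append((ev["ts"], dst))
    return hits


def resolved_names(events):
    """Map each answered IP back to the name(s) that resolved to it; this is
    the pivot for connections that *were* preceded by a lookup."""
    names = {}
    for ev in events:
        if ev["type"] == "dns":
            for ip in ev.get("answers", []):
                names.setdefault(ip, set()).add(ev["query"])
    return names


if __name__ == "__main__":
    for ts, dst in unresolved_destinations(EVENTS):
        print(f"t={ts}: connection to {dst} with no prior DNS answer")
    for ip, qs in resolved_names(EVENTS).items():
        print(f"{ip} <- {', '.join(sorted(qs))}")
```

The ordering rule is the part worth keeping: a DNS answer that arrives after the connection (203.0.113.9 in the sample) still counts as a hit, which is what separates hard-coded C2 addresses from ordinary name resolution.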

Rules (3)

Level Name Description Collection
watch VMProtect_Zero VMProtect packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5)

Request                                 CC  ASN/Co     IP4             Rule  ZERO
http://antimalwarebyte.xyz/collect.php  RU  LLC Baxet  185.22.155.64   2494  malicious
antimalwarebyte.xyz                     RU  LLC Baxet  185.22.155.64         malicious
185.22.155.64                           RU  LLC Baxet  185.22.155.64         malicious
99.86.144.82                            US  AMAZON-02  99.86.144.82          clean
35.244.181.201                          US  GOOGLE     35.244.181.201        clean

Suricata IDS alerts: none listed

PE API

IAT (Import Address Table)

KERNEL32.dll
 0xd51000 GetVersionExA
USER32.dll
 0xd51008 GetDC
GDI32.dll
 0xd51010 DeleteObject
SHLWAPI.dll
 0xd51018 PathFindExtensionW
gdiplus.dll
 0xd51020 GdipSaveImageToFile
WININET.dll
 0xd51028 InternetWriteFile
WTSAPI32.dll
 0xd51030 WTSSendMessageW
KERNEL32.dll
 0xd51038 VirtualQuery
USER32.dll
 0xd51040 GetProcessWindowStation
KERNEL32.dll
 0xd51048 LocalAlloc
 0xd5104c LocalFree
 0xd51050 GetModuleFileNameW
 0xd51054 GetProcessAffinityMask
 0xd51058 SetProcessAffinityMask
 0xd5105c SetThreadAffinityMask
 0xd51060 Sleep
 0xd51064 ExitProcess
 0xd51068 FreeLibrary
 0xd5106c LoadLibraryA
 0xd51070 GetModuleHandleA
 0xd51074 GetProcAddress
USER32.dll
 0xd5107c GetProcessWindowStation
 0xd51080 GetUserObjectInformationW
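The import table above is typical of a VMProtect build: a couple of dozen imports, the same DLL split over several descriptors, and LoadLibraryA plus GetProcAddress so that the APIs the sample really uses are resolved at run time. The script below is an added example, not tooling from the report or from the sandbox: it parses the listing above (pasted verbatim), derives those indicators, and builds the canonical "dll.func" string that pefile's imphash hashes. The parser, the flag names, the 40-import threshold and the API sets are this example's assumptions; pefile walks the import directory, and since the report does not say that this listing is in that order, the md5 computed here matches the report's imphash only if the two orders coincide.

```python
"""Triage a VMProtect-style import table from a sandbox IAT listing.

Added example, not the report's own tooling. IAT_LISTING is the table shown
in the report; parser, flags, threshold and API sets are assumptions.
"""
import hashlib
from collections import Counter

IAT_LISTING = """\
KERNEL32.dll
 0xd51000 GetVersionExA
USER32.dll
 0xd51008 GetDC
GDI32.dll
 0xd51010 DeleteObject
SHLWAPI.dll
 0xd51018 PathFindExtensionW
gdiplus.dll
 0xd51020 GdipSaveImageToFile
WININET.dll
 0xd51028 InternetWriteFile
WTSAPI32.dll
 0xd51030 WTSSendMessageW
KERNEL32.dll
 0xd51038 VirtualQuery
USER32.dll
 0xd51040 GetProcessWindowStation
KERNEL32.dll
 0xd51048 LocalAlloc
 0xd5104c LocalFree
 0xd51050 GetModuleFileNameW
 0xd51054 GetProcessAffinityMask
 0xd51058 SetProcessAffinityMask
 0xd5105c SetThreadAffinityMask
 0xd51060 Sleep
 0xd51064 ExitProcess
 0xd51068 FreeLibrary
 0xd5106c LoadLibraryA
 0xd51070 GetModuleHandleA
 0xd51074 GetProcAddress
USER32.dll
 0xd5107c GetProcessWindowStation
 0xd51080 GetUserObjectInformationW
"""


def parse_iat(listing):
    """One (dll, [funcs]) tuple per descriptor, in listing order. A DLL named
    several times stays as several entries, as in the import directory."""
    descriptors = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("0x"):
            if not descriptors:
                raise ValueError("import entry before any DLL name: %r" % raw)
            _addr, name = line.split(None, 1)
            descriptors[-1][1].append(name)
        else:
            descriptors.append((line, []))
    return descriptors


def imphash_string(descriptors):
    """String pefile md5s for imphash: 'dll.func', lower case, .dll/.ocx/.sys
    extension dropped, comma-joined in import-directory order."""
    parts = []
    for dll, funcs in descriptors:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return ",".join(parts)


def imphash(descriptors):
    return hashlib.md5(imphash_string(descriptors).encode()).hexdigest()


RESOLVERS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
MEMORY_APIS = {"virtualalloc", "virtualprotect", "virtualquery", "virtualfree"}


def triage(descriptors, small_iat=40):
    funcs = [f.lower() for _, fs in descriptors for f in fs]
    present = set(funcs)
    dll_counts = Counter(dll.lower() for dll, _ in descriptors)
    return {
        "descriptors": len(descriptors),
        "unique_dlls": len(dll_counts),
        "imports": len(funcs),
        "unique_imports": len(present),
        # One DLL spread over several descriptors, as packers tend to emit.
        "split_descriptors": {d: n for d, n in dll_counts.items() if n > 1},
        # LoadLibrary* plus GetProcAddress in a tiny IAT: the APIs that matter
        # are resolved at run time, so the static list says little about behaviour.
        "dynamic_resolution": bool(present & RESOLVERS) and "getprocaddress" in present,
        "small_iat": len(funcs) < small_iat,
        # Memory APIs imported statically; any other memory-protection change
        # the sandbox observed must have gone through run-time resolution.
        "memory_apis": sorted(present & MEMORY_APIS),
    }


if __name__ == "__main__":
    d = parse_iat(IAT_LISTING)
    for k, v in triage(d).items():
        print(f"{k}: {v}")
    print("imphash over this listing:", imphash(d))
```

Of the memory APIs only VirtualQuery is imported statically, while the report's signatures record RWX allocation and a later protection change; on a packed sample that gap between the static IAT and observed behaviour is exactly why the dynamic-resolution flag matters more than the import list itself.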

EAT (Export Address Table): none