Report - 08.jpg.exe

hancitor PE32 OS Processor Check PE File
Created 2021.07.09 18:12 Machine s1_win7_x6401
Filename 08.jpg.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 4.6
ZERO API file: clean
VT API (file) 20 detected (Pack, Emotet, Artemis, ZexaF, Uu0@aO44wCdi, Malicious, Krypt, Wacapew, score, ai score=86, Static AI, Suspicious PE, QVM20)
md5 ed1921467f6784af6bdca40a06a541b5
sha256 3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6
ssdeep 12288:4AbvaOTfFGikmS6jd2QML8HXWp8KEwbHBkm9jjgbFHLViv0dC2x0uTadTaUk7u:vbvJfFGikmS0pXfw7Bkm9j088PlTaDj
imphash 5a2e77913b081a443f9195818466685a
impfuzzy 48:c3G3Qd1ZmQ1Xc+CM6tMSTMvUiAEkDCxqQ59v3099l4zHAOFEK3zveK0svkea:r3Q5dXc+CBtMSTMc5tYmK0Sy

Signature (11cnts)

Level Description
warning File has been identified by 20 AntiVirus engines on VirusTotal as malicious
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preparations.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info Queries for the computername
info This executable has a PDB path

Rules (3cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
http://api.ipify.org/ US AMAZON-AES 50.16.246.238 clean
http://sudepallon.com/8/forum.php RU SpaceWeb Ltd 77.222.42.67 2599 clean
sudepallon.com RU SpaceWeb Ltd 77.222.42.67 clean
api.ipify.org US AMAZON-AES 50.16.218.217 clean
50.16.246.238 US AMAZON-AES 50.16.246.238 clean
77.222.42.67 RU SpaceWeb Ltd 77.222.42.67 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x1078074 GetOEMCP
 0x1078078 GetCommandLineA
 0x107807c GetCommandLineW
 0x1078080 GetEnvironmentStringsW
 0x1078084 GetACP
 0x1078088 IsValidCodePage
 0x107808c FindNextFileW
 0x1078090 FindFirstFileExW
 0x1078094 FindClose
 0x1078098 OutputDebugStringW
 0x107809c FreeEnvironmentStringsW
 0x10780a0 SetEnvironmentVariableW
 0x10780a4 SetStdHandle
 0x10780a8 GetProcessHeap
 0x10780ac GetFileSizeEx
 0x10780b0 SetFilePointerEx
 0x10780b4 HeapSize
 0x10780b8 FlushFileBuffers
 0x10780bc GetConsoleCP
 0x10780c0 GetConsoleMode
 0x10780c4 ReadFile
 0x10780c8 ReadConsoleW
 0x10780cc CloseHandle
 0x10780d0 CreateFileW
 0x10780d4 CreateProcessW
 0x10780d8 SetConsoleCP
 0x10780dc GetCurrentDirectoryW
 0x10780e0 GetSystemDirectoryW
 0x10780e4 GetCurrentThreadId
 0x10780e8 GetTempPathW
 0x10780ec RemoveDirectoryW
 0x10780f0 GetDiskFreeSpaceW
 0x10780f4 VirtualProtect
 0x10780f8 GetTimeZoneInformation
 0x10780fc SetConsoleCtrlHandler
 0x1078100 HeapReAlloc
 0x1078104 EnumSystemLocalesW
 0x1078108 GetUserDefaultLCID
 0x107810c IsValidLocale
 0x1078110 GetTimeFormatW
 0x1078114 GetDateFormatW
 0x1078118 HeapAlloc
 0x107811c HeapFree
 0x1078120 GetCurrentThread
 0x1078124 GetFileType
 0x1078128 GetModuleHandleExW
 0x107812c ExitProcess
 0x1078130 GetModuleFileNameW
 0x1078134 WriteFile
 0x1078138 GetStdHandle
 0x107813c EncodePointer
 0x1078140 DecodePointer
 0x1078144 EnterCriticalSection
 0x1078148 LeaveCriticalSection
 0x107814c DeleteCriticalSection
 0x1078150 WideCharToMultiByte
 0x1078154 SetLastError
 0x1078158 InitializeCriticalSectionAndSpinCount
 0x107815c CreateEventW
 0x1078160 SwitchToThread
 0x1078164 TlsAlloc
 0x1078168 TlsGetValue
 0x107816c TlsSetValue
 0x1078170 TlsFree
 0x1078174 GetSystemTimeAsFileTime
 0x1078178 GetTickCount
 0x107817c GetModuleHandleW
 0x1078180 GetProcAddress
 0x1078184 MultiByteToWideChar
 0x1078188 GetStringTypeW
 0x107818c CompareStringW
 0x1078190 LCMapStringW
 0x1078194 GetLocaleInfoW
 0x1078198 GetCPInfo
 0x107819c UnhandledExceptionFilter
 0x10781a0 SetUnhandledExceptionFilter
 0x10781a4 GetCurrentProcess
 0x10781a8 TerminateProcess
 0x10781ac IsProcessorFeaturePresent
 0x10781b0 QueryPerformanceCounter
 0x10781b4 GetCurrentProcessId
 0x10781b8 InitializeSListHead
 0x10781bc IsDebuggerPresent
 0x10781c0 GetStartupInfoW
 0x10781c4 RtlUnwind
 0x10781c8 RaiseException
 0x10781cc InterlockedPushEntrySList
 0x10781d0 InterlockedFlushSList
 0x10781d4 GetLastError
 0x10781d8 FreeLibrary
 0x10781dc LoadLibraryExW
 0x10781e0 WriteConsoleW
USER32.dll
 0x10781e8 GetWindowTextW
 0x10781ec GetCursorPos
 0x10781f0 UpdateWindow
 0x10781f4 GetClassInfoExA
 0x10781f8 AppendMenuW
 0x10781fc GetClassNameW
 0x1078200 FindWindowW
 0x1078204 SetFocus
 0x1078208 GetAsyncKeyState
 0x107820c RegisterClassExW
 0x1078210 EnumChildWindows
 0x1078214 SetWindowPos
 0x1078218 GetDC
 0x107821c GetFocus
 0x1078220 CallWindowProcW
 0x1078224 GetMessagePos
 0x1078228 GetMessageW
 0x107822c GetWindowTextLengthW
GDI32.dll
 0x107805c CreateCompatibleBitmap
 0x1078060 SetPixel
 0x1078064 PatBlt
 0x1078068 StretchBlt
 0x107806c GetTextExtentPoint32W
ole32.dll
 0x1078278 OleInitialize
 0x107827c OleSetContainedObject
 0x1078280 OleUninitialize
ADVAPI32.dll
 0x1078000 RegisterServiceCtrlHandlerW
 0x1078004 LookupPrivilegeValueW
 0x1078008 RegCloseKey
 0x107800c RegEnumKeyW
 0x1078010 QueryServiceStatus
 0x1078014 OpenSCManagerW
 0x1078018 RegDeleteKeyW
 0x107801c AllocateAndInitializeSid
 0x1078020 SetEntriesInAclW
 0x1078024 RegCreateKeyExW
 0x1078028 DeleteService
 0x107802c GetTokenInformation
 0x1078030 RegSetValueExW
 0x1078034 OpenProcessToken
 0x1078038 FreeSid
 0x107803c InitializeSecurityDescriptor
 0x1078040 RegOpenKeyExW
 0x1078044 StartServiceCtrlDispatcherW
 0x1078048 OpenServiceW
 0x107804c OpenThreadToken
 0x1078050 RegOpenKeyW
 0x1078054 RegQueryValueExW
VERSION.dll
 0x1078248 GetFileVersionInfoW
 0x107824c GetFileVersionInfoSizeW
 0x1078250 VerQueryValueW
WS2_32.dll
 0x1078258 socket
 0x107825c WSAStartup
 0x1078260 closesocket
 0x1078264 bind
 0x1078268 accept
 0x107826c WSACleanup
 0x1078270 connect
UxTheme.dll
 0x1078234 GetThemeBackgroundRegion
 0x1078238 CloseThemeData
 0x107823c GetThemeTextExtent
 0x1078240 GetThemeFont

EAT (Export Address Table): none



Similarity measure (PE file only) - Checking for service failure