Report - 9663.exe

PE64 PE File OS Processor Check
Created 2021.07.13 09:54 Machine s1_win7_x6402
Filename 9663.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 1
Behavior Score 1.8
ZERO API file : clean
VT API (file) 30 detected (GenericKD, CobaltStrike, CozyDuke, malicious, DangerousSig, MalCert, Malware@#15uuwl0nkqgmh, Siggen14, VSNTG721, Artemis, S + Troj, BHJT, kcloud, Sabsik, Cobalt, PossibleThreat, confidence, 100%, HgEASX8A)
md5 de57b50ddeb32383574874af224b2a98
sha256 25e3873adf19d7e8ba42b472322dbafdfc21d55a2119b81ad9728d6e8e2b0e7b
ssdeep 24576:56SPF9sLegqTaCM1i/7umo6o3pRk11CvLs4pKyJUa1:5AeaCMySM1a
imphash 9d4e8e7b3c2ceb0885480bd38fe7b721
impfuzzy 24:R6hDW1mc02tMS1scpVWjBgGmlJBlub9roeHFZMv1GMcOpOovbOPZHu9J:R6EtMS1scpVwBgGMsbZLFZGq3I

Signature (4cnts)

Level Description
danger File has been identified by 30 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
info One or more processes crashed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (3cnts)

Level Name Description Collection
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

PE API

IAT(Import Address Table) Library

ole32.dll
 0x1400882d0 CoInitializeEx
USER32.dll
 0x1400882b8 GetMenu
 0x1400882c0 ShowWindow
KERNEL32.dll
 0x140088000 TlsAlloc
 0x140088008 WriteConsoleW
 0x140088010 CreateFileW
 0x140088018 HeapSize
 0x140088020 GetModuleHandleA
 0x140088028 GetProcAddress
 0x140088030 LoadResource
 0x140088038 LockResource
 0x140088040 SizeofResource
 0x140088048 LoadLibraryA
 0x140088050 FindResourceA
 0x140088058 RtlCaptureContext
 0x140088060 RtlLookupFunctionEntry
 0x140088068 RtlVirtualUnwind
 0x140088070 UnhandledExceptionFilter
 0x140088078 SetUnhandledExceptionFilter
 0x140088080 GetCurrentProcess
 0x140088088 TerminateProcess
 0x140088090 IsProcessorFeaturePresent
 0x140088098 QueryPerformanceCounter
 0x1400880a0 GetCurrentProcessId
 0x1400880a8 GetCurrentThreadId
 0x1400880b0 GetSystemTimeAsFileTime
 0x1400880b8 InitializeSListHead
 0x1400880c0 IsDebuggerPresent
 0x1400880c8 GetStartupInfoW
 0x1400880d0 GetModuleHandleW
 0x1400880d8 EnterCriticalSection
 0x1400880e0 LeaveCriticalSection
 0x1400880e8 InitializeCriticalSectionEx
 0x1400880f0 DeleteCriticalSection
 0x1400880f8 EncodePointer
 0x140088100 DecodePointer
 0x140088108 MultiByteToWideChar
 0x140088110 WideCharToMultiByte
 0x140088118 LCMapStringEx
 0x140088120 GetStringTypeW
 0x140088128 GetCPInfo
 0x140088130 HeapReAlloc
 0x140088138 RtlPcToFileHeader
 0x140088140 RaiseException
 0x140088148 RtlUnwindEx
 0x140088150 GetLastError
 0x140088158 SetLastError
 0x140088160 InitializeCriticalSectionAndSpinCount
 0x140088168 RtlUnwind
 0x140088170 TlsGetValue
 0x140088178 TlsSetValue
 0x140088180 TlsFree
 0x140088188 FreeLibrary
 0x140088190 LoadLibraryExW
 0x140088198 ExitProcess
 0x1400881a0 GetModuleHandleExW
 0x1400881a8 GetStdHandle
 0x1400881b0 WriteFile
 0x1400881b8 GetModuleFileNameW
 0x1400881c0 HeapFree
 0x1400881c8 HeapAlloc
 0x1400881d0 CompareStringW
 0x1400881d8 LCMapStringW
 0x1400881e0 GetLocaleInfoW
 0x1400881e8 IsValidLocale
 0x1400881f0 GetUserDefaultLCID
 0x1400881f8 EnumSystemLocalesW
 0x140088200 GetFileType
 0x140088208 FlushFileBuffers
 0x140088210 GetConsoleOutputCP
 0x140088218 GetConsoleMode
 0x140088220 GetFileSizeEx
 0x140088228 SetFilePointerEx
 0x140088230 ReadFile
 0x140088238 ReadConsoleW
 0x140088240 FindClose
 0x140088248 FindFirstFileExW
 0x140088250 FindNextFileW
 0x140088258 IsValidCodePage
 0x140088260 GetACP
 0x140088268 GetOEMCP
 0x140088270 GetCommandLineA
 0x140088278 GetCommandLineW
 0x140088280 GetEnvironmentStringsW
 0x140088288 FreeEnvironmentStringsW
 0x140088290 SetEnvironmentVariableW
 0x140088298 SetStdHandle
 0x1400882a0 GetProcessHeap
 0x1400882a8 CloseHandle

EAT(Export Address Table) is none
