Report - file.exe

UPX Malicious Library PE32 PE File
ScreenShot
Created 2021.07.29 09:55 Machine s1_win7_x6402
Filename file.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
7
Behavior Score
4.6
ZERO API file : clean
VT API (file) 54 detected (Inject3, GenericKD, Unsafe, Rozena, Save, malicious, Diple, Eldorado, Cobalt, CobaltStrike, horsiq, Gencirc, A + ATK, XPACK, Gen7, EVTS, Outbreak, ftawl, ai score=100, ASMalwS, score, R329694, TScope, CLASSIC, GenAsa, C5jzoNrl5s, Static AI, Malicious PE, confidence, 100%, HackTool, HxQB08cA)
md5 6cac30135f4d5639c81e29e7d32d95e0
sha256 18172c576df793d31efad7ab1623e2fcc15e8f744bc8381d1a8a63421963e3e6
ssdeep 192:A4H+DgGK83SxHn2OQ/dmBI4KBfTgir+xzWphagguzbqUqV/Qjo7AGa:AM+kGKqbOCdWIVBff+xzWv3fCXAn
imphash dc25ee78e2ef4d36faa0badf1e7461c9
impfuzzy 24:Q2kfiK1JlDzncLLb9Lezd5XGDZEkqkoDquQZn:gfiK1jcTtezdJGVEkqkoqz
  Network IP location

Signature (9cnts)

Level Description
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Network activity contains more than one unique useragent
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info Queries for the computername

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://45.140.17.74/cx NL Serverius Holding B.V. 45.140.17.74 clean
https://45.140.17.74/aPr9 NL Serverius Holding B.V. 45.140.17.74 clean
45.140.17.74 NL Serverius Holding B.V. 45.140.17.74 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x406138 CloseHandle
 0x40613c ConnectNamedPipe
 0x406140 CreateFileA
 0x406144 CreateNamedPipeA
 0x406148 CreateThread
 0x40614c DeleteCriticalSection
 0x406150 EnterCriticalSection
 0x406154 FreeLibrary
 0x406158 GetCurrentProcess
 0x40615c GetCurrentProcessId
 0x406160 GetCurrentThreadId
 0x406164 GetLastError
 0x406168 GetModuleHandleA
 0x40616c GetProcAddress
 0x406170 GetStartupInfoA
 0x406174 GetSystemTimeAsFileTime
 0x406178 GetTickCount
 0x40617c InitializeCriticalSection
 0x406180 LeaveCriticalSection
 0x406184 LoadLibraryA
 0x406188 LoadLibraryW
 0x40618c QueryPerformanceCounter
 0x406190 ReadFile
 0x406194 SetUnhandledExceptionFilter
 0x406198 Sleep
 0x40619c TerminateProcess
 0x4061a0 TlsGetValue
 0x4061a4 UnhandledExceptionFilter
 0x4061a8 VirtualAlloc
 0x4061ac VirtualProtect
 0x4061b0 VirtualQuery
 0x4061b4 WriteFile
msvcrt.dll
 0x4061bc __dllonexit
 0x4061c0 __getmainargs
 0x4061c4 __initenv
 0x4061c8 __lconv_init
 0x4061cc __set_app_type
 0x4061d0 __setusermatherr
 0x4061d4 _acmdln
 0x4061d8 _amsg_exit
 0x4061dc _cexit
 0x4061e0 _fmode
 0x4061e4 _initterm
 0x4061e8 _iob
 0x4061ec _lock
 0x4061f0 _onexit
 0x4061f4 _unlock
 0x4061f8 _winmajor
 0x4061fc abort
 0x406200 calloc
 0x406204 exit
 0x406208 fprintf
 0x40620c free
 0x406210 fwrite
 0x406214 malloc
 0x406218 memcpy
 0x40621c signal
 0x406220 sprintf
 0x406224 strlen
 0x406228 strncmp
 0x40622c vfprintf

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure