popup

Report - gjfkd.exe

NPKI Generic Malware Malicious Packer UPX Malicious Library PE64 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.07.30 10:59 Machine s1_win7_x6401
Filename gjfkd.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
4
 Behavior Score
4.8
ZERO API file : malware
VT API (file) 41 detected (malicious, high confidence, GenericKD, Unsafe, confidence, a variant of WinGo, GoCLR, Bulz, tetqqn, R002C0WGR21, TrojanVeil, CobaltStrike, Score, 100%, ai score=86, MigratedCloud, Skeeyah, R426638, Artemis, HackTool, CLASSIC, H8oAzBwB)
md5 0c81dd2088368b16444a770d8e76ecf8
sha256 53265a502e4f4f70abcb422a8b2960c654be15f0b65e4b7b17269857a05953e2
ssdeep 49152:F9eGepgtCWIxe/h55YTVEduGEJfoi6HmHBhuJl1jaYSsldKYjCVhg6er5HcocPK4:FgpgtN/f
imphash 4035d2883e01d64f3e7a9dccb1d63af5
impfuzzy 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6UP:K5O+VAXOmGx0nP
  Network IP location

Signature (12cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
watch Detects the presence of Wine emulator
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (7cnts)

Level Name Description Collection
danger NPKI_Zero File included NPKI binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://2no.co/SVK43
whois
DE Hetzner Online GmbH 88.99.66.31 clean
2no.co
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
88.99.66.31
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x9ec020 WriteFile
 0x9ec028 WriteConsoleW
 0x9ec030 WaitForMultipleObjects
 0x9ec038 WaitForSingleObject
 0x9ec040 VirtualQuery
 0x9ec048 VirtualFree
 0x9ec050 VirtualAlloc
 0x9ec058 SwitchToThread
 0x9ec060 SuspendThread
 0x9ec068 Sleep
 0x9ec070 SetWaitableTimer
 0x9ec078 SetUnhandledExceptionFilter
 0x9ec080 SetProcessPriorityBoost
 0x9ec088 SetEvent
 0x9ec090 SetErrorMode
 0x9ec098 SetConsoleCtrlHandler
 0x9ec0a0 ResumeThread
 0x9ec0a8 PostQueuedCompletionStatus
 0x9ec0b0 LoadLibraryA
 0x9ec0b8 LoadLibraryW
 0x9ec0c0 SetThreadContext
 0x9ec0c8 GetThreadContext
 0x9ec0d0 GetSystemInfo
 0x9ec0d8 GetSystemDirectoryA
 0x9ec0e0 GetStdHandle
 0x9ec0e8 GetQueuedCompletionStatusEx
 0x9ec0f0 GetProcessAffinityMask
 0x9ec0f8 GetProcAddress
 0x9ec100 GetEnvironmentStringsW
 0x9ec108 GetConsoleMode
 0x9ec110 FreeEnvironmentStringsW
 0x9ec118 ExitProcess
 0x9ec120 DuplicateHandle
 0x9ec128 CreateWaitableTimerExW
 0x9ec130 CreateThread
 0x9ec138 CreateIoCompletionPort
 0x9ec140 CreateEventA
 0x9ec148 CloseHandle
 0x9ec150 AddVectoredExceptionHandler

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure