Report - 29.exe

Gen2 UPX Malicious Library PE32 PE File OS Processor Check DLL
Created 2021.07.30 20:49 Machine s1_win7_x6401
Filename 29.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 5
Behavior Score 8.4
ZERO API file : malware
VT API (file) 43 detected (DownLoader40, Malicious, score, GenericKD, MalwareX, WHQN, Malware@#3ugxpsnpnbves, R002C0PGT21, cqkvi, kcloud, MigratedCloud, Phonzy, ai score=88, BScope, Wacatac, Unsafe, PossibleThreat, GdSda, HwcB3n8A)
md5 ab99e71c87f024b99c10c02f88b3e40b
sha256 ae23b1d2d4ab785d755af246d6d82fca9fab091dbb4f886ac136812805354efd
ssdeep 768:noyjFenzoDcTEZF2VtC7Nrcti/S/Lr1teel6+:nSkITZCOt2wrzl6+
imphash bf43a37a6ae0ed2852f82f44f0a6f32a
impfuzzy 24:FuDoku9y4vLxHOovux7JHlkiv8ERRv6ukdA/JzfcJKK6wxGTuE1Enk1EQDX:o4TxuhxYWEA/JzfcJKKtQOnFC

Signature (19 counts)

Level Description
danger File has been identified by 43 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
warning Uses WMI to create a new process
watch Creates or sets a registry key to a long series of bytes
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid)
info Queries for the computername
info The executable uses a known packer

Rules (11 counts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)

Network (15 counts)

Request CC ASN Co IP4 Rule ZERO
http://ol.gamegame.info/report7.4.php US CLOUDFLARENET 104.21.21.221 1518 malicious
http://ip-api.com/json/?fields=8198 US TUT-AS 208.95.112.1 clean
http://by.dirfgame.com/report7.4.php US CLOUDFLARENET 104.21.78.28 2900 malicious
https://live.goatgame.live/userf/dat/29/sqlite.dat US CLOUDFLARENET 172.67.222.125 clean
https://live.goatgame.live/userf/dat/sqlite.dll US CLOUDFLARENET 172.67.222.125 3376 malware
ol.gamegame.info US CLOUDFLARENET 172.67.200.215 malicious
live.goatgame.live US CLOUDFLARENET 104.21.70.98 malware
google.vrthcobj.com US GOOGLE 34.97.69.225 malicious
by.dirfgame.com US CLOUDFLARENET 172.67.215.92 malicious
ip-api.com US TUT-AS 208.95.112.1 clean
104.21.21.221 US CLOUDFLARENET 104.21.21.221 malicious
34.97.69.225 US GOOGLE 34.97.69.225 malicious
208.95.112.1 US TUT-AS 208.95.112.1 clean
104.21.78.28 US CLOUDFLARENET 104.21.78.28 malicious
172.67.222.125 US CLOUDFLARENET 172.67.222.125 malware
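The network rows above turned into hunting indicators and run over a few proxy-log lines. This is an added example, not part of the sandbox report: the proxy-log format, the client IPs and the non-report hosts (www.example.com, cdn.example.net) are constructed for illustration, and the ip-api.com field-bitmask table is transcribed from ip-api's public JSON API documentation (assumption: 8198 decodes to query + region + countryCode, i.e. the sample asks only for its own public IP, region and country code). The report path /report7.4.php is kept as an indicator on its own because the same path was served from two different Cloudflare-fronted domains.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Rows transcribed from the Network table of the report (verdict spelling
# normalised, numeric Rule column dropped since only the verdict is used).
NETWORK_ROWS = """\
http://ol.gamegame.info/report7.4.php US CLOUDFLARENET 104.21.21.221 malicious
http://ip-api.com/json/?fields=8198 US TUT-AS 208.95.112.1 clean
http://by.dirfgame.com/report7.4.php US CLOUDFLARENET 104.21.78.28 malicious
https://live.goatgame.live/userf/dat/29/sqlite.dat US CLOUDFLARENET 172.67.222.125 clean
https://live.goatgame.live/userf/dat/sqlite.dll US CLOUDFLARENET 172.67.222.125 malware
google.vrthcobj.com US GOOGLE 34.97.69.225 malicious
ip-api.com US TUT-AS 208.95.112.1 clean
34.97.69.225 US GOOGLE 34.97.69.225 malicious
"""

BAD_VERDICTS = {"malicious", "malware"}

# Subset of ip-api.com's numeric "fields" bitmask, from its public JSON API
# docs (assumption, verify against the current docs). 8198 = 8192 + 4 + 2.
IPAPI_FIELD_BITS = {1: "country", 2: "countryCode", 4: "region", 8: "regionName",
                    16: "city", 512: "isp", 1024: "org", 2048: "as", 8192: "query"}


def decode_ipapi_fields(mask):
    """Names of the fields a numeric ip-api.com 'fields' mask asks for."""
    return [name for bit, name in sorted(IPAPI_FIELD_BITS.items()) if mask & bit]


def parse_network_rows(text):
    """Collect hosts, IPs and URL paths the report flags as malicious/malware.
    Paths are kept separately so a rotated C2 domain still matches."""
    bad = {"hosts": set(), "ips": set(), "paths": set()}
    for line in text.splitlines():
        parts = line.split()
        request, ip, verdict = parts[0], parts[-2], parts[-1]
        if "://" in request:
            u = urlsplit(request)
            host, path = u.hostname, u.path
        else:
            host, path = request, ""
        if verdict in BAD_VERDICTS:
            bad["hosts"].add(host)
            bad["ips"].add(ip)
            if path and path != "/":
                bad["paths"].add(path)
    return bad


# Constructed proxy-log format: '<timestamp> <client-ip> <method> <url> <status>'
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")


def hunt(log_lines, bad):
    """Return (client, reason, url) hits. Besides plain IOC matches, flag a
    client that POSTs to a reported path after an ip-api.com lookup, which is
    the behaviour chain the signatures above describe."""
    hits, geo_seen = [], {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, url = m["src"], m["method"], m["url"]
        u = urlsplit(url)
        reasons = []
        if u.hostname in bad["hosts"] or u.hostname in bad["ips"]:
            reasons.append("known-bad host")
        elif u.path in bad["paths"]:
            reasons.append("known-bad path on new host")
        if u.hostname == "ip-api.com":
            mask = int(parse_qs(u.query).get("fields", ["0"])[0])
            geo_seen[src] = decode_ipapi_fields(mask)
        elif method == "POST" and src in geo_seen and u.path in bad["paths"]:
            reasons.append("POST after external-IP lookup of " + "+".join(geo_seen[src]))
        hits.extend((src, r, url) for r in reasons)
    return hits


# Constructed sample log: one host replaying the sandbox's traffic, one benign
# host, and one host reaching the report path on a domain the report lacks.
SAMPLE_LOG = [
    "2021-07-30T20:50:01Z 10.0.0.5 GET http://ip-api.com/json/?fields=8198 200",
    "2021-07-30T20:50:02Z 10.0.0.5 POST http://ol.gamegame.info/report7.4.php 200",
    "2021-07-30T20:50:03Z 10.0.0.5 GET https://live.goatgame.live/userf/dat/29/sqlite.dat 200",
    "2021-07-30T20:51:00Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2021-07-30T20:51:10Z 10.0.0.9 POST http://cdn.example.net/report7.4.php 200",
]

if __name__ == "__main__":
    for src, reason, url in hunt(SAMPLE_LOG, parse_network_rows(NETWORK_ROWS)):
        print(f"{src}\t{reason}\t{url}")
```

The lookup of ip-api.com is not an indicator by itself (plenty of legitimate software calls it), which is why it only contributes when followed by a POST to a reported path from the same client; the path-only match is what catches the third domain in a campaign that has already rotated away from ol.gamegame.info and by.dirfgame.com.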

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x408000 lstrlenW
 0x408004 InterlockedDecrement
 0x408008 GetProcAddress
 0x40800c LoadLibraryA
 0x408010 CloseHandle
 0x408014 WriteFile
 0x408018 CreateFileW
 0x40801c GetEnvironmentVariableW
 0x408020 GetModuleFileNameW
 0x408024 RaiseException
 0x408028 LocalFree
 0x40802c lstrlenA
 0x408030 InterlockedIncrement
 0x408034 GetStringTypeW
 0x408038 GetStringTypeA
 0x40803c LCMapStringW
 0x408040 LCMapStringA
 0x408044 MultiByteToWideChar
 0x408048 GetOEMCP
 0x40804c RtlUnwind
 0x408050 GetCommandLineA
 0x408054 GetVersion
 0x408058 ExitProcess
 0x40805c GetCurrentThreadId
 0x408060 TlsSetValue
 0x408064 TlsAlloc
 0x408068 SetLastError
 0x40806c TlsGetValue
 0x408070 GetLastError
 0x408074 HeapFree
 0x408078 HeapAlloc
 0x40807c TerminateProcess
 0x408080 GetCurrentProcess
 0x408084 UnhandledExceptionFilter
 0x408088 GetModuleFileNameA
 0x40808c FreeEnvironmentStringsA
 0x408090 FreeEnvironmentStringsW
 0x408094 WideCharToMultiByte
 0x408098 GetEnvironmentStrings
 0x40809c GetEnvironmentStringsW
 0x4080a0 SetHandleCount
 0x4080a4 GetStdHandle
 0x4080a8 GetFileType
 0x4080ac GetStartupInfoA
 0x4080b0 GetModuleHandleA
 0x4080b4 GetEnvironmentVariableA
 0x4080b8 GetVersionExA
 0x4080bc HeapDestroy
 0x4080c0 HeapCreate
 0x4080c4 VirtualFree
 0x4080c8 SetUnhandledExceptionFilter
 0x4080cc IsBadReadPtr
 0x4080d0 IsBadWritePtr
 0x4080d4 IsBadCodePtr
 0x4080d8 InitializeCriticalSection
 0x4080dc EnterCriticalSection
 0x4080e0 LeaveCriticalSection
 0x4080e4 VirtualAlloc
 0x4080e8 HeapReAlloc
 0x4080ec GetCPInfo
 0x4080f0 GetACP
 0x4080f4 HeapSize
USER32.dll
 0x408134 ShowWindow
 0x408138 wsprintfW
ole32.dll
 0x408140 CoInitializeSecurity
 0x408144 CoUninitialize
 0x408148 CoInitialize
 0x40814c CoCreateInstance
 0x408150 CoSetProxyBlanket
OLEAUT32.dll
 0x4080fc VariantCopy
 0x408100 VariantInit
 0x408104 SafeArrayGetDim
 0x408108 SafeArrayGetLBound
 0x40810c SafeArrayGetUBound
 0x408110 SafeArrayAccessData
 0x408114 SafeArrayUnaccessData
 0x408118 SysStringLen
 0x40811c SysAllocStringLen
 0x408120 SysAllocString
 0x408124 VariantClear
 0x408128 SysFreeString
 0x40812c GetErrorInfo

EAT (Export Address Table): none


