Report - %E9%80%A0%E5%B0%8F%E4%BA%BA.exe

VMProtect Malicious Library PE32 PE File
Created 2021.08.02 09:12 Machine s1_win7_x6401
Filename %E9%80%A0%E5%B0%8F%E4%BA%BA.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score 8
Behavior Score 3.6
ZERO API file : malware
VT API (file) 32 detected (AIDetect, malware2, malicious, high confidence, Ursu, Unsafe, VMProtect, Generic ML PUA, Static AI, Malicious PE, Black, Gen2, Tnega, score, ai score=85, TScope, Generic@ML, RDML, eEmGNJUlBmVtXjLIv5In6A, susgen, ZexaF, 3YW@aWEn0Bmb, confidence, HxMBItIA)
md5 21614cd641f1b0564630a4dffe6c54e2
sha256 eb60897607eb5872e6ed502463d4cdcc888bce8df09352d6708c69d18b3e0005
ssdeep 49152:TjJbync8SbRnTYSCePIWcQMcdAdGPq1a3EcFdR8GTkCHV/zj8JX6x/Bco7HN:TNOc8mnTqelzC4HXF7NkYrj8t6xKMt
imphash 41d2505f208cfce31eb439578f9e7272
impfuzzy 12:o9T/4BLr6Vu5A3d/XAsQA8O1G2qQGoQtXJxZGiJa9AJcDT6ZG28RpG:QT/ILyg0BL9V1VQtXJHla9NDT64ZQ

Signature (8cnts)

Level   Description
danger  File has been identified by 32 AntiVirus engines on VirusTotal as malicious
watch   Communicates with host for which no DNS query was performed
notice  Allocates read-write-execute memory (usually to unpack itself)
notice  Foreign language identified in PE resource
notice  The binary likely contains encrypted or compressed data indicative of a packer
notice  The executable is likely packed with VMProtect
info    Checks if process is being debugged by a debugger
info    The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level  Name                    Description            Collection
watch  Malicious_Library_Zero  Malicious_Library      binaries (upload)
watch  VMProtect_Zero          VMProtect packed file  binaries (upload)
info   IsPE32                  (no description)       binaries (upload)
info   PE_Header_Zero          PE File Signature      binaries (upload)

Network (1cnts)

Request      CC  ASN Co                                 IP4          Rule  ZERO
47.96.15.92  CN  Hangzhou Alibaba Advertising Co.,Ltd.  47.96.15.92        clean

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.DLL
 0xae6000 CryptAcquireContextA
COMCTL32.DLL
 0xae6008 ImageList_Add
COMDLG32.DLL
 0xae6010 GetOpenFileNameA
GDI32.dll
 0xae6018 AngleArc
KERNEL32.dll
 0xae6020 Beep
msvcrt.dll
 0xae6028 _strdup
MSIMG32.DLL
 0xae6030 AlphaBlend
msvcrt.dll
 0xae6038 __dllonexit
OLEAUT32.DLL
 0xae6040 SysAllocStringLen
USER32.dll
 0xae6048 AppendMenuA
WS2_32.dll
 0xae6050 WSAAsyncSelect
WTSAPI32.dll
 0xae6058 WTSSendMessageW
KERNEL32.dll
 0xae6060 GetCurrentProcess
USER32.dll
 0xae6068 CharUpperBuffW
ADVAPI32.DLL
 0xae6070 RegQueryValueExA
KERNEL32.dll
 0xae6078 LocalAlloc
 0xae607c GetCurrentProcess
 0xae6080 GetCurrentThread
 0xae6084 LocalFree
 0xae6088 GetModuleFileNameW
 0xae608c GetProcessAffinityMask
 0xae6090 SetProcessAffinityMask
 0xae6094 SetThreadAffinityMask
 0xae6098 Sleep
 0xae609c ExitProcess
 0xae60a0 GetLastError
 0xae60a4 FreeLibrary
 0xae60a8 LoadLibraryA
 0xae60ac GetModuleHandleA
 0xae60b0 GetProcAddress
ADVAPI32.DLL
 0xae60b8 OpenSCManagerW
 0xae60bc EnumServicesStatusExW
 0xae60c0 OpenServiceW
 0xae60c4 QueryServiceConfigW
 0xae60c8 CloseServiceHandle

EAT(Export Address Table) Library

0x41b8e0 getOnePacket
0x41b580 strcatPacket

