Report - heliocentrically.db

Generic Malware Malicious Packer UPX Malicious Library Escalate priviledges AntiDebug AntiVM PE File OS Processor Check PE32
ScreenShot
Created 2021.08.04 12:20 Machine s1_win7_x6401
Filename heliocentrically.db
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
Behavior Score
3.8
ZERO API file : clean
VT API (file) 26 detected (Artemis, Unsafe, Save, DropperX, Zusy, Eldorado, ADBL, Malicious, score, gzxaj, ai score=86, Wacatac, R002H0CH321, ZexaF, jtW@au@OqQk)
md5 106b947aa2e8101bff6e3ff0f82bfe95
sha256 88689636f4b2287701b63f42c12e7e2387bf4c3ecc45eeb8a61ea707126bad9b
ssdeep 49152:yNUPRS5YfeBi35enfGiSpQQ17dWRsnVQLKaCTpdNu:d/+I7mwFTpf
imphash 15b4976be317dca18eab234bf54db422
impfuzzy 48:YHb9YWJcjrXhaW209cgJxtH1jthpp9YcgBL:YHbiWJcjrXEW20ugJxtH1jthpp9YR
  Network IP location

Signature (6cnts)

Level Description
danger Executed a process and injected code into it
warning File has been identified by 26 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Yara rule detected in process memory

Rules (16cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
notice Escalate_priviledges Escalate priviledges memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

ntdll.dll
 0x719188 NtCancelIoFileEx
 0x71918c RtlCaptureContext
 0x719190 NtDeviceIoControlFile
 0x719194 RtlNtStatusToDosError
 0x719198 RtlUnwind
ADVAPI32.dll
 0x719000 SystemFunction036
KERNEL32.dll
 0x719008 SetFilePointerEx
 0x71900c CreateFileW
 0x719010 DecodePointer
 0x719014 GetTickCount
 0x719018 GetEnvironmentStrings
 0x71901c GetCurrentProcess
 0x719020 GetCommandLineA
 0x719024 GetLastError
 0x719028 GetVersion
 0x71902c GetProcessHeap
 0x719030 HeapAlloc
 0x719034 HeapFree
 0x719038 HeapReAlloc
 0x71903c AcquireSRWLockExclusive
 0x719040 EnterCriticalSection
 0x719044 LeaveCriticalSection
 0x719048 ReleaseSRWLockExclusive
 0x71904c AddVectoredExceptionHandler
 0x719050 SetThreadStackGuarantee
 0x719054 CloseHandle
 0x719058 GetSystemInfo
 0x71905c VirtualAlloc
 0x719060 SetLastError
 0x719064 GetFinalPathNameByHandleW
 0x719068 GetQueuedCompletionStatusEx
 0x71906c Sleep
 0x719070 TlsSetValue
 0x719074 GetModuleHandleA
 0x719078 GetProcAddress
 0x71907c TlsGetValue
 0x719080 AcquireSRWLockShared
 0x719084 ReleaseSRWLockShared
 0x719088 GetEnvironmentVariableW
 0x71908c GetStdHandle
 0x719090 GetConsoleMode
 0x719094 WriteFile
 0x719098 WriteConsoleW
 0x71909c GetCurrentDirectoryW
 0x7190a0 GetCurrentThread
 0x7190a4 ReleaseMutex
 0x7190a8 WaitForSingleObjectEx
 0x7190ac LoadLibraryA
 0x7190b0 CreateMutexA
 0x7190b4 TlsAlloc
 0x7190b8 GetModuleHandleW
 0x7190bc FormatMessageW
 0x7190c0 InitializeCriticalSection
 0x7190c4 TryEnterCriticalSection
 0x7190c8 QueryPerformanceCounter
 0x7190cc QueryPerformanceFrequency
 0x7190d0 PostQueuedCompletionStatus
 0x7190d4 CreateThread
 0x7190d8 WaitForSingleObject
 0x7190dc CreateIoCompletionPort
 0x7190e0 SwitchToThread
 0x7190e4 FlushFileBuffers
 0x7190e8 GetCurrentProcessId
 0x7190ec GetCurrentThreadId
 0x7190f0 GetSystemTimeAsFileTime
 0x7190f4 InitializeSListHead
 0x7190f8 IsDebuggerPresent
 0x7190fc UnhandledExceptionFilter
 0x719100 SetUnhandledExceptionFilter
 0x719104 GetStartupInfoW
 0x719108 IsProcessorFeaturePresent
 0x71910c TerminateProcess
 0x719110 DeleteCriticalSection
 0x719114 InitializeCriticalSectionAndSpinCount
 0x719118 TlsFree
 0x71911c FreeLibrary
 0x719120 LoadLibraryExW
 0x719124 RaiseException
 0x719128 GetModuleFileNameW
 0x71912c ExitProcess
 0x719130 GetModuleHandleExW
 0x719134 GetCommandLineW
 0x719138 FindClose
 0x71913c FindFirstFileExW
 0x719140 FindNextFileW
 0x719144 IsValidCodePage
 0x719148 GetACP
 0x71914c GetOEMCP
 0x719150 GetCPInfo
 0x719154 MultiByteToWideChar
 0x719158 WideCharToMultiByte
 0x71915c GetEnvironmentStringsW
 0x719160 FreeEnvironmentStringsW
 0x719164 SetEnvironmentVariableW
 0x719168 SetStdHandle
 0x71916c GetFileType
 0x719170 GetStringTypeW
 0x719174 CompareStringW
 0x719178 LCMapStringW
 0x71917c HeapSize
 0x719180 GetConsoleCP

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure