Report - bitiki.exe

PE File PE32
ScreenShot
Created 2021.08.06 07:50 Machine s1_win7_x6401
Filename bitiki.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
8
Behavior Score
7.4
ZERO API file : malware
VT API (file) 49 detected (CautusL, malicious, high confidence, Graftor, GenericRI, S20702303, GenericRXAA, Unsafe, Eldorado, Attribute, HighConfidence, ACBZ, Mikey, Solmyr, ixdyob, RATX, Siggen14, Static AI, Suspicious PE, ULPM, ai score=89, ASMalwS, ParalaxRat, 13NZCK2, score, Gencirc, mpJSPmzsnqA, susgen, GdSda, QVM11)
md5 8d3a5bd971302039d6c8c1feadbb2921
sha256 40ec98b570a94ad97200616b1bbb955d0aaa1f6edb5b26150ee73422c7d801f1
ssdeep 24576:undRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkzGgSaLKT0sk2:IXDFBU2iIBb0xY/6sUYYbgj
imphash 6ed4f5f04d62b18d96b26d6db7c18840
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn
  Network IP location

Signature (12cnts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch A process attempted to delay the analysis task.
watch Creates a windows hook that monitors keyboard input (keylogger)
watch Installs an hook procedure to monitor for mouse events
watch Looks for the Windows Idle Time to determine the uptime
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Connects to a Dynamic DNS Domain
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX

Rules (2cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
888myrat.duckdns.org TR Turk Telekom 78.189.177.240 clean
78.189.177.240 TR Turk Telekom 78.189.177.240 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x7e3028 LoadLibraryA
 0x7e302c ExitProcess
 0x7e3030 GetProcAddress
 0x7e3034 VirtualProtect

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure