Report - abb.exe

Tags: UPX, Malicious Library, OS Processor Check, PE File, PE32
Created 2021.08.10 10:35 Machine s1_win7_x6401
Filename abb.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 2.2
ZERO API (file): malware
VT API (file): 35 detected (AIDetect, malware2, Malicious, high confidence, Siggen3, Unsafe, Save, Kryptik, ZexaF, tuZ@aqIFMXfi, Eldorado, Attribute, HighConfidence, HMAB, Noon, GenericFCA, Auto, Static AI, Suspicious PE, ai score=82, AgentTesla, 62GOCG, score, BScope, R002H0CH921, Outbreak, GenKryptik, FIBB, confidence, HwoCJ58A)
md5 51a9c62b973de53fb8cbe27ab7b6db9b
sha256 f86b8862461fc09be89a685b16b534a6ef231e2ec2f6da874eb2f4018c6700b1
ssdeep 6144:iokJIphWRmp2kYCeYPsZRaRQFqgYxgGN6Ep74aSETNLz:PkJLo3eRZARQgOY6M7UONf
imphash 8c9e2729b91e6cd98523a27cc78ab06c
impfuzzy 24:dyZ1OuMUnS1jtuhlJnc+pl3eDoLouXSOovHZiv4B4iXM19mSwxhGp:0Zw0S1jtu5c+ppXr54B4L9mVh8

Signatures (5)

Level Description
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Terminates another process
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path

Rules (5)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0)

Request CC ASN Co IP4 Rule ZERO (no entries)

Suricata IDS

PE API

IAT (Import Address Table) by library

KERNEL32.dll
 0x40f010 CloseHandle
 0x40f014 VirtualProtect
 0x40f018 CreateFileMappingW
 0x40f01c MapViewOfFile
 0x40f020 UnmapViewOfFile
 0x40f024 lstrcmpW
 0x40f028 GetFullPathNameW
 0x40f02c MultiByteToWideChar
 0x40f030 GetUserDefaultLCID
 0x40f034 DecodePointer
 0x40f038 WriteConsoleW
 0x40f03c GetFileSize
 0x40f040 CreateFileW
 0x40f044 lstrcatW
 0x40f048 GetCommandLineW
 0x40f04c SetFilePointerEx
 0x40f050 GetConsoleMode
 0x40f054 GetConsoleOutputCP
 0x40f058 FlushFileBuffers
 0x40f05c HeapReAlloc
 0x40f060 HeapSize
 0x40f064 GetProcessHeap
 0x40f068 QueryPerformanceCounter
 0x40f06c GetCurrentProcessId
 0x40f070 GetCurrentThreadId
 0x40f074 GetSystemTimeAsFileTime
 0x40f078 InitializeSListHead
 0x40f07c IsDebuggerPresent
 0x40f080 UnhandledExceptionFilter
 0x40f084 SetUnhandledExceptionFilter
 0x40f088 GetStartupInfoW
 0x40f08c IsProcessorFeaturePresent
 0x40f090 GetModuleHandleW
 0x40f094 GetCurrentProcess
 0x40f098 TerminateProcess
 0x40f09c RtlUnwind
 0x40f0a0 GetLastError
 0x40f0a4 SetLastError
 0x40f0a8 EnterCriticalSection
 0x40f0ac LeaveCriticalSection
 0x40f0b0 DeleteCriticalSection
 0x40f0b4 InitializeCriticalSectionAndSpinCount
 0x40f0b8 TlsAlloc
 0x40f0bc TlsGetValue
 0x40f0c0 TlsSetValue
 0x40f0c4 TlsFree
 0x40f0c8 FreeLibrary
 0x40f0cc GetProcAddress
 0x40f0d0 LoadLibraryExW
 0x40f0d4 GetStdHandle
 0x40f0d8 WriteFile
 0x40f0dc GetModuleFileNameW
 0x40f0e0 ExitProcess
 0x40f0e4 GetModuleHandleExW
 0x40f0e8 HeapFree
 0x40f0ec HeapAlloc
 0x40f0f0 FindClose
 0x40f0f4 FindFirstFileExW
 0x40f0f8 FindNextFileW
 0x40f0fc IsValidCodePage
 0x40f100 GetACP
 0x40f104 GetOEMCP
 0x40f108 GetCPInfo
 0x40f10c GetCommandLineA
 0x40f110 WideCharToMultiByte
 0x40f114 GetEnvironmentStringsW
 0x40f118 FreeEnvironmentStringsW
 0x40f11c SetStdHandle
 0x40f120 GetFileType
 0x40f124 GetStringTypeW
 0x40f128 LCMapStringW
 0x40f12c RaiseException
USER32.dll
 0x40f14c GetDC
 0x40f150 GrayStringW
ADVAPI32.dll
 0x40f000 RegOpenKeyW
 0x40f004 RegCloseKey
 0x40f008 RegQueryValueW
SHELL32.dll
 0x40f144 CommandLineToArgvW
ole32.dll
 0x40f158 CoInitialize
 0x40f15c CLSIDFromProgID
 0x40f160 CoUninitialize
 0x40f164 CoCreateInstance
OLEAUT32.dll
 0x40f134 LoadTypeLib
 0x40f138 SysFreeString
 0x40f13c SysAllocStringLen

EAT (Export Address Table): none



Similarity measure (PE file only) - Checking for service failure