Report - Get-Variable.exe

VMProtect UPX Malicious Library PE File PE32
Created 2021.08.15 12:18 Machine s1_win7_x6403
Filename Get-Variable.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
7
Behavior Score
6.4
ZERO API file: clean
VT API (file) 23 detected (malicious, high confidence, Artemis, Unsafe, Wacapew, ZexaF, @VX@aaTg2Vm, Attribute, HighConfidence, SpyEyes, bour, FileRepMetagen, AGEN, Tnega, score, InvalidSig, susgen, confidence)
md5 0e78df69265dc57c37673bdee540ce2f
sha256 6b74dc043f9a12823ed98d704e4c8543c9b5d8b9240e65e9d31d2303ab914906
ssdeep 196608:zfija2TcwZTDVO2Z6+CTV69Vd8hhWTGPr4uDt7T:GDOMCTQ4hhuE4uDxT
imphash 898d2213a85b483d34c574804fb124bd
impfuzzy 12:oHQZpQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:YmpQ58QtXJHc9NDI5Q8

Signature (15cnts)

Level Description
warning File has been identified by 23 AntiVirus engines on VirusTotal as malicious
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Uses Sysinternals tools in order to add additional command line functionality
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware-related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
notice Uses Windows utilities for basic Windows functionality
info Checks if process is being debugged by a debugger
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (5cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
watch VMProtect_Zero VMProtect packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts)

Request CC ASN Co IP4 Rule ZERO
http://94.103.80.169/gate.php?type=update&uid=14F63AB901393115137325 NL Hosting technology LTD 94.103.80.169 clean
http://94.103.80.169/gate.php?type=check&uid=14F63AB901393115137325 NL Hosting technology LTD 94.103.80.169 clean
http://94.103.80.169/gate.php?type=ping&uid=14F63AB901393115137325 NL Hosting technology LTD 94.103.80.169 clean
94.103.80.169 NL Hosting technology LTD 94.103.80.169 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

ADVAPI32.DLL
 0x12ae000 GetUserNameW
KERNEL32.dll
 0x12ae008 CreateThread
msvcrt.dll
 0x12ae010 _strdup
msvcrt.dll
 0x12ae018 __getmainargs
USER32.dll
 0x12ae020 BeginPaint
WTSAPI32.dll
 0x12ae028 WTSSendMessageW
KERNEL32.dll
 0x12ae030 VirtualQuery
USER32.dll
 0x12ae038 GetProcessWindowStation
KERNEL32.dll
 0x12ae040 LocalAlloc
 0x12ae044 LocalFree
 0x12ae048 GetModuleFileNameW
 0x12ae04c GetProcessAffinityMask
 0x12ae050 SetProcessAffinityMask
 0x12ae054 SetThreadAffinityMask
 0x12ae058 Sleep
 0x12ae05c ExitProcess
 0x12ae060 FreeLibrary
 0x12ae064 LoadLibraryA
 0x12ae068 GetModuleHandleA
 0x12ae06c GetProcAddress
USER32.dll
 0x12ae074 GetProcessWindowStation
 0x12ae078 GetUserObjectInformationW

EAT (Export Address Table): none
