Report - a.exe

Worm Phorpiex Malicious Packer UPX Malicious Library PE File PE32
Created 2021.08.15 12:52 Machine s1_win7_x6401
Filename a.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
10
Behavior Score
9.2
ZERO API (file): malware
VT API (file) 44 detected (malicious, high confidence, DownLoader41, GenericKD, HwcBQD8A, Mint, Zard, Unsafe, Save, XPACK, ZexaF, auW@aGHFmWdi, Attribute, HighConfidence, a variant of Generik, ENSYFDJ, Generic@ML, RDMK, pENf5AL3BElD7ufUbstsaw, Static AI, Malicious PE, ai score=100, kcloud, Sabsik, score, R002H0CHD21, Wncx, PossibleThreat, GdSda, confidence, 100%)
md5 627fc88e4e32885ef3eb655f353d3d73
sha256 789a247aac003f6562a3809a60d214843d77f8c0e0fa24ba479a229a4b86cf69
ssdeep 96:1mCmaBINl1oulwdFf4kYyPtboynuVYCt:1GliuOdJ4kYyP1oyn0L
imphash 3760cba9c6dec902936614042cf8fcf5
impfuzzy 12:DGX5vBX4Gy+GXRzGy5gbw6LV3Ok9CmEsy2ugL:aX5vBby+GdW3OR/2jL

Signature (21cnts)

Level Description
danger File has been identified by 44 AntiVirus engines on VirusTotal as malicious
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Operates on local firewall's policies and settings
notice A process created a hidden window
notice An executable file was downloaded by the process a.exe
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Command line console output was observed
info The executable uses a known packer
info This executable has a PDB path

Rules (9cnts)

Level Name Description Collection
danger Win_Worm_Phorpiex a worm which spreads via removable drives and network drives. binaries (download)
danger Win_Worm_Phorpiex a worm which spreads via removable drives and network drives. binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (8cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.215.113.22/456.exe Unknown 185.215.113.22 clean
stun.jabbim.cz CZ SuperNetwork s.r.o. 88.86.102.51 clean
79.141.72.156 RU OOO Network of data-centers Selectel 79.141.72.156 clean
185.215.113.22 Unknown 185.215.113.22 malware
88.86.102.52 CZ SuperNetwork s.r.o. 88.86.102.52 clean
88.86.102.51 CZ SuperNetwork s.r.o. 88.86.102.51 clean
79.141.72.138 RU OOO Network of data-centers Selectel 79.141.72.138 clean
79.141.72.52 RU OOO Network of data-centers Selectel 79.141.72.52 clean

Suricata ids

PE API

IAT (Import Address Table) Library

MSVCRT.dll
 0x40202c __p__fmode
 0x402030 __set_app_type
 0x402034 _except_handler3
 0x402038 __p__commode
 0x40203c _controlfp
 0x402040 _adjust_fdiv
 0x402044 __setusermatherr
 0x402048 _initterm
 0x40204c __getmainargs
 0x402050 _acmdln
 0x402054 exit
 0x402058 _XcptFilter
 0x40205c _exit
 0x402060 srand
 0x402064 memset
WININET.dll
 0x402074 InternetOpenW
 0x402078 InternetOpenUrlW
 0x40207c InternetReadFile
 0x402080 InternetCloseHandle
KERNEL32.dll
 0x402000 GetTickCount
 0x402004 CloseHandle
 0x402008 DeleteFileW
 0x40200c Sleep
 0x402010 CreateProcessW
 0x402014 GetModuleHandleA
 0x402018 GetStartupInfoA
 0x40201c CreateFileW
 0x402020 ExpandEnvironmentStringsW
 0x402024 WriteFile
USER32.dll
 0x40206c wsprintfW

EAT (Export Address Table) is none