popup

Report - bear.jpg.exe

Generic Malware UPX Antivirus PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.28 02:59 Machine s1_win7_x6401
Filename bear.jpg.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
8
 Behavior Score
9.0
ZERO API file : malware
VT API (file) 55 detected (AIDetectVM, malware1, malicious, high confidence, GenericKD, Scrami, Unsafe, AutoIt, Eldorado, Attribute, HighConfidence, Povertel, Ebht, Malware@#342mw9fxiosud, AGEN, USMANLH20, TrojanAitInject, Score, ai score=87, Sysn, kcloud, Ymacco, R352573, Fuerboos, PSRunner, CLASSIC, susgen, confidence)
md5 1d9dcacc61aaacca64e3776e9bb06e94
sha256 2fb9d1f6c39bdd44d58fb6c896187dbb937a1c7350a137b24ff377cc29aa580a
ssdeep 6144:lof7DeNUSfGgHCU/2McdfoI/ZX0rYfCzuCCMQZN/OdnFQ8+uXNvxsCBpYu+6ZfOP:UYV6MorX7qzuC3QHO9FQgd5sCBlfOP
imphash 712f4a29c405ecb576101d367b2180fb
impfuzzy 12:ovKDHLdABZG/DzpM78r4B3ExjLAkcOaiTQQnd3mxCHH:HHLdC+DFM7PxExjLAkcOV2kn
  Network IP location

Signature (21cnts)

Level Description
danger File has been identified by 55 AntiVirus engines on VirusTotal as malicious
watch Creates a suspicious Powershell process
watch Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch One or more non-whitelisted processes were created
watch The process powershell.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Poweshell is sending data to a remote host
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
notice URL downloaded by powershell script
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (5cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://paste.ee/r/5DfGL
whois
US CLOUDFLARENET 104.26.5.223 mailcious
https://paste.ee/r/nCYHY
whois
US CLOUDFLARENET 104.26.5.223 malware
paste.ee
whois
US CLOUDFLARENET 104.26.5.223 mailcious
104.26.5.223
whois
US CLOUDFLARENET 104.26.5.223 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x4e8af0 GetAce
COMCTL32.dll
 0x4e8af8 ImageList_Remove
COMDLG32.dll
 0x4e8b00 GetOpenFileNameW
GDI32.dll
 0x4e8b08 LineTo
IPHLPAPI.DLL
 0x4e8b10 IcmpSendEcho
KERNEL32.DLL
 0x4e8b18 LoadLibraryA
 0x4e8b1c ExitProcess
 0x4e8b20 GetProcAddress
 0x4e8b24 VirtualProtect
MPR.dll
 0x4e8b2c WNetUseConnectionW
ole32.dll
 0x4e8b34 CoGetObject
OLEAUT32.dll
 0x4e8b3c VariantInit
PSAPI.DLL
 0x4e8b44 GetProcessMemoryInfo
SHELL32.dll
 0x4e8b4c DragFinish
USER32.dll
 0x4e8b54 GetDC
USERENV.dll
 0x4e8b5c LoadUserProfileW
UxTheme.dll
 0x4e8b64 IsThemeActive
VERSION.dll
 0x4e8b6c VerQueryValueW
WININET.dll
 0x4e8b74 FtpOpenFileW
WINMM.dll
 0x4e8b7c timeGetTime
WSOCK32.dll
 0x4e8b84 connect

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure