popup

Report - imcr.exe

Malicious Library AntiDebug AntiVM PE File OS Processor Check PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.29 12:45 Machine s1_win7_x6402
Filename imcr.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
2
 Behavior Score
11.0
ZERO API file : malware
VT API (file) 48 detected (AIDetect, malware1, Injuke, malicious, high confidence, DownLoader41, GenericKD, Unsafe, Save, ZexaF, tqW@aOGd6ChG, Kryptik, Eldorado, Attribute, HighConfidence, HMGI, TrojanX, Obscure, CLASSIC, HPGANDCRAB, SMONT2, Minerva, guifh, kcloud, Sabsik, Fragtor, 11V48EH, score, SmokeLoader, R439087, ai score=82, Hwwh, Static AI, Suspicious PE, HMFH, GdSda, confidence, 100%, susgen)
md5 99d398716a945554c09b46769502d375
sha256 c0103863a7a7aa59b13f4253a2575b02f00f29a53251a13132ba34b1987b8dfa
ssdeep 6144:OWu3joBbvuSDU09wAoRsO7v5fVxafPKeBl8SmdscSy:O3q7uSDTwAqpDZrGc9LSy
imphash a3712f5292e4f38ef3a6c28b5ac50fb0
impfuzzy 48:BJNtqzODt/Zdp+jJGXGORaE7ycftqDYSWYL6/f:Ddpp6GXGpE7ycftcYSRL6/f
  Network IP location

Signature (21cnts)

Level Description
danger File has been identified by 48 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Installs itself for autorun at Windows startup
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Queries for the computername
info This executable has a PDB path

Rules (12cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (19cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://static.apiinformationsec.com/t
whois
US VOXEL-DOT-NET 63.251.106.25 clean
http://noone.contentmakersbyakamai.ru/t
whois
US STEADFAST 208.100.26.245 clean
http://mel.cloudcontentsmak.com/t
whois
DE 1&1 Ionos Se 87.106.18.122 clean
http://secure.jsc0nten1maker.com/t
whois
SG INTERNAP-BLK4 63.251.126.11 clean
smart.cloudnetwork.kz
whois
NL Scalaxy B.V. 37.1.207.157 mailcious
mel.cloudcontentsmak.com
whois
DE 1&1 Ionos Se 87.106.18.122 clean
nicru.supermicrotransapi.ru
whois
Unknown clean
static.apiinformation.kz
whois
Unknown clean
tel.jsapisettings.kz
whois
Unknown clean
secure.jsc0nten1maker.com
whois
SG INTERNAP-BLK4 63.251.126.11 clean
noone.contentmakersbyakamai.ru
whois
US STEADFAST 208.100.26.245 clean
static.apiinformationsec.com
whois
US VOXEL-DOT-NET 63.251.106.25 clean
secure.jscontentmaker.kz
whois
Unknown clean
js.securetopdevelopment.kz
whois
Unknown clean
63.251.106.25
whois
US VOXEL-DOT-NET 63.251.106.25 clean
63.251.126.11
whois
SG INTERNAP-BLK4 63.251.126.11 clean
87.106.18.122
whois
DE 1&1 Ionos Se 87.106.18.122 clean
208.100.26.245
whois
US STEADFAST 208.100.26.245 phishing
37.1.207.157
whois
NL Scalaxy B.V. 37.1.207.157 clean

Suricata ids

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x426000 GetThreadContext
 0x426004 EnumResourceNamesW
 0x426008 CreateMutexW
 0x42600c SetPriorityClass
 0x426010 GetNativeSystemInfo
 0x426014 FindFirstChangeNotificationW
 0x426018 lstrlenA
 0x42601c SetLocalTime
 0x426020 SetEndOfFile
 0x426024 GetQueuedCompletionStatus
 0x426028 GetSystemWindowsDirectoryW
 0x42602c GetNamedPipeHandleStateA
 0x426030 GetModuleHandleW
 0x426034 GetTickCount
 0x426038 GetConsoleAliasesLengthA
 0x42603c GetSystemTimeAsFileTime
 0x426040 GetPrivateProfileStringW
 0x426044 ReadConsoleW
 0x426048 WriteFile
 0x42604c SetCommState
 0x426050 GetCommandLineA
 0x426054 FindResourceExA
 0x426058 GetPrivateProfileIntA
 0x42605c LoadLibraryW
 0x426060 CopyFileW
 0x426064 GetConsoleAliasExesLengthW
 0x426068 SetConsoleMode
 0x42606c SetConsoleCursorPosition
 0x426070 IsDBCSLeadByte
 0x426074 GetOverlappedResult
 0x426078 GetStartupInfoW
 0x42607c GlobalUnlock
 0x426080 InterlockedExchange
 0x426084 GetFileSizeEx
 0x426088 SetCurrentDirectoryA
 0x42608c GetLastError
 0x426090 ReadConsoleOutputCharacterA
 0x426094 GetProcAddress
 0x426098 VirtualAlloc
 0x42609c WriteProfileSectionA
 0x4260a0 ResetEvent
 0x4260a4 LoadLibraryA
 0x4260a8 OpenMutexA
 0x4260ac CreateSemaphoreW
 0x4260b0 LocalAlloc
 0x4260b4 IsSystemResumeAutomatic
 0x4260b8 HeapWalk
 0x4260bc Process32NextW
 0x4260c0 FreeEnvironmentStringsW
 0x4260c4 EnumResourceNamesA
 0x4260c8 GetCurrentThreadId
 0x4260cc GetCPInfoExA
 0x4260d0 SetThreadAffinityMask
 0x4260d4 TlsAlloc
 0x4260d8 FindAtomW
 0x4260dc DeleteFileW
 0x4260e0 LCMapStringW
 0x4260e4 CopyFileExA
 0x4260e8 MultiByteToWideChar
 0x4260ec HeapValidate
 0x4260f0 IsBadReadPtr
 0x4260f4 RaiseException
 0x4260f8 Sleep
 0x4260fc InterlockedIncrement
 0x426100 InterlockedDecrement
 0x426104 ExitProcess
 0x426108 TlsGetValue
 0x42610c TlsSetValue
 0x426110 TlsFree
 0x426114 SetLastError
 0x426118 EnterCriticalSection
 0x42611c LeaveCriticalSection
 0x426120 TerminateProcess
 0x426124 GetCurrentProcess
 0x426128 UnhandledExceptionFilter
 0x42612c SetUnhandledExceptionFilter
 0x426130 IsDebuggerPresent
 0x426134 GetModuleFileNameW
 0x426138 SetHandleCount
 0x42613c GetStdHandle
 0x426140 GetFileType
 0x426144 GetStartupInfoA
 0x426148 DeleteCriticalSection
 0x42614c GetACP
 0x426150 GetOEMCP
 0x426154 GetCPInfo
 0x426158 IsValidCodePage
 0x42615c QueryPerformanceCounter
 0x426160 GetCurrentProcessId
 0x426164 GetEnvironmentStringsW
 0x426168 GetCommandLineW
 0x42616c HeapDestroy
 0x426170 HeapCreate
 0x426174 HeapFree
 0x426178 VirtualFree
 0x42617c GetModuleFileNameA
 0x426180 HeapAlloc
 0x426184 HeapSize
 0x426188 HeapReAlloc
 0x42618c RtlUnwind
 0x426190 InitializeCriticalSectionAndSpinCount
 0x426194 WideCharToMultiByte
 0x426198 DebugBreak
 0x42619c OutputDebugStringA
 0x4261a0 WriteConsoleW
 0x4261a4 OutputDebugStringW
 0x4261a8 LCMapStringA
 0x4261ac GetStringTypeA
 0x4261b0 GetStringTypeW
 0x4261b4 GetLocaleInfoA
 0x4261b8 SetFilePointer
 0x4261bc GetConsoleCP
 0x4261c0 GetConsoleMode
 0x4261c4 FlushFileBuffers
 0x4261c8 SetStdHandle
 0x4261cc WriteConsoleA
 0x4261d0 GetConsoleOutputCP
 0x4261d4 CloseHandle
 0x4261d8 CreateFileA
 0x4261dc GetModuleHandleA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure