Report - beacon.exe

Tags: Malicious Library, PE File, PE32
Created: 2021.09.04 14:12   Machine: s1_win7_x6401
Filename: beacon.exe
Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score: 6
Behavior Score: 3.2
ZERO API (file): malware
VT API (file): 57 detected (AIDetect, malware1, CozyDuke, trLC, malicious, high confidence, rCW@ILpZfAc, Unsafe, Save, Rozena, confidence, 100%, Diple, Eldorado, CobaltStrike, hpcmlv, HacktoolX, CLASSIC, R + ATK, Cobalt, Siggen2, Cometer, XPACK, Gen7, ASMalwS, kcloud, score, R329694, GenericRXMO, ai score=81, Hacktool, GenAsa, C5jzoNrl5s, Static AI, Malicious PE, susgen)
md5: 8d8d168e25d41e2d4304c08cb3105d9b
sha256: 669fcafcaf217a0ae7776d1c98b6cbb4fd75fb97b12965185136a09c7bfc0ef2
ssdeep: 3072:KR15m+yOMvRli6eKU3jPmrOH4PXjel/51+YtwpxoqGZ21SQ1P9Kz:KR/z683jGoIjel/51+qmPD1SQJ9
imphash: dc25ee78e2ef4d36faa0badf1e7461c9
impfuzzy: 24:Q2kfiK1JlDzncLLb9Lezd5XGDZEkqkoDquQZn:gfiK1jcTtezdJGVEkqkoqz

Signatures (6)

Level   Description
danger  File has been identified by 57 AntiVirus engines on VirusTotal as malicious
watch   Communicates with host for which no DNS query was performed
notice  A process attempted to delay the analysis task.
notice  Allocates read-write-execute memory (usually to unpack itself)
notice  Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
info    Queries for the computername
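The "Communicates with host for which no DNS query was performed" signature is worth reproducing outside the sandbox, because a beacon configured with a hard-coded C2 address leaves exactly this gap in any DNS log. The script below is an added example and is not part of the report or of the sandbox's own signature code. It correlates a constructed, time-ordered list of DNS-answer and connection events and flags every connection to a public address that no DNS answer returned within the preceding window. The event tuple format, the window length and the example.com lookup are assumptions made for the illustration; only the 185.156.73.37 destination is taken from the report.

```python
"""Flag outbound connections to hosts that were never resolved via DNS.

Added example (not part of the sandbox report). Event format: (epoch seconds,
kind, fields) where kind is "dns" (fields: query, answers) or "conn"
(fields: dst, dport). Adapt the loader to Zeek dns.log/conn.log, Sysmon
event IDs 22/3, or whatever telemetry you actually have.
"""
import ipaddress

# Constructed sample events. 185.156.73.37 is the C2 address in the report;
# the example.com lookup and the sandbox-gateway connection are invented to
# exercise the non-flagged paths.
SAMPLE_EVENTS = [
    (1630764720.0, "dns", {"query": "example.com", "answers": ["93.184.216.34"]}),
    (1630764720.5, "conn", {"dst": "93.184.216.34", "dport": 443}),
    (1630764721.0, "conn", {"dst": "192.168.56.1", "dport": 53}),   # RFC1918, ignored
    (1630764725.0, "conn", {"dst": "185.156.73.37", "dport": 443}),
    (1630764790.0, "conn", {"dst": "185.156.73.37", "dport": 443}),
]


def is_internal(ip):
    """Private, loopback, link-local and multicast destinations are noise here."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast


def connections_without_dns(events, window=300.0):
    """Return (timestamp, dst_ip) for each connection to a public address
    that no DNS answer carried within the preceding `window` seconds."""
    resolved = {}   # ip -> timestamp of the most recent DNS answer containing it
    hits = []
    for ts, kind, fields in sorted(events, key=lambda e: e[0]):
        if kind == "dns":
            for ip in fields.get("answers", []):
                resolved[ip] = ts
        elif kind == "conn":
            dst = fields["dst"]
            if is_internal(dst):
                continue
            last = resolved.get(dst)
            if last is None or ts - last > window:
                hits.append((ts, dst))
    return hits


def summarize(hits):
    """Collapse hits to {ip: number of unresolved connections}."""
    counts = {}
    for _, ip in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = connections_without_dns(SAMPLE_EVENTS)
    for ts, ip in hits:
        print(f"{ts:.1f}  connection to {ip} with no preceding DNS answer")
    print(summarize(hits))
```

Two of the five events fire, both for the report's C2 address; the resolved example.com connection and the private-range connection do not. The repeat at a fixed interval is itself a useful secondary signal for a beacon, which is why the summary keeps the count rather than deduplicating.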

Rules (3)

Level   Name                    Description         Collection
watch   Malicious_Library_Zero  Malicious_Library   binaries (upload)
info    IsPE32                  (no description)    binaries (upload)
info    PE_Header_Zero          PE File Signature   binaries (upload)

Network (1)

Request        CC  ASN company                      IP4            Rule  ZERO
185.156.73.37  RU  Chelyshev Sergej Aleksandrovich  185.156.73.37        malware

Suricata ids

PE API

IAT (Import Address Table), by library

KERNEL32.dll
 0x448138 CloseHandle
 0x44813c ConnectNamedPipe
 0x448140 CreateFileA
 0x448144 CreateNamedPipeA
 0x448148 CreateThread
 0x44814c DeleteCriticalSection
 0x448150 EnterCriticalSection
 0x448154 FreeLibrary
 0x448158 GetCurrentProcess
 0x44815c GetCurrentProcessId
 0x448160 GetCurrentThreadId
 0x448164 GetLastError
 0x448168 GetModuleHandleA
 0x44816c GetProcAddress
 0x448170 GetStartupInfoA
 0x448174 GetSystemTimeAsFileTime
 0x448178 GetTickCount
 0x44817c InitializeCriticalSection
 0x448180 LeaveCriticalSection
 0x448184 LoadLibraryA
 0x448188 LoadLibraryW
 0x44818c QueryPerformanceCounter
 0x448190 ReadFile
 0x448194 SetUnhandledExceptionFilter
 0x448198 Sleep
 0x44819c TerminateProcess
 0x4481a0 TlsGetValue
 0x4481a4 UnhandledExceptionFilter
 0x4481a8 VirtualAlloc
 0x4481ac VirtualProtect
 0x4481b0 VirtualQuery
 0x4481b4 WriteFile
msvcrt.dll
 0x4481bc __dllonexit
 0x4481c0 __getmainargs
 0x4481c4 __initenv
 0x4481c8 __lconv_init
 0x4481cc __set_app_type
 0x4481d0 __setusermatherr
 0x4481d4 _acmdln
 0x4481d8 _amsg_exit
 0x4481dc _cexit
 0x4481e0 _fmode
 0x4481e4 _initterm
 0x4481e8 _iob
 0x4481ec _lock
 0x4481f0 _onexit
 0x4481f4 _unlock
 0x4481f8 _winmajor
 0x4481fc abort
 0x448200 calloc
 0x448204 exit
 0x448208 fprintf
 0x44820c free
 0x448210 fwrite
 0x448214 malloc
 0x448218 memcpy
 0x44821c signal
 0x448220 sprintf
 0x448224 strlen
 0x448228 strncmp
 0x44822c vfprintf

EAT (Export Address Table): none
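The import table above already explains most of the sandbox's behaviour signatures: VirtualAlloc plus VirtualProtect plus CreateThread is the classic allocate-RWX, flip-to-RX, run-it sequence; LoadLibraryA plus GetProcAddress lets the payload resolve the rest of its API at runtime (which is why the computer-name query appears in behaviour but not in the IAT); and CreateNamedPipeA plus ConnectNamedPipe plus ReadFile/WriteFile is a pipe server. The script below is an added example, not part of the report, and does two things with the listing transcribed from the page: it rebuilds the imphash input string the way pefile does (lower-cased `dll.function`, extension stripped, comma-joined in import-directory order) and hashes it, and it scores which of those API combinations are present. The API groups and their labels are this example's own heuristic, not a published rule. Whether the computed hash equals the reported imphash depends on the listing being complete and in directory order, which the page does not guarantee, so treat a mismatch as a transcription or ordering problem rather than evidence about the sample.

```python
"""Import-table triage for the beacon.exe IAT listed above.

Added example, not part of the sandbox report. IMPORTS is transcribed from the
page in the order shown; API_GROUPS is a hand-written heuristic.
"""
import hashlib

IMPORTS = {
    "KERNEL32.dll": [
        "CloseHandle", "ConnectNamedPipe", "CreateFileA", "CreateNamedPipeA",
        "CreateThread", "DeleteCriticalSection", "EnterCriticalSection",
        "FreeLibrary", "GetCurrentProcess", "GetCurrentProcessId",
        "GetCurrentThreadId", "GetLastError", "GetModuleHandleA",
        "GetProcAddress", "GetStartupInfoA", "GetSystemTimeAsFileTime",
        "GetTickCount", "InitializeCriticalSection", "LeaveCriticalSection",
        "LoadLibraryA", "LoadLibraryW", "QueryPerformanceCounter", "ReadFile",
        "SetUnhandledExceptionFilter", "Sleep", "TerminateProcess",
        "TlsGetValue", "UnhandledExceptionFilter", "VirtualAlloc",
        "VirtualProtect", "VirtualQuery", "WriteFile",
    ],
    "msvcrt.dll": [
        "__dllonexit", "__getmainargs", "__initenv", "__lconv_init",
        "__set_app_type", "__setusermatherr", "_acmdln", "_amsg_exit",
        "_cexit", "_fmode", "_initterm", "_iob", "_lock", "_onexit",
        "_unlock", "_winmajor", "abort", "calloc", "exit", "fprintf",
        "free", "fwrite", "malloc", "memcpy", "signal", "sprintf",
        "strlen", "strncmp", "vfprintf",
    ],
}

# Every API in a group must be present for the group to fire (heuristic).
API_GROUPS = {
    "in-memory execution (alloc RWX, change protection, start thread)":
        {"VirtualAlloc", "VirtualProtect", "CreateThread"},
    "runtime API resolution (imports resolved after unpacking)":
        {"LoadLibraryA", "GetProcAddress"},
    "named-pipe server (pipe-based peer-to-peer channel)":
        {"CreateNamedPipeA", "ConnectNamedPipe", "ReadFile", "WriteFile"},
    "sleep/timing primitives (analysis delay, beacon interval)":
        {"Sleep", "GetTickCount"},
}

_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")   # same set pefile strips


def imphash_string(imports):
    """Build the pefile imphash input: 'lib.func' in lower case, library
    extension removed, entries comma-joined in import-directory order."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in _STRIPPED_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports):
    """MD5 of the imphash string, as pefile's get_imphash() computes it."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def fired_groups(imports):
    """Names of heuristic groups whose APIs are all present in the IAT."""
    present = {func for funcs in imports.values() for func in funcs}
    return [name for name, apis in API_GROUPS.items() if apis <= present]


if __name__ == "__main__":
    print("imphash:", imphash(IMPORTS), "(reported: dc25ee78e2ef4d36faa0badf1e7461c9)")
    for name in fired_groups(IMPORTS):
        print("fires:", name)
```

All four groups fire on this listing. The named-pipe group is the one worth noting for hunting: a GUI executable with no export table that serves a named pipe and allocates executable memory is a narrow enough profile to pivot on in EDR telemetry, independently of the VirusTotal verdicts.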
