popup

Report - SmartPDF.exe

Generic Malware PE File PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.07 08:33 Machine s1_win7_x6402
Filename SmartPDF.exe
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
AI Score
8
 Behavior Score
6.6
ZERO API file : malware
VT API (file) 37 detected (malicious, high confidence, GenericKD, Artemis, Unsafe, AgentTesla, confidence, Kryptik, ACHI, CoinminerX, Dxwv, PackedNET, Static AI, Malicious PE, Score, AGEN, ai score=100, Krypt, susgen, GenKryptik, FHLO)
md5 194566000b641a6a1df824c6dbf3d7b7
sha256 daa1deb5163bb455bb9fbc7fb6c080de489730a18a51275881b95905c2d0f37a
ssdeep 384:p40uooW1k05USnmLHL2CMq2JFEsN244HD:SLoo/dSnmLLcnJ3+D
imphash
impfuzzy 3::
  Network IP location

Signature (17cnts)

Level Description
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info Queries for the computername

Rules (3cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://bitbucket.org/Sanctam/sanctam/raw/6886fdce0f0a2bb81eece107d8acbd20b349ca2f/includes/ethminer
whois
US ATLASSIAN PTY LTD 104.192.141.1 4430 malware
sanctam.net
whois
SE 31173 Services AB 185.65.135.234 mailcious
bitbucket.org
whois
US ATLASSIAN PTY LTD 104.192.141.1 malware
185.65.135.234
whois
SE 31173 Services AB 185.65.135.234 clean
104.192.141.1
whois
US ATLASSIAN PTY LTD 104.192.141.1 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure