popup

Report - vmnet.exe

RAT Generic Malware Antivirus PE64 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.15 09:42 Machine s1_win7_x6402
Filename vmnet.exe
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
AI Score
6
 Behavior Score
6.4
ZERO API file : malware
VT API (file) 39 detected (Bulz, malicious, high confidence, score, confidence, Seraph, Kryptik, ACTE, PWSX, Ahya, AGEN, Siggen15, Artemis, kcloud, Sabsik, ai score=84, Unsafe, Static AI, Malicious PE)
md5 e07ce1ac09be171289b93538009c471c
sha256 d6140622785d188975ff7d8886fc4bf675597d064c939efe0d391e3dec0610d8
ssdeep 24576:QDNgWUB2AkeR7nTXTQXKmZUXQbYlXJmTvx8:QBgWUB2AkeBnIXK0elXMT+
imphash
impfuzzy 3::
  Network IP location

Signature (16cnts)

Level Description
danger File has been identified by 39 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Executes one or more WMI queries
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (6cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
www.youtube.com
whois
US GOOGLE 172.217.161.46 clean
www.google.com
whois
US GOOGLE 142.250.196.100 clean
142.250.66.132
whois
US GOOGLE 142.250.66.132 clean
142.250.204.78
whois
US GOOGLE 142.250.204.78 clean

Suricata ids

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure