Report - hfs.exe

Tags: Generic Malware, PE File, PE32

Created: 2021.10.02 12:54    Machine: s1_win7_x6402
Filename: hfs.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 8
Behavior Score: 7.2
ZERO API (file): clean
VT API (file): 46 detected (AIDetect, malware1, malicious, high confidence, Zusy, Farfli, GenericRXAA, Unsafe, Save, ZexaF, uq0@a0Pur9hb, Attribute, HighConfidence, CJVZ, jcgarw, Kryptik, CLASSIC, Magania, F@7jjkv4, ZEGOST, SMAL02, Artemis, Static AI, Malicious PE, xgpce, ai score=88, ASMalwS, score, BScope, Gencirc, 01N01P9nhGc, BNZS, GdSda, confidence)
md5:      759e5f4dbc7432a87a19bcff1ae50ab7
sha256:   680e418e349d611812a6afd357c39fa4fe3baf32cd95012f9b0632a364f2f349
ssdeep:   3072:4bTIIignViP0xBjOhkWJZCpphe70tnIIfP6F2UIHTuDaim722TZ:4bGs9ihkWTIt382rfim722T
imphash:  176ae228fdbb9c32a42193217973b3dd
impfuzzy: 24:ecl5t2JPJI9hbDk3CIgOYiB+5T0v+GdWX3Te2sF6FPpP6cD9ta90Dfj7sOosONeh:e65IJI7k3/+x02GIXDgUeW9QlO3Osj

Signatures (16)

Level   Description
danger  File has been identified by 46 AntiVirus engines on VirusTotal as malicious
watch   Expresses interest in specific running processes
watch   Installs itself for autorun at Windows startup
watch   Ramnit malware indicators found
notice  Allocates read-write-execute memory (usually to unpack itself)
notice  Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice  Creates a service
notice  Creates executable files on the filesystem
notice  Drops an executable to the user AppData folder
notice  Foreign language identified in PE resource
notice  Queries the disk size, which can be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice  Repeatedly searches for a not-found process
notice  Searches running processes, potentially to identify sandbox processes for evasion
info    Checks amount of memory in system
info    One or more processes crashed
info    The executable uses a known packer

Rules (5)

Level    Name                  Description         Collection
warning  Generic_Malware_Zero  Generic Malware     binaries (upload)
info     IsPE32                (no description)    binaries (download)
info     IsPE32                (no description)    binaries (upload)
info     PE_Header_Zero        PE File Signature   binaries (download)
info     PE_Header_Zero        PE File Signature   binaries (upload)

Network (6)

Request          CC  ASN                                            IP4              Rule / ZERO verdict
google.com       US  GOOGLE                                         142.250.196.142  clean
caiyundf.cn      CN  CHINANET Liaoning province Dalian MAN network  103.45.185.68    clean
fget-career.com  NL  VOXEL-DOT-NET                                  72.26.218.70     malicious
142.250.204.46   US  GOOGLE                                         142.250.204.46   clean
72.26.218.70     NL  VOXEL-DOT-NET                                  72.26.218.70     clean
103.45.185.68    CN  CHINANET Liaoning province Dalian MAN network  103.45.185.68    malicious
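
The table above scores each indicator on its own, so fget-career.com is flagged while the IP it resolved to (72.26.218.70) is "clean", and the reverse holds for caiyundf.cn and 103.45.185.68. The script below is an added example by the editor, not part of the sandbox output: it groups the rows by IP, lets the worst verdict win for the whole cluster, and lists the rows that disagree with their cluster. ROWS is transcribed from the table (constructed input), and the grouping rule is the editor's assumption, not something the sandbox does.

```python
"""Consolidate per-indicator network verdicts by IP cluster.

Added example, not part of the sandbox report. ROWS is transcribed from the
Network table of the report (constructed input). The report spells the
verdict "mailcious" in some rows, so verdicts are normalised first.
"""
from collections import defaultdict

# The report's own spelling of the verdict; map it to the canonical form.
VERDICT_ALIASES = {"mailcious": "malicious"}

ROWS = [
    # (request, country, asn, ip, verdict) as printed in the report
    ("google.com", "US", "GOOGLE", "142.250.196.142", "clean"),
    ("caiyundf.cn", "CN", "CHINANET Liaoning province Dalian MAN network", "103.45.185.68", "clean"),
    ("fget-career.com", "NL", "VOXEL-DOT-NET", "72.26.218.70", "mailcious"),
    ("142.250.204.46", "US", "GOOGLE", "142.250.204.46", "clean"),
    ("72.26.218.70", "NL", "VOXEL-DOT-NET", "72.26.218.70", "clean"),
    ("103.45.185.68", "CN", "CHINANET Liaoning province Dalian MAN network", "103.45.185.68", "mailcious"),
]


def normalise(verdict):
    """Lower-case the verdict and fold known misspellings."""
    v = verdict.strip().lower()
    return VERDICT_ALIASES.get(v, v)


def consolidate(rows):
    """Group rows by IP; a cluster is malicious if any member is."""
    clusters = defaultdict(lambda: {"indicators": [], "verdict": "clean", "asn": None})
    for request, _cc, asn, ip, verdict in rows:
        cluster = clusters[ip]
        cluster["asn"] = asn
        cluster["indicators"].append(request)
        if normalise(verdict) == "malicious":
            cluster["verdict"] = "malicious"
    return dict(clusters)


def blocklist(rows):
    """Every domain or IP that belongs to a malicious cluster, sorted."""
    out = set()
    for ip, cluster in consolidate(rows).items():
        if cluster["verdict"] == "malicious":
            out.update(cluster["indicators"])
            out.add(ip)
    return sorted(out)


def disagreements(rows):
    """Requests whose own verdict differs from their cluster's verdict."""
    clusters = consolidate(rows)
    return sorted(request for request, _cc, _asn, ip, verdict in rows
                  if normalise(verdict) != clusters[ip]["verdict"])


if __name__ == "__main__":
    for ip, cluster in consolidate(ROWS).items():
        print(ip, cluster["verdict"], cluster["indicators"])
    print("blocklist:", blocklist(ROWS))
    print("disagreements:", disagreements(ROWS))
```

The two GOOGLE rows are most likely a connectivity check rather than command and control; the script still keeps them as separate clean clusters rather than dropping them, so that decision stays with the analyst.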

Suricata IDS

PE API

IAT (Import Address Table), by library

MFC42.DLL (51 entries, no names resolved: MFC42 exports by ordinal)
 0x40409c None
 0x4040a0 None
 0x4040a4 None
 0x4040a8 None
 0x4040ac None
 0x4040b0 None
 0x4040b4 None
 0x4040b8 None
 0x4040bc None
 0x4040c0 None
 0x4040c4 None
 0x4040c8 None
 0x4040cc None
 0x4040d0 None
 0x4040d4 None
 0x4040d8 None
 0x4040dc None
 0x4040e0 None
 0x4040e4 None
 0x4040e8 None
 0x4040ec None
 0x4040f0 None
 0x4040f4 None
 0x4040f8 None
 0x4040fc None
 0x404100 None
 0x404104 None
 0x404108 None
 0x40410c None
 0x404110 None
 0x404114 None
 0x404118 None
 0x40411c None
 0x404120 None
 0x404124 None
 0x404128 None
 0x40412c None
 0x404130 None
 0x404134 None
 0x404138 None
 0x40413c None
 0x404140 None
 0x404144 None
 0x404148 None
 0x40414c None
 0x404150 None
 0x404154 None
 0x404158 None
 0x40415c None
 0x404160 None
 0x404164 None
MSVCRT.dll
 0x40416c _controlfp
 0x404170 _except_handler3
 0x404174 __set_app_type
 0x404178 __p__fmode
 0x40417c __p__commode
 0x404180 _adjust_fdiv
 0x404184 __setusermatherr
 0x404188 _initterm
 0x40418c __getmainargs
 0x404190 _acmdln
 0x404194 exit
 0x404198 _XcptFilter
 0x40419c _exit
 0x4041a0 ??1type_info@@UAE@XZ
 0x4041a4 __dllonexit
 0x4041a8 _CxxThrowException
 0x4041ac __CxxFrameHandler
 0x4041b0 _onexit
KERNEL32.dll
 0x404000 ClearCommError
 0x404004 ClearCommBreak
 0x404008 SetCommBreak
 0x40400c SetCommConfig
 0x404010 GetCommConfig
 0x404014 TransmitCommChar
 0x404018 GetOverlappedResult
 0x40401c WriteFile
 0x404020 ReadFile
 0x404024 CloseHandle
 0x404028 CreateFileA
 0x40402c CreateEventA
 0x404030 FormatMessageA
 0x404034 lstrcpynA
 0x404038 LocalFree
 0x40403c GetLastError
 0x404040 FreeLibrary
 0x404044 LoadLibraryA
 0x404048 GetProcAddress
 0x40404c WaitForSingleObject
 0x404050 GetCommState
 0x404054 SetCommState
 0x404058 EscapeCommFunction
 0x40405c GetCommProperties
 0x404060 GetCommModemStatus
 0x404064 SetCommMask
 0x404068 GetCommMask
 0x40406c FlushFileBuffers
 0x404070 PurgeComm
 0x404074 SetupComm
 0x404078 SetCommTimeouts
 0x40407c GetCommTimeouts
 0x404080 WaitCommEvent
 0x404084 VirtualAlloc
 0x404088 VirtualFree
 0x40408c GetModuleHandleA
 0x404090 GetStartupInfoA
 0x404094 GetDefaultCommConfigA

EAT (Export Address Table): none
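
The import table above is worth reading against the signatures section: the only memory APIs imported are VirtualAlloc and VirtualFree, LoadLibraryA and GetProcAddress are present, no networking DLL is imported at all, and half of KERNEL32's entries are serial-port (Comm*) functions. The script below is an added example by the editor, not part of the sandbox output: it transcribes the IAT into a dict and applies a few static heuristics that explain why a "known packer" verdict and runtime-only behaviour (network traffic, protection changes) are consistent with this small import set. The heuristics and the notes they produce are the editor's assumptions, not rules from the sandbox.

```python
"""Static triage over the import table printed in this report.

Added example, not part of the sandbox output. IMPORTS is transcribed from
the IAT section above (constructed input); MFC42.DLL entries are None
because the report could not resolve them (MFC42 exports by ordinal).
"""

# DLLs whose presence would indicate networking code visible statically.
NETWORK_DLLS = {"WS2_32", "WSOCK32", "WININET", "WINHTTP", "URLMON", "DNSAPI"}

IMPORTS = {
    "MFC42.DLL": [None] * 51,
    "MSVCRT.dll": [
        "_controlfp", "_except_handler3", "__set_app_type", "__p__fmode",
        "__p__commode", "_adjust_fdiv", "__setusermatherr", "_initterm",
        "__getmainargs", "_acmdln", "exit", "_XcptFilter", "_exit",
        "??1type_info@@UAE@XZ", "__dllonexit", "_CxxThrowException",
        "__CxxFrameHandler", "_onexit",
    ],
    "KERNEL32.dll": [
        "ClearCommError", "ClearCommBreak", "SetCommBreak", "SetCommConfig",
        "GetCommConfig", "TransmitCommChar", "GetOverlappedResult", "WriteFile",
        "ReadFile", "CloseHandle", "CreateFileA", "CreateEventA",
        "FormatMessageA", "lstrcpynA", "LocalFree", "GetLastError",
        "FreeLibrary", "LoadLibraryA", "GetProcAddress", "WaitForSingleObject",
        "GetCommState", "SetCommState", "EscapeCommFunction",
        "GetCommProperties", "GetCommModemStatus", "SetCommMask", "GetCommMask",
        "FlushFileBuffers", "PurgeComm", "SetupComm", "SetCommTimeouts",
        "GetCommTimeouts", "WaitCommEvent", "VirtualAlloc", "VirtualFree",
        "GetModuleHandleA", "GetStartupInfoA", "GetDefaultCommConfigA",
    ],
}


def triage(imports):
    """Derive findings from import names only; no binary access needed."""
    names = {n for fns in imports.values() for n in fns if n}
    unresolved = {dll: sum(1 for n in fns if n is None) for dll, fns in imports.items()}
    # Dynamic API resolution: the real API surface is only visible at runtime.
    dynamic = bool({"LoadLibraryA", "LoadLibraryW"} & names) and "GetProcAddress" in names
    memory = sorted({"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "VirtualFree"} & names)
    net_dlls = sorted(d for d in imports if d.split(".")[0].upper() in NETWORK_DLLS)
    serial = sorted(n for n in names if "Comm" in n)

    notes = []  # editor's interpretation of the combinations above
    if dynamic and "VirtualAlloc" in names:
        notes.append("LoadLibraryA + GetProcAddress + VirtualAlloc: typical unpacking "
                     "stub; the payload's own imports are resolved after unpacking")
    if dynamic and "VirtualProtect" not in names:
        notes.append("VirtualProtect is not imported: a protection change observed at "
                     "runtime must come from a runtime-resolved API or a second stage")
    if not net_dlls:
        notes.append("no networking DLL imported: sandbox network traffic must come "
                     "from unpacked code or a dropped component")
    if serial:
        notes.append("%d serial-port (Comm*) APIs unrelated to the observed behaviour; "
                     "check whether that code is reachable or only decorative" % len(serial))
    return {
        "unresolved_by_dll": unresolved,
        "dynamic_resolution": dynamic,
        "memory_apis": memory,
        "network_dlls": net_dlls,
        "serial_comm_apis": serial,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in triage(IMPORTS).items():
        print(key, "->", value)
```

The point of running this before dynamic analysis is to set expectations: with this IAT, the absence of WS2_32/WININET imports is not evidence that the sample has no network capability, and the MFC42 ordinals would need a name-resolution table for that DLL version before the imphash can be reasoned about by hand.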



Similarity measure (PE file only) - Checking for service failure