Report - artifact.exe

Malicious Library PE64 PE File
ScreenShot
Created 2021.10.04 10:15 Machine s1_win7_x6402
Filename artifact.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
8
Behavior Score
3.6
ZERO API file : malware
VT API (file) 53 detected (CobaltStrike, malicious, high confidence, Meterpreter, CobaltStr, S17675256, confidence, 100%, Cobalt, Eldorado, gen1, Artifact, score, CozyDuke, jclyeh, HacktoolX, Hacktool, A + ATK, COBEACON, fsici, AGEN, ai score=100, ASMalwS, kcloud, R356638, FSXF, Unsafe, CLASSIC, GenAsa, ZICJWVi3Ujg, Static AI, Malicious PE)
md5 c354ad2705debb7a270777acf1574597
sha256 080c2647fb26ac8576014a21591465eba5b0ee03475f70e95bc3a4caa8d3642e
ssdeep 6144:aC9f3P6j+F2CwCwVXvGB+WifjQutFchhd9uhz6BEw:Tfiuj/kWiMut4h39BE
imphash 17b461a082950fc6332228572138b80c
impfuzzy 24:Q2kfg1JlDzncLb9aa0mezlMC95XGDZ8k1koDquQZn:gfg1jc/bezlzJGV8k1koqz
  Network IP location

Signature (7cnts)

Level Description
danger File has been identified by 53 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice The binary likely contains encrypted or compressed data indicative of a packer
info Queries for the computername

Rules (3cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://142.4.123.147:2087/api/3 US PEGTECHINC 142.4.123.147 clean
142.4.123.147 US PEGTECHINC 142.4.123.147 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x44b244 CloseHandle
 0x44b24c ConnectNamedPipe
 0x44b254 CreateFileA
 0x44b25c CreateNamedPipeA
 0x44b264 CreateThread
 0x44b26c DeleteCriticalSection
 0x44b274 EnterCriticalSection
 0x44b27c GetCurrentProcess
 0x44b284 GetCurrentProcessId
 0x44b28c GetCurrentThreadId
 0x44b294 GetLastError
 0x44b29c GetModuleHandleA
 0x44b2a4 GetProcAddress
 0x44b2ac GetStartupInfoA
 0x44b2b4 GetSystemTimeAsFileTime
 0x44b2bc GetTickCount
 0x44b2c4 InitializeCriticalSection
 0x44b2cc LeaveCriticalSection
 0x44b2d4 LoadLibraryW
 0x44b2dc QueryPerformanceCounter
 0x44b2e4 ReadFile
 0x44b2ec RtlAddFunctionTable
 0x44b2f4 RtlCaptureContext
 0x44b2fc RtlLookupFunctionEntry
 0x44b304 RtlVirtualUnwind
 0x44b30c SetUnhandledExceptionFilter
 0x44b314 Sleep
 0x44b31c TerminateProcess
 0x44b324 TlsGetValue
 0x44b32c UnhandledExceptionFilter
 0x44b334 VirtualAlloc
 0x44b33c VirtualProtect
 0x44b344 VirtualQuery
 0x44b34c WriteFile
msvcrt.dll
 0x44b35c __C_specific_handler
 0x44b364 __dllonexit
 0x44b36c __getmainargs
 0x44b374 __initenv
 0x44b37c __iob_func
 0x44b384 __lconv_init
 0x44b38c __set_app_type
 0x44b394 __setusermatherr
 0x44b39c _acmdln
 0x44b3a4 _amsg_exit
 0x44b3ac _cexit
 0x44b3b4 _fmode
 0x44b3bc _initterm
 0x44b3c4 _lock
 0x44b3cc _onexit
 0x44b3d4 _unlock
 0x44b3dc abort
 0x44b3e4 calloc
 0x44b3ec exit
 0x44b3f4 fprintf
 0x44b3fc free
 0x44b404 fwrite
 0x44b40c malloc
 0x44b414 memcpy
 0x44b41c signal
 0x44b424 sprintf
 0x44b42c strlen
 0x44b434 strncmp
 0x44b43c vfprintf

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure