popup

Report - BS.exe

Malicious Packer UPX Malicious Library PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.05 10:02 Machine s1_win7_x6402
Filename BS.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
5.4
ZERO API file : malware
VT API (file) 35 detected (Crysan, malicious, high confidence, score, Bulz, confidence, 100%, Attribute, HighConfidence, FileRepMalware, UMal, obnrr@0, KillProc2, Outbreak, kcloud, Sabsik, NetWiredRC, Artemis, ai score=100, Unsafe, R002H07J421, Static AI, Malicious PE, ZevbaF, Am3@aq@kpuei)
md5 4589e8f916643c5d21b413d5ddaa0105
sha256 9b41bf8f85747590a77dcb1f08634cc250eec349b6b3f25d640fb4cf0c69713f
ssdeep 3072:pwAM4NjvB4vMdq5hs5Uz/nVu4wLT+4aHBgMwYX7aVKiEgjeSTsxCatgfVapBXt:pc4vq5hs5I/nc4w0oVKiEgKaratgMZ
imphash 4443ba86c457722dd58af4e4410113ef
impfuzzy 12:nTdPWwPh9cAU1s7c/uA4DSoTY1n9anUaICTKTp9MR0lR9labG9GSwO:n5Pos7xm6nLaTp9MObTAQj
  Network IP location

Signature (10cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Performs some HTTP requests
info One or more processes crashed

Rules (10cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://go.microsoft.com/fwlink?linkid=30219&locale=ko-KR&clientType=VISTA_GAMES&clientVersion=6.1.2
whois
US Akamai International B.V. 104.75.21.121 clean
movie.metaservices.microsoft.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 65.55.186.113 clean
65.55.186.115
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 65.55.186.115 clean
104.75.21.121
whois
US Akamai International B.V. 104.75.21.121 clean

Suricata ids

PE API

IAT(Import Address Table) Library

MSVBVM60.DLL
 0x401000 None
 0x401004 None
 0x401008 None
 0x40100c None
 0x401010 MethCallEngine
 0x401014 None
 0x401018 None
 0x40101c None
 0x401020 None
 0x401024 None
 0x401028 None
 0x40102c None
 0x401030 None
 0x401034 None
 0x401038 None
 0x40103c None
 0x401040 None
 0x401044 None
 0x401048 None
 0x40104c None
 0x401050 None
 0x401054 None
 0x401058 None
 0x40105c None
 0x401060 None
 0x401064 None
 0x401068 EVENT_SINK_AddRef
 0x40106c None
 0x401070 None
 0x401074 None
 0x401078 DllFunctionCall
 0x40107c EVENT_SINK_Release
 0x401080 EVENT_SINK_QueryInterface
 0x401084 __vbaExceptHandler
 0x401088 None
 0x40108c None
 0x401090 None
 0x401094 None
 0x401098 None
 0x40109c None
 0x4010a0 None
 0x4010a4 None
 0x4010a8 None
 0x4010ac ProcCallEngine
 0x4010b0 None
 0x4010b4 None
 0x4010b8 None
 0x4010bc None
 0x4010c0 None
 0x4010c4 None
 0x4010c8 None
 0x4010cc None
 0x4010d0 None
 0x4010d4 None
 0x4010d8 None
 0x4010dc None
 0x4010e0 None
 0x4010e4 None
 0x4010e8 None
 0x4010ec None
 0x4010f0 None

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure