popup

Report - QTL076213000008.exe

RAT Generic Malware Antivirus PE File PE32 .NET EXE
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.08 11:39 Machine s1_win7_x6401
Filename QTL076213000008.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
6
 Behavior Score
5.8
ZERO API file : malware
VT API (file) 16 detected (malicious, high confidence, score, MCrypt, confidence, Kryptik, Eldorado, FCZZ, AGEN, kcloud, Sabsik, Unsafe, Static AI, Malicious PE, ZemsilCO, cm0@aSQordn)
md5 70eeaeae5a9624ca4fbaaef91d2adfdb
sha256 e2974131c2b7d7c62379556b860db19f2dd28dbd77eddf01bd0dba673c5cd6b8
ssdeep 384:/i4USCeTm1uMxjzXK9byEvb9sPESkV/7ijV/tasUW6fFQ+l:/intWm1BxjzXK9hvb9ssSc/OjTJ6F
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (16cnts)

Level Description
watch File has been identified by 16 AntiVirus engines on VirusTotal as malicious
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (7cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
KR Korea Telecom 119.207.65.153 clean
apps.identrust.com
whois
KR Korea Telecom 119.207.65.137 clean
store2.gofile.io
whois
Unknown 31.14.69.10 mailcious
31.14.69.10
whois
Unknown 31.14.69.10 mailcious
121.254.136.57
whois
KR LG DACOM Corporation 121.254.136.57 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure