Report - 5t6yujh.exe

NPKI Generic Malware Malicious Packer UPX Malicious Library Antivirus PE64 PE File PE32 .NET DLL DLL
ScreenShot
Created 2021.10.11 10:26 Machine s1_win7_x6401
Filename 5t6yujh.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
5
Behavior Score
8.6
ZERO API file : malware
VT API (file) 40 detected (malicious, high confidence, PowerShell, GenericKDZ, Artemis, Unsafe, Save, GoCLR, a variant of WinGo, Bulz, WinGo, gzxxe, Score, 100%, Redcap, ikbih, kcloud, Wacatac, R442164, ai score=81, R002C0WJ921, HackTool, CLASSIC, Static AI, Suspicious PE, confidence)
md5 211ca7c8d5fd20f7dcaebdbe354662be
sha256 aefb4a2472f0517d58cae7e5e0c9c51b4e36b39f6096dbffc6b8cc18d0be7175
ssdeep 49152:sr/U2Wrb/T/vO90dL3BmAFd4A64nsfJ1gBO55+1TEf1q7NOVuZnsm/QBrkdL+DLk:srDnOOWmAQQQQQQQQQQQQQ
imphash c7269d59926fa4252270f407e4dab043
impfuzzy 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6tP:K5O+VAXOmGx0oP
  Network IP location

Signature (20cnts)

Level Description
danger File has been identified by 40 AntiVirus engines on VirusTotal as malicious
watch Creates a suspicious Powershell process
watch Deletes executed files from disk
watch Detects the presence of Wine emulator
watch One or more non-whitelisted processes were created
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Uses Windows APIs to generate a cryptographic key

Rules (14cnts)

Level Name Description Collection
danger NPKI_Zero File included NPKI binaries (download)
danger NPKI_Zero File included NPKI binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info Is_DotNET_DLL (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x97e020 WriteFile
 0x97e028 WriteConsoleW
 0x97e030 WaitForMultipleObjects
 0x97e038 WaitForSingleObject
 0x97e040 VirtualQuery
 0x97e048 VirtualFree
 0x97e050 VirtualAlloc
 0x97e058 SwitchToThread
 0x97e060 SuspendThread
 0x97e068 Sleep
 0x97e070 SetWaitableTimer
 0x97e078 SetUnhandledExceptionFilter
 0x97e080 SetProcessPriorityBoost
 0x97e088 SetEvent
 0x97e090 SetErrorMode
 0x97e098 SetConsoleCtrlHandler
 0x97e0a0 ResumeThread
 0x97e0a8 PostQueuedCompletionStatus
 0x97e0b0 LoadLibraryA
 0x97e0b8 LoadLibraryW
 0x97e0c0 SetThreadContext
 0x97e0c8 GetThreadContext
 0x97e0d0 GetSystemInfo
 0x97e0d8 GetSystemDirectoryA
 0x97e0e0 GetStdHandle
 0x97e0e8 GetQueuedCompletionStatusEx
 0x97e0f0 GetProcessAffinityMask
 0x97e0f8 GetProcAddress
 0x97e100 GetEnvironmentStringsW
 0x97e108 GetConsoleMode
 0x97e110 FreeEnvironmentStringsW
 0x97e118 ExitProcess
 0x97e120 DuplicateHandle
 0x97e128 CreateWaitableTimerExW
 0x97e130 CreateThread
 0x97e138 CreateIoCompletionPort
 0x97e140 CreateFileA
 0x97e148 CreateEventA
 0x97e150 CloseHandle
 0x97e158 AddVectoredExceptionHandler

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure