Report - 1170423485.exe

Malicious Packer PE File PE32
Created 2021.10.14 09:53 Machine s1_win7_x6402
Filename 1170423485.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 8.4
ZERO API file: malware
VT API (file) 34 detected (malicious, high confidence, GenericKD, Save, confidence, ZexaF, 8CW@aqtVWZci, GenKryptik, FLWV, FileRepMalware, VirRansom, R + Mal, EncPk, Static AI, Malicious PE, Kryptik, ealnm, ai score=87, KVMH008, kcloud, Sabsik, score, Artemis, Krypt)
md5 7171b247521e630152953ce57aa6908e
sha256 484989aa0548d25d524e8dcbea3e5117e31ec143d8b77aec8945e392ce7c72c8
ssdeep 12288:Li7NzBBOb8tjHQ/is1NyoyAXtogMAAZ9ZjZ4JpK6xpmG:OBBW8tjCiSyAugUHE
imphash 9c27955c0fd954648a90f6dace0af4f9
impfuzzy 12:mDoAPqTEa8QWw9Qoix+7x2X7xd1CQRBB3KH:mDov7WwX2tjCH

Signature (21cnts)

Level Description
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client software
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (3cnts)

Level Name Description Collection
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts)

Request CC ASN Co IP4 Rule ZERO
http://f.komaiasowu.ru/ RU JSC RTComm.RU 81.177.141.85 clean
f.komaiasowu.ru RU JSC RTComm.RU 81.177.141.85 clean
139.99.118.252 CA OVH SAS 139.99.118.252 clean
81.177.141.85 RU JSC RTComm.RU 81.177.141.85 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

kernel32.dll
 0x496a00 GetProcAddress
 0x496a04 LoadLibraryA
 0x496a08 VirtualAlloc
 0x496a0c VirtualProtect
 0x496a10 GetCurrentThread
ole32.dll
 0x496a20 CoFileTimeNow
 0x496a24 CoGetCurrentLogicalThreadId
 0x496a28 CoCreateGuid
 0x496a2c CoFreeUnusedLibraries
 0x496a30 OleInitialize
 0x496a34 CoGetCurrentProcess
 0x496a38 OleUninitialize
 0x496a3c CoGetContextToken
 0x496a40 HICON_UserFree
 0x496a44 OleBuildVersion
msimg32.dll
 0x496a18 vSetDdrawflag
winmm.dll
 0x496a4c midiStreamStop

EAT (Export Address Table) Library

0x4555f6 CreatePaint
