Report - 6666.exe

NPKI UPX Malicious Library PE64 PE File
ScreenShot
Created 2021.10.15 18:01 Machine s1_win7_x6402
Filename 6666.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
5
Behavior Score
1.6
ZERO API file : malware
VT API (file) 21 detected (GenericKD, Save, Eldorado, Malicious, Donut, FileRepMalware, Ramnit, Coinminer, E0LE8Y, Sabsik, score, Artemis, ai score=87, Static AI, Suspicious PE, Unsafe, Behavior, susgen)
md5 f95a35e8c3f3f57b3f347bd6c8180bee
sha256 369b61bc5522ec08fe546958192325de94d7f70d4f8c2cee16ec62be03bc54ca
ssdeep 98304:O/0W35kaNtSgmTCNK0pjI5mEL7GDDfPuuGqrrb+OWOkisXb2Da/dqcx2vCNM/:O8SVNtc0KE0oCGfnuI5Kixy26NM
imphash 929562f2e79c9b7ae727e708b0a946bb
impfuzzy 12:sJqGMY58E6PXJfZGoQtXJxZGb9AJcDfA5kLfP9m:oqGJ54VQtXJHc9NDI5Q8
  Network IP location

Signature (4cnts)

Level Description
warning File has been identified by 21 AntiVirus engines on VirusTotal as malicious
notice The binary likely contains encrypted or compressed data indicative of a packer
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (5cnts)

Level Name Description Collection
danger NPKI_Zero File included NPKI binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
pool.hashvault.pro SG PhoenixNAP 131.153.76.130 mailcious
125.253.92.50 AU FireNet Pty Ltd 125.253.92.50 clean

Suricata ids

PE API

IAT(Import Address Table) Library

msvcrt.dll
 0xb4b000 malloc
 0xb4b008 memset
 0xb4b010 _get_pgmptr
 0xb4b018 getenv
 0xb4b020 sprintf
 0xb4b028 __argc
 0xb4b030 __argv
 0xb4b038 _environ
 0xb4b040 _XcptFilter
 0xb4b048 __set_app_type
 0xb4b050 _controlfp
 0xb4b058 __getmainargs
 0xb4b060 exit
kernel32.dll
 0xb4b070 Sleep
 0xb4b078 CreateProcessA
 0xb4b080 SetUnhandledExceptionFilter
kernel32.dll
 0xb4b090 LocalAlloc
 0xb4b098 LocalFree
 0xb4b0a0 GetModuleFileNameW
 0xb4b0a8 GetProcessAffinityMask
 0xb4b0b0 SetProcessAffinityMask
 0xb4b0b8 SetThreadAffinityMask
 0xb4b0c0 Sleep
 0xb4b0c8 ExitProcess
 0xb4b0d0 FreeLibrary
 0xb4b0d8 LoadLibraryA
 0xb4b0e0 GetModuleHandleA
 0xb4b0e8 GetProcAddress
USER32.dll
 0xb4b0f8 GetProcessWindowStation
 0xb4b100 GetUserObjectInformationW

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure