popup

Report - note866.exe

Malicious Library UPX PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.26 14:41 Machine s1_win7_x6401
Filename note866.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
AI Score
3
 Behavior Score
6.2
ZERO API file : clean
VT API (file) 37 detected (Passteal, GenericKD, Artemis, Unsafe, TrojanPSW, malicious, Eldorado, Attribute, HighConfidence, DownLoader43, ai score=84, Sabsik, score, R445505, ZexaF, ck0aaSLsSZl, PasswordStealer, GdSda, R002H0DJO21, PWSX)
md5 77294635b863561ecd6267711c5222a2
sha256 b1dd835c2d5caae422469d55c05823f95f649829db8ed2dddc3a4f3e5a228b28
ssdeep 49152:ASXSNLA7IvAVurnKd1MZLGSUs0f/i+94vR0NN:ASD0YVurnKd1MZrUHfK+UR
imphash 09d0478591d4f788cb3e5ea416c25237
impfuzzy 3:swBJAEPwS9KTXzhAXwEBJJ67EGVn:dBJAEHGDymVn
  Network IP location

Signature (14cnts)

Level Description
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch Disables proxy possibly for traffic interception
notice Allocates read-write-execute memory (usually to unpack itself)
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info One or more processes crashed
info The executable uses a known packer
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://186.2.171.3/seemorebty/il.php?e=note866
whois
Unknown 186.2.171.3 4715 mailcious
https://iplogger.org/ZdUWq
whois
DE Hetzner Online GmbH 88.99.66.31 clean
iplogger.org
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
186.2.171.3
whois
Unknown 186.2.171.3 mailcious
88.99.66.31
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x9621f0 LoadLibraryA
 0x9621f4 GetProcAddress
 0x9621f8 VirtualAlloc
 0x9621fc VirtualFree

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure