Report - 126808361.exe

PE File PE32
Created 2021.10.28 11:17 Machine s1_win7_x6401
Filename 126808361.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
10
Behavior Score
6.2
ZERO API file : clean
VT API (file) 28 detected (malicious, high confidence, Fragtor, Unsafe, Save, Kryptik, HNCG, FileRepMalware, MultiPlug, BadFile, Generic ML PUA, ai score=81, kcloud, RedLine, score, Artemis, MachineLearning, Anomalous, 100%, Static AI, Malicious PE, ZexaF, 5KW@aSVbJHd, susgen)
md5 8c957f8e5cc91f649891254901d6293c
sha256 c420ffaab541b742acd48873edeabb1c6eb77da5d6f681a5b0cde5f8a05ca05f
ssdeep 12288:S9ZYr+ZqaSl92B8pIvJkKPGUiPe+TulJb8HycygMN8W7s1gEPcJkI09y//Ccemta:SX6iqrWkKeUiPekogN2s7fI09y//cmg
imphash 835da68f7e7e29ef9a08f899d20e0925
impfuzzy 24:8fCejrOov1lDIcLVr+X53XZxr9WNOqz2GMZO:8fCCaVc5KXlJeNOqz2GJ

Signature (16cnts)

Level Description
warning File has been identified by 28 AntiVirus engines on VirusTotal as malicious
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local FTP client software
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (2cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
65.108.14.118 US ALABANZA-BALT 65.108.14.118 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x744130 DeleteCriticalSection
 0x744134 EnterCriticalSection
 0x744138 ExitProcess
 0x74413c FindClose
 0x744140 FindFirstFileA
 0x744144 FindNextFileA
 0x744148 FreeLibrary
 0x74414c GetCommandLineA
 0x744150 GetLastError
 0x744154 GetModuleHandleA
 0x744158 GetProcAddress
 0x74415c InitializeCriticalSection
 0x744160 LeaveCriticalSection
 0x744164 LoadLibraryA
 0x744168 SetUnhandledExceptionFilter
 0x74416c TlsGetValue
 0x744170 VirtualProtect
 0x744174 VirtualQuery
msvcrt.dll
 0x74417c _strdup
 0x744180 _stricoll
msvcrt.dll
 0x744188 __getmainargs
 0x74418c __mb_cur_max
 0x744190 __p__environ
 0x744194 __p__fmode
 0x744198 __set_app_type
 0x74419c _cexit
 0x7441a0 _errno
 0x7441a4 _fmode
 0x7441a8 _fpreset
 0x7441ac _fullpath
 0x7441b0 _iob
 0x7441b4 _isctype
 0x7441b8 _onexit
 0x7441bc _pctype
 0x7441c0 _setmode
 0x7441c4 abort
 0x7441c8 atexit
 0x7441cc calloc
 0x7441d0 free
 0x7441d4 fwrite
 0x7441d8 malloc
 0x7441dc mbstowcs
 0x7441e0 memcpy
 0x7441e4 memset
 0x7441e8 realloc
 0x7441ec setlocale
 0x7441f0 signal
 0x7441f4 strcoll
 0x7441f8 strcpy
 0x7441fc strlen
 0x744200 tolower
 0x744204 vfprintf
 0x744208 wcstombs

EAT (Export Address Table): none