Report - build.exe

Malicious Packer VMProtect Malicious Library PE64 PE File
Created 2021.10.28 17:58 Machine s1_win7_x6403
Filename build.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
5
Behavior Score
5.0
ZERO API file : clean
VT API (file) 40 detected (Inject4, GenericKD, Unsafe, Save, malicious, VMProtect, Donut, MdeClass, susgen, Redcap, zgabd, ai score=85, Casdet, score, Artemis, Dzjv, Static AI, Malicious PE, Behavior, confidence)
md5 819b826a61cbd9a90c575078f2247468
sha256 838c7b29f0b0bb5d3e5f30742c29152db74f80b78a18eca46d82b28bb5ebe051
ssdeep 98304:g4ahOMDVLhQyFd6cLSDqYXVXSDLKLjtHApPM3yt1UvVwmEIcrT:SVKyFd6cG2OSkjl+PqcV
imphash 1646e9ecb30081fbb2ba264e7396624b
impfuzzy 12:EmtE6nwfP9qZGoQtXJxZGb9AJcDfA5kLfP9m:XtE6waQtXJHc9NDI5Q8

Signature (10cnts)

Level Description
danger File has been identified by 40 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Manipulates memory of a non-child process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (5cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch VMProtect_Zero VMProtect packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (7cnts)

Request CC ASN Co IP4 Rule ZERO
https://raw.githubusercontent.com/UnamSanctam/SilentETHMiner/master/SilentETHMiner/Resources/ethminer.zip US FASTLY 185.199.108.133 malware
https://github.com/UnamSanctam/SilentETHMiner/raw/master/SilentETHMiner/Resources/ethminer.zip KR AMAZON-02 52.78.231.108 2610 malicious
github.com KR AMAZON-02 52.78.231.108 malicious
raw.githubusercontent.com US FASTLY 185.199.110.133 malware
sanctam.net Unknown malicious
52.78.231.108 KR AMAZON-02 52.78.231.108 malware
185.199.108.133 US FASTLY 185.199.108.133 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

msvcrt.dll
 0xa70000 strlen
kernel32.dll
 0xa70010 Sleep
ntdll.dll
 0xa70020 NtAllocateVirtualMemory
WTSAPI32.dll
 0xa70030 WTSSendMessageW
kernel32.dll
 0xa70040 GetSystemTimeAsFileTime
USER32.dll
 0xa70050 GetUserObjectInformationW
kernel32.dll
 0xa70060 LocalAlloc
 0xa70068 LocalFree
 0xa70070 GetModuleFileNameW
 0xa70078 GetProcessAffinityMask
 0xa70080 SetProcessAffinityMask
 0xa70088 SetThreadAffinityMask
 0xa70090 Sleep
 0xa70098 ExitProcess
 0xa700a0 FreeLibrary
 0xa700a8 LoadLibraryA
 0xa700b0 GetModuleHandleA
 0xa700b8 GetProcAddress
USER32.dll
 0xa700c8 GetProcessWindowStation
 0xa700d0 GetUserObjectInformationW

EAT (Export Address Table): none
