popup

Report - bghost.exe

UPX PE64 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.28 18:20 Machine s1_win7_x6403
Filename bghost.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
5
 Behavior Score
4.6
ZERO API file : clean
VT API (file) 38 detected (Artemis, Unsafe, Save, malicious, confidence, Coinminer, WinGo, Sysn, czoy, Trickbot, whnqe, ai score=86, ASBOL, GenericMC, Sabsik, score, Static AI, Suspicious PE)
md5 83754fa016cb31ea372d1b3f6c34708d
sha256 3a7e260aec294903b08eb34f2b9a985bd38bd66a409bbb7e58bd8f4e5c3a7806
ssdeep 98304:707adU1jSnaEeCa7TsW74NuCqO8W7W0O+:MadUZEeC2T574NK/Wq4
imphash 6ed4f5f04d62b18d96b26d6db7c18840
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn
  Network IP location

Signature (9cnts)

Level Description
danger File has been identified by 38 AntiVirus engines on VirusTotal as malicious
watch Detects the presence of Wine emulator
watch Installs itself for autorun at Windows startup
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX

Rules (3cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://youbotter.click/stream.php
whois
US DIGITALOCEAN-ASN 167.71.28.113 clean
http://youbotter.click/
whois
US DIGITALOCEAN-ASN 167.71.28.113 clean
youbotter.click
whois
US DIGITALOCEAN-ASN 167.71.28.113 clean
167.71.28.113
whois
US DIGITALOCEAN-ASN 167.71.28.113 clean

Suricata ids

ET USER_AGENTS Go HTTP Client User-Agent

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0xe89028 LoadLibraryA
 0xe89030 ExitProcess
 0xe89038 GetProcAddress
 0xe89040 VirtualProtect

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure