popup

Report - crocin.exe

Themida Packer PE64 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.29 09:13 Machine s1_win7_x6401
Filename crocin.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
6
 Behavior Score
2.8
ZERO API file : clean
VT API (file) 32 detected (malicious, high confidence, Razy, GenericRI, S22849637, Unsafe, Save, Eldorado, Themida, L suspicious, Scrop, CrypterX, Generic ML PUA, Wacatac, score, ClipBanker, ai score=85, Static AI, Suspicious PE, susgen, confidence)
md5 db030d5044011041bfb6d1a919337459
sha256 1d474be0d30da87fbbac1327ba1bd70441aa8d9d0454e15ca460968a2838a49c
ssdeep 98304:rOwU1jjLN0mjD0VIKHpEm0QAD85cQw5FX:o0K0bpEmAD85g5N
imphash 106f3d3e521ab0377bf478b03f3dd87b
impfuzzy 3:sUx2AEJt/M1KgK32bWmAgYbRA2yLMRMExAnmqMElB:nEJt/MN1bK19ycP3ED
  Network IP location

Signature (6cnts)

Level Description
danger File has been identified by 32 AntiVirus engines on VirusTotal as malicious
watch Tries to unhook Windows functions monitored by Cuckoo
notice Allocates read-write-execute memory (usually to unpack itself)
notice The binary likely contains encrypted or compressed data indicative of a packer
info One or more processes crashed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (3cnts)

Level Name Description Collection
warning themida_packer themida packer binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x14002f108 GetModuleHandleA
USER32.dll
 0x14002f118 DefWindowProcW
SHELL32.dll
 0x14002f128 SHGetSpecialFolderPathW
ole32.dll
 0x14002f138 CoInitializeEx
OLEAUT32.dll
 0x14002f148 VariantInit

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure