popup

Report - razzia.exe

Themida Packer PE64 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.11.01 10:41 Machine s1_win7_x6403
Filename razzia.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
6
 Behavior Score
3.0
ZERO API file : clean
VT API (file) 42 detected (Agentb, trtl, malicious, high confidence, Razy, GenericRI, S22849637, Artemis, Unsafe, Save, Scrop, Eldorado, Themida, L suspicious, CrypterX, Score, qzoyc, kcloud, Phonzy, ClipBanker, ai score=87, R002H0CJU21, Static AI, Malicious PE, susgen)
md5 9b27bb9d633040a01a964d12b40b144f
sha256 b464b774eb8a0f033ded0b5d0765f526cfbb4c38452c13e096f03dc7c8025094
ssdeep 49152:R9z8+aDmD+909PsxiNh1cOvthtWSOgylB2PaQDvZZ0EIp769z6jttfp8g:4ms6sKylAzDvz6Z5p8g
imphash 106f3d3e521ab0377bf478b03f3dd87b
impfuzzy 3:sUx2AEJt/M1KgK32bWmAgYbRA2yLMRMExAnmqMElB:nEJt/MN1bK19ycP3ED
  Network IP location

Signature (6cnts)

Level Description
danger File has been identified by 42 AntiVirus engines on VirusTotal as malicious
watch Tries to unhook Windows functions monitored by Cuckoo
notice Allocates read-write-execute memory (usually to unpack itself)
notice The binary likely contains encrypted or compressed data indicative of a packer
info One or more processes crashed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (3cnts)

Level Name Description Collection
warning themida_packer themida packer binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x14002f108 GetModuleHandleA
USER32.dll
 0x14002f118 DefWindowProcW
SHELL32.dll
 0x14002f128 SHGetSpecialFolderPathW
ole32.dll
 0x14002f138 CoInitializeEx
OLEAUT32.dll
 0x14002f148 VariantInit

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure