popup

Report - clapp.exe

Malicious Library UPX AntiDebug AntiVM PE File OS Processor Check PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.11.01 11:10 Machine s1_win7_x6401
Filename clapp.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
 Behavior Score
10.8
ZERO API file : clean
VT API (file) 32 detected (AIDetect, malware1, malicious, high confidence, Fragtor, Artemis, Unsafe, Save, Hacktool, ZexaF, qu0@a09KQhiG, Kryptik, Eldorado, ET#98%, RDMK, cmRtazoRi3ADv7SS0urz, npR3KnQ, A + Troj, Krypt, Static AI, Malicious PE, ai score=80, Sabsik, score, confidence, 100%, susgen)
md5 41160c159e96fe0d09c15781bd7584c4
sha256 72edd23e253d4ed4363dbb87bee25cffc5fbaa54b810f2cf49c41bfca33034dd
ssdeep 6144:HF0IFkOPIaMvYUfB8Xro7PGW5LQHDGxhaYwG:HhkOwamYUpIrIQAhaYp
imphash 1210cf02f8d064f4badb4fa45c342472
impfuzzy 24:/u9Eq+fmkX+ZGIIFDSInZj1OovAdlmIlyv9fcjtulgJ3ISVGSUjMy7Tn:FF+MOtJK9fcjtue7kSMT
  Network IP location

Signature (25cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 32 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Executes one or more WMI queries which can be used to identify virtual machines
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (13cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
185.215.113.29
whois
Unknown 185.215.113.29 mailcious

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 25

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x433000 HeapReAlloc
 0x433004 FindVolumeClose
 0x433008 FindFirstChangeNotificationW
 0x43300c FindResourceExW
 0x433010 HeapAlloc
 0x433014 EndUpdateResourceW
 0x433018 SetEnvironmentVariableW
 0x43301c GetEnvironmentStringsW
 0x433020 SetConsoleScreenBufferSize
 0x433024 AddConsoleAliasW
 0x433028 SetEvent
 0x43302c SleepEx
 0x433030 GetTickCount
 0x433034 GetProcessHeap
 0x433038 FindActCtxSectionStringA
 0x43303c GlobalAlloc
 0x433040 InitAtomTable
 0x433044 FindNextVolumeW
 0x433048 GetTapePosition
 0x43304c WriteConsoleW
 0x433050 GetMailslotInfo
 0x433054 GetModuleFileNameW
 0x433058 CreateActCtxA
 0x43305c BindIoCompletionCallback
 0x433060 GetProcAddress
 0x433064 VirtualAlloc
 0x433068 BeginUpdateResourceW
 0x43306c GetAtomNameA
 0x433070 LoadLibraryA
 0x433074 GetModuleFileNameA
 0x433078 GetProcessAffinityMask
 0x43307c TlsFree
 0x433080 lstrcpyA
 0x433084 CreateFileW
 0x433088 ReadFile
 0x43308c DecodePointer
 0x433090 EncodePointer
 0x433094 GetCommandLineA
 0x433098 HeapSetInformation
 0x43309c GetStartupInfoW
 0x4330a0 RaiseException
 0x4330a4 GetLastError
 0x4330a8 HeapFree
 0x4330ac IsProcessorFeaturePresent
 0x4330b0 WideCharToMultiByte
 0x4330b4 SetHandleCount
 0x4330b8 GetStdHandle
 0x4330bc InitializeCriticalSectionAndSpinCount
 0x4330c0 GetFileType
 0x4330c4 DeleteCriticalSection
 0x4330c8 EnterCriticalSection
 0x4330cc LeaveCriticalSection
 0x4330d0 UnhandledExceptionFilter
 0x4330d4 SetUnhandledExceptionFilter
 0x4330d8 IsDebuggerPresent
 0x4330dc TerminateProcess
 0x4330e0 GetCurrentProcess
 0x4330e4 RtlUnwind
 0x4330e8 SetFilePointer
 0x4330ec TlsAlloc
 0x4330f0 TlsGetValue
 0x4330f4 TlsSetValue
 0x4330f8 InterlockedIncrement
 0x4330fc GetModuleHandleW
 0x433100 SetLastError
 0x433104 GetCurrentThreadId
 0x433108 InterlockedDecrement
 0x43310c CloseHandle
 0x433110 ExitProcess
 0x433114 WriteFile
 0x433118 FreeEnvironmentStringsW
 0x43311c HeapCreate
 0x433120 QueryPerformanceCounter
 0x433124 GetCurrentProcessId
 0x433128 GetSystemTimeAsFileTime
 0x43312c GetConsoleCP
 0x433130 GetConsoleMode
 0x433134 GetCPInfo
 0x433138 GetACP
 0x43313c GetOEMCP
 0x433140 IsValidCodePage
 0x433144 Sleep
 0x433148 CreateFileA
 0x43314c SetStdHandle
 0x433150 FlushFileBuffers
 0x433154 HeapSize
 0x433158 LoadLibraryW
 0x43315c MultiByteToWideChar
 0x433160 LCMapStringW
 0x433164 GetStringTypeW
 0x433168 SetEndOfFile
USER32.dll
 0x433170 SetCursorPos

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure