Report - Server_se.exe

UPX Malicious Library Anti_VM Downloader Malicious Packer PE32 OS Processor Check PE File
ScreenShot
Created 2022.10.10 19:27 Machine s1_win7_x6401
Filename Server_se.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
8
Behavior Score
9.0
ZERO API file : malware
VT API (file) 55 detected (AIDetect, malware1, lIx9, Symmi, Unsafe, Save, NoobyProtect, malicious, ABRisk, YHQG, Attribute, HighConfidence, high confidence, M suspicious, score, Farfli, cejj, jsxwrl, MalwareX, Osmw, Amtar, KNB@4wlm66, Siggen2, R002C0DJ722, high, Generic ML PUA, Static AI, Malicious PE, AGEN, ai score=85, ASBOL, kcloud, Tnega, Detected, R514498, TpoaHBHYiZI, ZexaF, 3uW@aiSjXkej, confidence, 100%)
md5 53460de37325b4979177f832ae51f9de
sha256 bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1
ssdeep 24576:7stUx5NK+HjoSIIJ2thqogNSNOKt5apf7xesN7:gtIS+dJgRkSNO0Qpow
imphash 320ffb3ead7d13ea9d4a4b7814c6523f
impfuzzy 3:sU9KTXz5NAHWbW6LlKKySoMfAE/yVcJUNQZn23S/KnA1MJuE9SX1Atd9CA:HGDTLb+ZSZoEa2WWZn2yILe1IqA
  Network IP location

Signature (18cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 55 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a service
notice Creates executable files on the filesystem
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info One or more processes crashed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (8cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch Network_Downloader File Downloader binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://47.93.60.63:8000/exploror.exe CN Hangzhou Alibaba Advertising Co.,Ltd. 47.93.60.63 malware
106.52.15.123 CN Shenzhen Tencent Computer Systems Company Limited 106.52.15.123 malware
121.4.98.100 Unknown 121.4.98.100 malware
47.93.60.63 CN Hangzhou Alibaba Advertising Co.,Ltd. 47.93.60.63 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x526196 GetProcAddress
SHELL32.dll
 0x5261a2 ShellExecuteA
urlmon.dll
 0x5261ae URLDownloadToFileA
MSVCRT.dll
 0x5261ba strncpy
IPHLPAPI.DLL
 0x5261c6 GetInterfaceInfo
PSAPI.DLL
 0x5261d2 GetMappedFileNameW
USER32.dll
 0x5261de GetWindow
ADVAPI32.dll
 0x5261ea RegDeleteKeyA

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure