Report - INV.exe

Malicious Library UPX PE32 PE File
ScreenShot
Created 2023.01.28 23:42 Machine s1_win7_x6403
Filename INV.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
AI Score
5
Behavior Score
5.2
ZERO API
VT API (file) 45 detected (malicious, high confidence, GenericKD, Unsafe, Redcap, ABRisk, DRNF, NSISPacker, AGen, InjectorX, iqtst, Loader, Static AI, Suspicious PE, GenKD, Detected, GenShell, qwxpn, ai score=88, Formbook, Casdet, Noon, score, NSISInject, R495658, ZexaF, fqW@aGhmtkei, Lazy, R002H0DAR23, 4WZSEkuvkMG, GdSda)
md5 f5ba8cd2153faf89a84faceabd8c8a50
sha256 d004812639335fc21774851e271241aaead5918a69f978e1aedb6b573b6cca1b
ssdeep 6144:zYa6TIDW7dny8QOUiUK66kWsXlIO+8EJkcln1e5bVaVZlJcG8U:zYKDWA8QOiK65yO+TJkcln1ApSZT9/
imphash 61259b55b8912888e90f516ca08dc514
impfuzzy 48://dKexsvEqY80DoS5rAJKQ9P7+nzFwqQ7/llLHAOe+ztlk4Or8L5Sv0WbX06Uyv3:HdKexJUGKR5U50Pw849
  Network IP location

Signature (11cnts)

Level Description
danger File has been identified by 45 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (38cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.defituesday.com/gbhu/ Unknown 199.59.243.222
http://www.bordain.website/gbhu/?dwq11ePF=Z0JOfegcJus8QT/ga7HhKsxVghDCE41qFhckdElZvPNE+U6wFU3FpNVOM7LfjIcK+KFXTjs52Dx2xmlkwnBEWQpZ+ijccONCTZsjAaQ=&YabdMo=eHFLyxLS9HiIq CA ACP 162.0.216.254
http://www.49138.net/gbhu/?dwq11ePF=WL2v/sGFsFIuAk53tX4v3ozaI9MekZ54iiHcVmD4RVE9irnVRUhCIdhzHcX9OStZFhWObZgZr940JPQfa5eUhFHz/csG7i5yqe9ZH20=&YabdMo=eHFLyxLS9HiIq KH BGPNET Global ASN 143.92.48.236
http://www.bts-exhibition20.com/gbhu/?dwq11ePF=tpqPZatFSWftMZbuFeOnBOSwBNRYNC4bECF+5KuudrHZL+uj6SAhnLM79xl9TgWodfNUMHSE7zon0vuCBBc1ktEpBF17jxL0iiyPMLM=&YabdMo=eHFLyxLS9HiIq Unknown 199.59.243.222
http://www.bobblehead8.com/gbhu/ US BIZLAND-SD 66.96.147.160
http://www.adalexs.com/gbhu/?dwq11ePF=D1b/tXE1wqN7p4mfTi76DPsviRaFjnrtscBWiPbYkZ2JHeEtyHLUC4ibH92W8gaDc10nQ7RDCV1MC1LMji13NdslOWFcPJvVlGENFow=&YabdMo=eHFLyxLS9HiIq US IT7NET 66.112.211.168
http://www.bobblehead8.com/gbhu/?dwq11ePF=meqTUx5kIEeA9O3K+DspA+9TJQ7rWtYm9pdGl178RL9fSiIP48l7cIqKAbR6uI16zGzDWzC2kHM4w1/jD5NrA8QTbIMv2qGMhL2x80Q=&YabdMo=eHFLyxLS9HiIq US BIZLAND-SD 66.96.147.160
http://www.bordain.website/gbhu/ CA ACP 162.0.216.254
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip US Linode, LLC 45.33.6.223
http://www.defituesday.com/gbhu/?dwq11ePF=K8gb+vg3lIj7mLsgY2s/Un2w4+nCuuuuWVhNes+vUVynttvh63W50QdwpB+jXhqV1vb6jBT4NlQZn884uDSkCA0C7jdkyYeP3Sv4iJE=&YabdMo=eHFLyxLS9HiIq Unknown 199.59.243.222
http://www.govcintria.online/gbhu/ LT Hostinger International Limited 2.57.90.16
http://www.actualabaule.com/gbhu/?dwq11ePF=2pxLiO942t5FkFRjNHyAiMW5bHO63rkjCdflxXdQmiqtiPUBqVrUFlO8JTqg/bEqxMzFYZexGJrShELInTuzWAoQXV3U24qzi0sYkgA=&YabdMo=eHFLyxLS9HiIq FR GANDI SAS 217.70.184.50
http://www.govcintria.online/gbhu/?dwq11ePF=dVbA+IXcm1YuOJ1N0YfoPOUPspwoFrMI8eGyv/hTd7M6maCfXa3GNmu+O7MNTYOdhYiwJPdemCWc8/TOWhgps6HIHGnlIWhMsDwJ9t4=&YabdMo=eHFLyxLS9HiIq LT Hostinger International Limited 2.57.90.16
http://www.adalexs.com/gbhu/ US IT7NET 66.112.211.168
http://www.actualabaule.com/gbhu/ FR GANDI SAS 217.70.184.50
http://www.dongshi88.com/gbhu/ CN CHINANET SiChuan Telecom Internet Data Center 211.149.132.144
http://www.49138.net/gbhu/ KH BGPNET Global ASN 143.92.48.236
http://www.dongshi88.com/gbhu/?dwq11ePF=b1ijv7/tEC2PXjxDsbuxsXva2wZ3D1czsA+lhOYVJxZEUWwbEdFBMQFsyzcPw/mr8NXL74lT/Fd9q4Dp8JhY/9JDjuMN4js97XFbSws=&YabdMo=eHFLyxLS9HiIq CN CHINANET SiChuan Telecom Internet Data Center 211.149.132.144
www.adalexs.com US IT7NET 66.112.211.168
www.govcintria.online LT Hostinger International Limited 2.57.90.16
www.bordain.website CA ACP 162.0.216.254
www.defituesday.com Unknown 199.59.243.222
www.dongshi88.com CN CHINANET SiChuan Telecom Internet Data Center 211.149.132.144
www.bts-exhibition20.com Unknown 199.59.243.222
www.sqlite.org US Linode, LLC 45.33.6.223
www.bobblehead8.com US BIZLAND-SD 66.96.147.160
www.actualabaule.com FR GANDI SAS 217.70.184.50
www.49138.net KH BGPNET Global ASN 143.92.48.236
143.92.48.236 KH BGPNET Global ASN 143.92.48.236 clean
211.149.132.144 CN CHINANET SiChuan Telecom Internet Data Center 211.149.132.144
199.59.243.222 Unknown 199.59.243.222 mailcious
104.21.76.77 US CLOUDFLARENET 104.21.76.77
217.70.184.50 FR GANDI SAS 217.70.184.50
66.112.211.168 US IT7NET 66.112.211.168
2.57.90.16 LT Hostinger International Limited 2.57.90.16
162.0.216.254 CA ACP 162.0.216.254
45.33.6.223 US Linode, LLC 45.33.6.223
66.96.147.160 US BIZLAND-SD 66.96.147.160

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x408000 RegCreateKeyExW
 0x408004 RegEnumKeyW
 0x408008 RegQueryValueExW
 0x40800c RegSetValueExW
 0x408010 RegCloseKey
 0x408014 RegDeleteValueW
 0x408018 RegDeleteKeyW
 0x40801c AdjustTokenPrivileges
 0x408020 LookupPrivilegeValueW
 0x408024 OpenProcessToken
 0x408028 SetFileSecurityW
 0x40802c RegOpenKeyExW
 0x408030 RegEnumValueW
SHELL32.dll
 0x408178 SHGetSpecialFolderLocation
 0x40817c SHFileOperationW
 0x408180 SHBrowseForFolderW
 0x408184 SHGetPathFromIDListW
 0x408188 ShellExecuteExW
 0x40818c SHGetFileInfoW
ole32.dll
 0x408298 OleInitialize
 0x40829c OleUninitialize
 0x4082a0 CoCreateInstance
 0x4082a4 IIDFromString
 0x4082a8 CoTaskMemFree
COMCTL32.dll
 0x408038 None
 0x40803c ImageList_Create
 0x408040 ImageList_Destroy
 0x408044 ImageList_AddMasked
USER32.dll
 0x408194 GetClientRect
 0x408198 EndPaint
 0x40819c DrawTextW
 0x4081a0 IsWindowEnabled
 0x4081a4 DispatchMessageW
 0x4081a8 wsprintfA
 0x4081ac CharNextA
 0x4081b0 CharPrevW
 0x4081b4 MessageBoxIndirectW
 0x4081b8 GetDlgItemTextW
 0x4081bc SetDlgItemTextW
 0x4081c0 GetSystemMetrics
 0x4081c4 FillRect
 0x4081c8 AppendMenuW
 0x4081cc TrackPopupMenu
 0x4081d0 OpenClipboard
 0x4081d4 SetClipboardData
 0x4081d8 CloseClipboard
 0x4081dc IsWindowVisible
 0x4081e0 CallWindowProcW
 0x4081e4 GetMessagePos
 0x4081e8 CheckDlgButton
 0x4081ec LoadCursorW
 0x4081f0 SetCursor
 0x4081f4 GetSysColor
 0x4081f8 SetWindowPos
 0x4081fc GetWindowLongW
 0x408200 PeekMessageW
 0x408204 SetClassLongW
 0x408208 GetSystemMenu
 0x40820c EnableMenuItem
 0x408210 GetWindowRect
 0x408214 ScreenToClient
 0x408218 EndDialog
 0x40821c RegisterClassW
 0x408220 SystemParametersInfoW
 0x408224 CreateWindowExW
 0x408228 GetClassInfoW
 0x40822c DialogBoxParamW
 0x408230 CharNextW
 0x408234 ExitWindowsEx
 0x408238 DestroyWindow
 0x40823c CreateDialogParamW
 0x408240 SetTimer
 0x408244 SetWindowTextW
 0x408248 PostQuitMessage
 0x40824c SetForegroundWindow
 0x408250 ShowWindow
 0x408254 wsprintfW
 0x408258 SendMessageTimeoutW
 0x40825c FindWindowExW
 0x408260 IsWindow
 0x408264 GetDlgItem
 0x408268 SetWindowLongW
 0x40826c LoadImageW
 0x408270 GetDC
 0x408274 ReleaseDC
 0x408278 EnableWindow
 0x40827c InvalidateRect
 0x408280 SendMessageW
 0x408284 DefWindowProcW
 0x408288 BeginPaint
 0x40828c EmptyClipboard
 0x408290 CreatePopupMenu
GDI32.dll
 0x40804c SetBkMode
 0x408050 SetBkColor
 0x408054 GetDeviceCaps
 0x408058 CreateFontIndirectW
 0x40805c CreateBrushIndirect
 0x408060 DeleteObject
 0x408064 SetTextColor
 0x408068 SelectObject
KERNEL32.dll
 0x408070 GetExitCodeProcess
 0x408074 WaitForSingleObject
 0x408078 GetModuleHandleA
 0x40807c GetProcAddress
 0x408080 GetSystemDirectoryW
 0x408084 lstrcatW
 0x408088 Sleep
 0x40808c lstrcpyA
 0x408090 WriteFile
 0x408094 GetTempFileNameW
 0x408098 lstrcmpiA
 0x40809c RemoveDirectoryW
 0x4080a0 CreateProcessW
 0x4080a4 CreateDirectoryW
 0x4080a8 GetLastError
 0x4080ac CreateThread
 0x4080b0 GlobalLock
 0x4080b4 GlobalUnlock
 0x4080b8 GetDiskFreeSpaceW
 0x4080bc WideCharToMultiByte
 0x4080c0 lstrcpynW
 0x4080c4 lstrlenW
 0x4080c8 SetErrorMode
 0x4080cc GetVersionExW
 0x4080d0 GetCommandLineW
 0x4080d4 GetTempPathW
 0x4080d8 GetWindowsDirectoryW
 0x4080dc SetEnvironmentVariableW
 0x4080e0 CopyFileW
 0x4080e4 ExitProcess
 0x4080e8 GetCurrentProcess
 0x4080ec GetModuleFileNameW
 0x4080f0 GetFileSize
 0x4080f4 CreateFileW
 0x4080f8 GetTickCount
 0x4080fc MulDiv
 0x408100 SetFileAttributesW
 0x408104 GetFileAttributesW
 0x408108 SetCurrentDirectoryW
 0x40810c MoveFileW
 0x408110 GetFullPathNameW
 0x408114 GetShortPathNameW
 0x408118 SearchPathW
 0x40811c CompareFileTime
 0x408120 SetFileTime
 0x408124 CloseHandle
 0x408128 lstrcmpiW
 0x40812c lstrcmpW
 0x408130 ExpandEnvironmentStringsW
 0x408134 GlobalFree
 0x408138 GlobalAlloc
 0x40813c GetModuleHandleW
 0x408140 LoadLibraryExW
 0x408144 MoveFileExW
 0x408148 FreeLibrary
 0x40814c WritePrivateProfileStringW
 0x408150 GetPrivateProfileStringW
 0x408154 lstrlenA
 0x408158 MultiByteToWideChar
 0x40815c ReadFile
 0x408160 SetFilePointer
 0x408164 FindClose
 0x408168 FindNextFileW
 0x40816c FindFirstFileW
 0x408170 DeleteFileW

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure