Report - WW2.exe

Tags: Generic Malware, Malicious Library, UPX, PE32, OS Processor Check, PE File
Created 2023.02.12 15:05 Machine s1_win7_x6401
Filename WW2.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 1
Behavior Score 5.8
ZERO API file : malware
VT API (file) 42 detected (Mint, PrivateLoader, Artemis, Unsafe, Vzn3, Nekark, malicious, confidence, 100%, Attribute, HighConfidence, Windows, ADGH, score, PWSX, Jtgl, DownLoader45, YXDBKZ, jtxwk, ai score=89, Wacatac, kcloud, Casdet, ZexaF, tw0@aOND2PkQ, BScope, TrojanPSW, Arkei, WDDisabler, CLASSIC, susgen)
md5 6cc7d9664c1a89c58549e57b5959bb38
sha256 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4
ssdeep 49152:kHEP1Ytp7MnOYoH7NzvsfZHXlIZELxmuY88jIvnPojMuHmsMtTQpw:GEPuBSONzvsfZ3eCxmQ8cWmsM
imphash 02951e73b23a430852958a5fac567566
impfuzzy 96:/mX3QbcGtpxWtv746AJ1wtLCW/DGg5KzF0:oGYtv7QJEd

Signature (11cnts)

Level Description
danger File has been identified by 42 AntiVirus engines on VirusTotal as malicious
danger Disables Windows Security features
watch Communicates with host for which no DNS query was performed
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates hidden or system file
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info Checks if process is being debugged by a debugger

Rules (6cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (16cnts)

Request CC ASN Co IP4 Rule ZERO
http://apps.identrust.com/roots/dstrootcax3.p7c US CCCH-3 23.43.165.66 clean
http://www.maxmind.com/geoip/v2.1/city/me US CLOUDFLARENET 104.17.215.67 clean
http://23.254.227.214/api/tracemap.php US HOSTWINDS 23.254.227.214 26616 malicious
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self US CLOUDFLARENET 172.67.75.166 clean
https://db-ip.com/ US CLOUDFLARENET 172.67.75.166 clean
apps.identrust.com US CCCH-3 23.43.165.105 clean
api.db-ip.com US CLOUDFLARENET 104.26.5.15 clean
db-ip.com US CLOUDFLARENET 104.26.5.15 clean
ipinfo.io US GOOGLE 34.117.59.81 clean
www.maxmind.com US CLOUDFLARENET 104.17.214.67 clean
172.217.175.68 US GOOGLE 172.217.175.68 clean
23.254.227.214 US HOSTWINDS 23.254.227.214 malicious
172.67.75.166 US CLOUDFLARENET 172.67.75.166 clean
121.254.136.27 KR LG DACOM Corporation 121.254.136.27 clean
34.117.59.81 US GOOGLE 34.117.59.81 clean
104.17.214.67 US CLOUDFLARENET 104.17.214.67 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x603020 InitializeCriticalSectionEx
 0x603024 lstrlenA
 0x603028 lstrcatA
 0x60302c GetModuleHandleA
 0x603030 SetCurrentDirectoryA
 0x603034 Sleep
 0x603038 GetModuleHandleExA
 0x60303c GetFileAttributesA
 0x603040 GetBinaryTypeA
 0x603044 QueryFullProcessImageNameA
 0x603048 GetSystemDirectoryA
 0x60304c GlobalAlloc
 0x603050 lstrcpyA
 0x603054 SetFileAttributesA
 0x603058 VerSetConditionMask
 0x60305c WideCharToMultiByte
 0x603060 VerifyVersionInfoW
 0x603064 GetSystemTimeAsFileTime
 0x603068 HeapFree
 0x60306c HeapAlloc
 0x603070 GetProcAddress
 0x603074 lstrcpynA
 0x603078 GetProcessHeap
 0x60307c AreFileApisANSI
 0x603080 TryEnterCriticalSection
 0x603084 HeapCreate
 0x603088 EnterCriticalSection
 0x60308c GetFullPathNameW
 0x603090 GetDiskFreeSpaceW
 0x603094 OutputDebugStringA
 0x603098 LockFile
 0x60309c LeaveCriticalSection
 0x6030a0 InitializeCriticalSection
 0x6030a4 GetFullPathNameA
 0x6030a8 SetEndOfFile
 0x6030ac FindClose
 0x6030b0 GetTempPathW
 0x6030b4 CreateMutexW
 0x6030b8 WaitForSingleObject
 0x6030bc GetFileAttributesW
 0x6030c0 GetCurrentThreadId
 0x6030c4 UnmapViewOfFile
 0x6030c8 HeapValidate
 0x6030cc HeapSize
 0x6030d0 MultiByteToWideChar
 0x6030d4 GetTempPathA
 0x6030d8 FormatMessageW
 0x6030dc GetDiskFreeSpaceA
 0x6030e0 GetFileAttributesExW
 0x6030e4 OutputDebugStringW
 0x6030e8 FlushViewOfFile
 0x6030ec LoadLibraryA
 0x6030f0 WaitForSingleObjectEx
 0x6030f4 DeleteFileA
 0x6030f8 DeleteFileW
 0x6030fc HeapReAlloc
 0x603100 GetSystemInfo
 0x603104 LoadLibraryW
 0x603108 HeapCompact
 0x60310c HeapDestroy
 0x603110 UnlockFile
 0x603114 LocalFree
 0x603118 LockFileEx
 0x60311c GetFileSize
 0x603120 DeleteCriticalSection
 0x603124 GetCurrentProcessId
 0x603128 SystemTimeToFileTime
 0x60312c FreeLibrary
 0x603130 GetSystemTime
 0x603134 FormatMessageA
 0x603138 CreateFileMappingW
 0x60313c MapViewOfFile
 0x603140 QueryPerformanceCounter
 0x603144 GetTickCount
 0x603148 FlushFileBuffers
 0x60314c WriteConsoleW
 0x603150 CloseHandle
 0x603154 CreateFileA
 0x603158 GetLastError
 0x60315c CreateFileW
 0x603160 SetFilePointer
 0x603164 WriteFile
 0x603168 UnlockFileEx
 0x60316c ReadFile
 0x603170 SetEnvironmentVariableW
 0x603174 FreeEnvironmentStringsW
 0x603178 GetEnvironmentStringsW
 0x60317c GetCommandLineW
 0x603180 GetCommandLineA
 0x603184 GetOEMCP
 0x603188 GetACP
 0x60318c UnhandledExceptionFilter
 0x603190 SetUnhandledExceptionFilter
 0x603194 GetCurrentProcess
 0x603198 TerminateProcess
 0x60319c IsProcessorFeaturePresent
 0x6031a0 InitializeSListHead
 0x6031a4 InitializeCriticalSectionAndSpinCount
 0x6031a8 SetEvent
 0x6031ac ResetEvent
 0x6031b0 CreateEventW
 0x6031b4 GetModuleHandleW
 0x6031b8 IsDebuggerPresent
 0x6031bc GetStartupInfoW
 0x6031c0 CreateDirectoryW
 0x6031c4 FindFirstFileExW
 0x6031c8 FindNextFileW
 0x6031cc SetFilePointerEx
 0x6031d0 GetFileInformationByHandleEx
 0x6031d4 QueryPerformanceFrequency
 0x6031d8 LCMapStringEx
 0x6031dc EncodePointer
 0x6031e0 DecodePointer
 0x6031e4 GetCPInfo
 0x6031e8 GetStringTypeW
 0x6031ec SetLastError
 0x6031f0 GetThreadTimes
 0x6031f4 GetCurrentThread
 0x6031f8 InterlockedPushEntrySList
 0x6031fc RaiseException
 0x603200 RtlUnwind
 0x603204 TlsAlloc
 0x603208 TlsGetValue
 0x60320c TlsSetValue
 0x603210 TlsFree
 0x603214 LoadLibraryExW
 0x603218 GetFileType
 0x60321c ExitProcess
 0x603220 GetModuleHandleExW
 0x603224 CreateThread
 0x603228 ExitThread
 0x60322c FreeLibraryAndExitThread
 0x603230 GetModuleFileNameW
 0x603234 GetStdHandle
 0x603238 GetConsoleMode
 0x60323c ReadConsoleW
 0x603240 GetConsoleOutputCP
 0x603244 SetStdHandle
 0x603248 CompareStringW
 0x60324c LCMapStringW
 0x603250 GetLocaleInfoW
 0x603254 IsValidLocale
 0x603258 GetUserDefaultLCID
 0x60325c EnumSystemLocalesW
 0x603260 GetFileSizeEx
 0x603264 GetTimeZoneInformation
 0x603268 IsValidCodePage
 0x60326c VirtualQuery
USER32.dll
 0x60327c CharNextA
ADVAPI32.dll
 0x603000 RegCloseKey
 0x603004 RegCreateKeyExA
 0x603008 RegSetValueExA
 0x60300c OpenProcessToken
 0x603010 RegOpenKeyExA
 0x603014 GetTokenInformation
 0x603018 CryptReleaseContext
SHELL32.dll
 0x603274 ShellExecuteA
ole32.dll
 0x603284 CoCreateInstance
 0x603288 CoInitializeEx
 0x60328c CoUninitialize

EAT (Export Address Table): none

Similarity measure (PE file only) - Checking for service failure