Report - setup.exe

Malicious Library PE32 PE File
Created 2023.03.08 17:40 Machine s1_win7_x6403
Filename setup.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
Behavior Score
6.2
ZERO API file : clean
VT API (file) 33 detected (malicious, high confidence, Jaik, Kryptik, Eldorado, Neoreklami, score, Generic ML PUA, moderate, AGEN, GrayWare, Phonzy, Detected, Artemis, ai score=75, BrowserHijacker, R002H0CC723, CLASSIC, susgen, ZexaF, @xW@aORZnub)
md5 9926000294771eb592dd85d1b894b76e
sha256 8c394e93be7bbdd0af7794c7f247e6c87fc35e03615dba0b9f501abd74b2e66f
ssdeep 196608:91OiFpCxGANsXXTn27YXaYtk/juWqW+T1H0ksf5QvH3w:3OiLCxGesXXTn3KYC/jurW+TijBQPw
imphash 3786a4cf8bfee8b4821db03449141df4
impfuzzy 48:oAUXy6Uy6U0wt8tAkSej5SU/Svn6GK/gRIA+MeQAcj2AqLJf+cYq989ZOwOo0lMr:oAwmdMexcj2rlf+nqSH7b0lMMQj

Signature (11cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
danger File has been identified by 33 AntiVirus engines on VirusTotal as malicious
watch Checks the version of BIOS
watch Communicates with host for which no DNS query was performed
watch Detects VirtualBox using WNetGetProviderName trick
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates executable files on the filesystem
notice Executes one or more WMI queries
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (3cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
23.111.184.154 US HVC-AS 23.111.184.154 malicious

Suricata ids

PE API

IAT(Import Address Table) Library

OLEAUT32.dll
 0x41b190 VariantClear
 0x41b194 SysAllocString
USER32.dll
 0x41b1a4 SendMessageA
 0x41b1a8 SetTimer
 0x41b1ac DialogBoxParamW
 0x41b1b0 DialogBoxParamA
 0x41b1b4 SetWindowLongA
 0x41b1b8 GetWindowLongA
 0x41b1bc SetWindowTextW
 0x41b1c0 LoadIconA
 0x41b1c4 LoadStringW
 0x41b1c8 LoadStringA
 0x41b1cc CharUpperW
 0x41b1d0 CharUpperA
 0x41b1d4 DestroyWindow
 0x41b1d8 EndDialog
 0x41b1dc PostMessageA
 0x41b1e0 ShowWindow
 0x41b1e4 MessageBoxW
 0x41b1e8 GetDlgItem
 0x41b1ec KillTimer
 0x41b1f0 SetWindowTextA
SHELL32.dll
 0x41b19c ShellExecuteExA
KERNEL32.dll
 0x41b000 GetStringTypeW
 0x41b004 GetStringTypeA
 0x41b008 LCMapStringW
 0x41b00c LCMapStringA
 0x41b010 InterlockedIncrement
 0x41b014 InterlockedDecrement
 0x41b018 GetProcAddress
 0x41b01c GetOEMCP
 0x41b020 GetACP
 0x41b024 GetCPInfo
 0x41b028 IsBadCodePtr
 0x41b02c IsBadReadPtr
 0x41b030 GetFileType
 0x41b034 SetHandleCount
 0x41b038 GetEnvironmentStringsW
 0x41b03c GetEnvironmentStrings
 0x41b040 FreeEnvironmentStringsW
 0x41b044 FreeEnvironmentStringsA
 0x41b048 UnhandledExceptionFilter
 0x41b04c HeapSize
 0x41b050 GetCurrentProcess
 0x41b054 TerminateProcess
 0x41b058 IsBadWritePtr
 0x41b05c HeapCreate
 0x41b060 HeapDestroy
 0x41b064 GetEnvironmentVariableA
 0x41b068 SetUnhandledExceptionFilter
 0x41b06c TlsAlloc
 0x41b070 ExitProcess
 0x41b074 GetVersion
 0x41b078 GetCommandLineA
 0x41b07c GetStartupInfoA
 0x41b080 GetModuleHandleA
 0x41b084 WaitForSingleObject
 0x41b088 CloseHandle
 0x41b08c CreateProcessA
 0x41b090 SetCurrentDirectoryA
 0x41b094 GetCommandLineW
 0x41b098 GetVersionExA
 0x41b09c LeaveCriticalSection
 0x41b0a0 EnterCriticalSection
 0x41b0a4 DeleteCriticalSection
 0x41b0a8 MultiByteToWideChar
 0x41b0ac WideCharToMultiByte
 0x41b0b0 GetLastError
 0x41b0b4 LoadLibraryA
 0x41b0b8 AreFileApisANSI
 0x41b0bc GetModuleFileNameA
 0x41b0c0 GetModuleFileNameW
 0x41b0c4 LocalFree
 0x41b0c8 FormatMessageA
 0x41b0cc FormatMessageW
 0x41b0d0 GetWindowsDirectoryA
 0x41b0d4 SetFileTime
 0x41b0d8 CreateFileW
 0x41b0dc SetLastError
 0x41b0e0 SetFileAttributesA
 0x41b0e4 RemoveDirectoryA
 0x41b0e8 SetFileAttributesW
 0x41b0ec RemoveDirectoryW
 0x41b0f0 CreateDirectoryA
 0x41b0f4 CreateDirectoryW
 0x41b0f8 DeleteFileA
 0x41b0fc DeleteFileW
 0x41b100 lstrlenA
 0x41b104 GetFullPathNameA
 0x41b108 GetFullPathNameW
 0x41b10c GetCurrentDirectoryA
 0x41b110 GetTempPathA
 0x41b114 GetTempFileNameA
 0x41b118 FindClose
 0x41b11c FindFirstFileA
 0x41b120 FindFirstFileW
 0x41b124 FindNextFileA
 0x41b128 CreateFileA
 0x41b12c GetFileSize
 0x41b130 SetFilePointer
 0x41b134 ReadFile
 0x41b138 WriteFile
 0x41b13c SetEndOfFile
 0x41b140 GetStdHandle
 0x41b144 WaitForMultipleObjects
 0x41b148 Sleep
 0x41b14c VirtualAlloc
 0x41b150 VirtualFree
 0x41b154 CreateEventA
 0x41b158 SetEvent
 0x41b15c ResetEvent
 0x41b160 InitializeCriticalSection
 0x41b164 RtlUnwind
 0x41b168 RaiseException
 0x41b16c HeapAlloc
 0x41b170 HeapFree
 0x41b174 HeapReAlloc
 0x41b178 CreateThread
 0x41b17c GetCurrentThreadId
 0x41b180 TlsSetValue
 0x41b184 TlsGetValue
 0x41b188 ExitThread

EAT(Export Address Table) is none