Report - DefendUpdate.exe

PE File PE64
ScreenShot
Created 2023.03.09 09:57 Machine s1_win7_x6403
Filename DefendUpdate.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
6
Behavior Score
1.8
ZERO API file : clean
VT API (file) 21 detected (malicious, moderate confidence, score, Save, confidence, Eldorado, Attribute, HighConfidence, a variant of WinGo, Goback, FileRepMalware, QQPass, QQRob, Yolw, moderate, WinGo, AGEN, Sabsik, Detected, unsafe, susgen)
md5 bbabecb60a7d91dc4b01da5359280b92
sha256 b02a4cdd494c1e0963f824ecaf7d676f3c1572be89ddd7e89c79b5f16bdebd94
ssdeep 98304:hJMf8K1TFdBNgfXxLePYQ0QPkP3dOpd0Yp0uORyyStn2Bq77F46X:XMf8cTFLeZLSBFPSdOpV0HRyqBy7F4M
imphash 9aebf3da4677af9275c461261e5abde3
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRGUq:dBJAEoZ/OEGDzyRs
  Network IP location

Signature (4cnts)

Level Description
warning File has been identified by 21 AntiVirus engines on VirusTotal as malicious
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info One or more processes crashed

Rules (2cnts)

Level Name Description Collection
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x125e03c LoadLibraryA
 0x125e044 ExitProcess
 0x125e04c GetProcAddress
 0x125e054 VirtualProtect
msvcrt.dll
 0x125e064 exit

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure