Report - Fix.exe

UPX, Malicious Library, Admin Tool (Sysinternals etc ...), AntiDebug, AntiVM, OS Processor Check, PE File, PE64, JPEG Format, MSOffice File
Created 2023.03.09 14:47 Machine s1_win7_x6401
Filename Fix.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 2
Behavior Score 6.4
ZERO API
VT API (file) 2 detected (Malicious, score, Probably Heur, RARAutorun)
md5 d543b38b01f033815b048cd17cd658dd
sha256 b8a7a405433e2382aeafcac799e1031cd0ef3016bbfd180f490f37f225ca9584
ssdeep 12288:ZUk6NAQQU+f1ojhDtNXjhlGzVk+0qCNS20ESkJ/H0:2kGXyAfCVp07NS20Ex/H0
imphash 2966f92d157c36f79b35f712e3a60302
impfuzzy 48:J9jOXRpLy1XFjsX1Pfc++6W31YgfbtSXvBiJyX:JdcpLy1XFgX1Pfc++VGGbtSXvBiJyX

Signature (18cnts)

Level Description
watch Communicates with host for which no DNS query was performed
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice File has been identified by 2 AntiVirus engines on VirusTotal as malicious
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Command line console output was observed
info One or more processes crashed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (17cnts)

Level Name Description Collection
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE64 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (70cnts)


Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x14003a000 GetLastError
 0x14003a008 SetLastError
 0x14003a010 FormatMessageW
 0x14003a018 GetCurrentProcess
 0x14003a020 DeviceIoControl
 0x14003a028 SetFileTime
 0x14003a030 CloseHandle
 0x14003a038 CreateDirectoryW
 0x14003a040 RemoveDirectoryW
 0x14003a048 CreateFileW
 0x14003a050 DeleteFileW
 0x14003a058 CreateHardLinkW
 0x14003a060 GetShortPathNameW
 0x14003a068 GetLongPathNameW
 0x14003a070 MoveFileW
 0x14003a078 GetFileType
 0x14003a080 GetStdHandle
 0x14003a088 WriteFile
 0x14003a090 ReadFile
 0x14003a098 FlushFileBuffers
 0x14003a0a0 SetEndOfFile
 0x14003a0a8 SetFilePointer
 0x14003a0b0 GetCurrentProcessId
 0x14003a0b8 SetFileAttributesW
 0x14003a0c0 GetFileAttributesW
 0x14003a0c8 FindClose
 0x14003a0d0 FindFirstFileW
 0x14003a0d8 FindNextFileW
 0x14003a0e0 GetVersionExW
 0x14003a0e8 GetCurrentDirectoryW
 0x14003a0f0 GetFullPathNameW
 0x14003a0f8 FoldStringW
 0x14003a100 GetModuleFileNameW
 0x14003a108 GetModuleHandleW
 0x14003a110 FindResourceW
 0x14003a118 FreeLibrary
 0x14003a120 GetProcAddress
 0x14003a128 ExitProcess
 0x14003a130 SetThreadExecutionState
 0x14003a138 Sleep
 0x14003a140 LoadLibraryW
 0x14003a148 GetSystemDirectoryW
 0x14003a150 CompareStringW
 0x14003a158 AllocConsole
 0x14003a160 FreeConsole
 0x14003a168 AttachConsole
 0x14003a170 WriteConsoleW
 0x14003a178 GetProcessAffinityMask
 0x14003a180 CreateThread
 0x14003a188 SetThreadPriority
 0x14003a190 InitializeCriticalSection
 0x14003a198 EnterCriticalSection
 0x14003a1a0 LeaveCriticalSection
 0x14003a1a8 DeleteCriticalSection
 0x14003a1b0 SetEvent
 0x14003a1b8 ResetEvent
 0x14003a1c0 ReleaseSemaphore
 0x14003a1c8 WaitForSingleObject
 0x14003a1d0 CreateEventW
 0x14003a1d8 CreateSemaphoreW
 0x14003a1e0 GetSystemTime
 0x14003a1e8 SystemTimeToTzSpecificLocalTime
 0x14003a1f0 TzSpecificLocalTimeToSystemTime
 0x14003a1f8 SystemTimeToFileTime
 0x14003a200 FileTimeToLocalFileTime
 0x14003a208 LocalFileTimeToFileTime
 0x14003a210 FileTimeToSystemTime
 0x14003a218 GetCPInfo
 0x14003a220 IsDBCSLeadByte
 0x14003a228 MultiByteToWideChar
 0x14003a230 WideCharToMultiByte
 0x14003a238 GlobalAlloc
 0x14003a240 LockResource
 0x14003a248 GlobalLock
 0x14003a250 GlobalUnlock
 0x14003a258 GlobalFree
 0x14003a260 LoadResource
 0x14003a268 SizeofResource
 0x14003a270 SetCurrentDirectoryW
 0x14003a278 GetTimeFormatW
 0x14003a280 GetDateFormatW
 0x14003a288 GetExitCodeProcess
 0x14003a290 GetLocalTime
 0x14003a298 GetTickCount
 0x14003a2a0 MapViewOfFile
 0x14003a2a8 UnmapViewOfFile
 0x14003a2b0 CreateFileMappingW
 0x14003a2b8 OpenFileMappingW
 0x14003a2c0 GetCommandLineW
 0x14003a2c8 SetEnvironmentVariableW
 0x14003a2d0 ExpandEnvironmentStringsW
 0x14003a2d8 GetTempPathW
 0x14003a2e0 MoveFileExW
 0x14003a2e8 GetLocaleInfoW
 0x14003a2f0 GetNumberFormatW
 0x14003a2f8 SetFilePointerEx
 0x14003a300 GetConsoleMode
 0x14003a308 GetConsoleCP
 0x14003a310 HeapSize
 0x14003a318 SetStdHandle
 0x14003a320 GetProcessHeap
 0x14003a328 FreeEnvironmentStringsW
 0x14003a330 GetEnvironmentStringsW
 0x14003a338 GetCommandLineA
 0x14003a340 GetOEMCP
 0x14003a348 IsValidCodePage
 0x14003a350 RaiseException
 0x14003a358 GetSystemInfo
 0x14003a360 VirtualProtect
 0x14003a368 VirtualQuery
 0x14003a370 LoadLibraryExA
 0x14003a378 RtlCaptureContext
 0x14003a380 RtlLookupFunctionEntry
 0x14003a388 RtlVirtualUnwind
 0x14003a390 IsDebuggerPresent
 0x14003a398 UnhandledExceptionFilter
 0x14003a3a0 SetUnhandledExceptionFilter
 0x14003a3a8 GetStartupInfoW
 0x14003a3b0 IsProcessorFeaturePresent
 0x14003a3b8 QueryPerformanceCounter
 0x14003a3c0 GetCurrentThreadId
 0x14003a3c8 GetSystemTimeAsFileTime
 0x14003a3d0 InitializeSListHead
 0x14003a3d8 LocalFree
 0x14003a3e0 RtlUnwindEx
 0x14003a3e8 RtlPcToFileHeader
 0x14003a3f0 EncodePointer
 0x14003a3f8 InitializeCriticalSectionAndSpinCount
 0x14003a400 TlsAlloc
 0x14003a408 TlsGetValue
 0x14003a410 TlsSetValue
 0x14003a418 TlsFree
 0x14003a420 LoadLibraryExW
 0x14003a428 TerminateProcess
 0x14003a430 QueryPerformanceFrequency
 0x14003a438 GetModuleHandleExW
 0x14003a440 GetModuleFileNameA
 0x14003a448 GetACP
 0x14003a450 HeapFree
 0x14003a458 HeapReAlloc
 0x14003a460 HeapAlloc
 0x14003a468 GetStringTypeW
 0x14003a470 LCMapStringW
 0x14003a478 FindFirstFileExA
 0x14003a480 FindNextFileA
OLEAUT32.dll
 0x14003a490 SysAllocString
 0x14003a498 SysFreeString
 0x14003a4a0 VariantClear
gdiplus.dll
 0x14003a4b0 GdipCloneImage
 0x14003a4b8 GdipFree
 0x14003a4c0 GdipDisposeImage
 0x14003a4c8 GdipCreateBitmapFromStream
 0x14003a4d0 GdipCreateHBITMAPFromBitmap
 0x14003a4d8 GdiplusStartup
 0x14003a4e0 GdiplusShutdown
 0x14003a4e8 GdipAlloc

EAT (Export Address Table) Library



Similarity measure (PE file only) - Checking for service failure