Report - 91.exe

Tags: NPKI, UPX, Malicious Library, OS Processor Check, PE64, PE File
Created 2023.03.17 07:36 Machine s1_win7_x6401
Filename 91.exe
Type PE32+ executable (console) x86-64, for MS Windows
AI Score 1
Behavior Score 6.4
ZERO API file : malware
VT API (file) 37 detected (malicious, high confidence, GenericKD, Artemis, Aurora, Vdwx, confidence, 100%, Attribute, HighConfidence, a variant of Generik, CKYFYFJ, score, Coins, PWSX, QQPass, QQRob, Aujl, AURORASTEALER, YXDCOZ, Generic ML PUA, Casdet, AGEN, ai score=86, Sabsik, Malware@#2zq6fhhfnv2i9, Detected, Undefined, hm8XUiEnfpE)
md5 e309c8e66cb963033a3e8cc4b480f81d
sha256 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658
ssdeep 49152:1gjtfvNrQtMX9NQz0/BtRd8F4Ji8UUr8eNp2HEqkseUJc0In5:W7rQQvQzyR84JxF8eNp2HEqksPcd
imphash 1b5afa72ae21524cce342735db6e44db
impfuzzy 24:32gDy02tdS1CBgdlJeDc+pl39roUOovbO3URZHu99RovPGMR:6tdS1CBgic+ppZi3L63

Signatures (16)

Level Description
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
watch Appends a known multi-family ransomware file extension to files that have been encrypted
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (6)

Level Name Description Collection
danger NPKI_Zero File included NPKI binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1)

Request CC ASN Co IP4 Rule ZERO
138.201.198.8 DE Hetzner Online GmbH 138.201.198.8 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x140013000 SizeofResource
 0x140013008 VirtualAlloc
 0x140013010 FindResourceA
 0x140013018 LoadLibraryA
 0x140013020 FreeConsole
 0x140013028 LoadResource
 0x140013030 GetProcAddress
 0x140013038 WriteConsoleW
 0x140013040 RtlCaptureContext
 0x140013048 RtlLookupFunctionEntry
 0x140013050 RtlVirtualUnwind
 0x140013058 UnhandledExceptionFilter
 0x140013060 SetUnhandledExceptionFilter
 0x140013068 GetCurrentProcess
 0x140013070 TerminateProcess
 0x140013078 IsProcessorFeaturePresent
 0x140013080 IsDebuggerPresent
 0x140013088 GetStartupInfoW
 0x140013090 GetModuleHandleW
 0x140013098 QueryPerformanceCounter
 0x1400130a0 GetCurrentProcessId
 0x1400130a8 GetCurrentThreadId
 0x1400130b0 GetSystemTimeAsFileTime
 0x1400130b8 InitializeSListHead
 0x1400130c0 RtlUnwindEx
 0x1400130c8 RtlPcToFileHeader
 0x1400130d0 RaiseException
 0x1400130d8 GetLastError
 0x1400130e0 SetLastError
 0x1400130e8 EncodePointer
 0x1400130f0 EnterCriticalSection
 0x1400130f8 LeaveCriticalSection
 0x140013100 DeleteCriticalSection
 0x140013108 InitializeCriticalSectionAndSpinCount
 0x140013110 TlsAlloc
 0x140013118 TlsGetValue
 0x140013120 TlsSetValue
 0x140013128 TlsFree
 0x140013130 FreeLibrary
 0x140013138 LoadLibraryExW
 0x140013140 ExitProcess
 0x140013148 GetModuleHandleExW
 0x140013150 GetModuleFileNameW
 0x140013158 GetStdHandle
 0x140013160 WriteFile
 0x140013168 GetCommandLineA
 0x140013170 GetCommandLineW
 0x140013178 HeapAlloc
 0x140013180 HeapFree
 0x140013188 FindClose
 0x140013190 FindFirstFileExW
 0x140013198 FindNextFileW
 0x1400131a0 IsValidCodePage
 0x1400131a8 GetACP
 0x1400131b0 GetOEMCP
 0x1400131b8 GetCPInfo
 0x1400131c0 MultiByteToWideChar
 0x1400131c8 WideCharToMultiByte
 0x1400131d0 GetEnvironmentStringsW
 0x1400131d8 FreeEnvironmentStringsW
 0x1400131e0 SetEnvironmentVariableW
 0x1400131e8 FlsAlloc
 0x1400131f0 FlsGetValue
 0x1400131f8 FlsSetValue
 0x140013200 FlsFree
 0x140013208 CompareStringW
 0x140013210 LCMapStringW
 0x140013218 GetProcessHeap
 0x140013220 GetFileType
 0x140013228 SetStdHandle
 0x140013230 GetStringTypeW
 0x140013238 HeapSize
 0x140013240 HeapReAlloc
 0x140013248 FlushFileBuffers
 0x140013250 GetConsoleOutputCP
 0x140013258 GetConsoleMode
 0x140013260 SetFilePointerEx
 0x140013268 CreateFileW
 0x140013270 CloseHandle

EAT(Export Address Table) is none
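The IAT above is the part of this report an analyst can reason about offline: the resource APIs (FindResourceA, LoadResource, SizeofResource) next to VirtualAlloc, LoadLibraryA and GetProcAddress are the shape of a loader that carves a payload out of its own resource section and resolves the APIs it needs at run time, which is consistent with the "Allocates read-write-execute memory" and packer signatures the sandbox raised. The following Python is an added example, not code from the report or from the sandbox: it transcribes the listed imports, derives the imphash the same way pefile does (lowercased "lib.func" entries, library extension stripped, joined with commas, MD5), and groups the imports into the behaviours the signatures describe. The capability groups are this example's own mapping; whether imphash() reproduces the report's value depends on the transcribed list being complete and in original IAT order, which the report does not guarantee, so treat it as a demonstration of the algorithm rather than a verification.

```python
"""Import-table triage for the 91.exe report (added example, not the report's
own tooling). REPORT_IMPORTS is transcribed from the IAT section above; the
CAPABILITIES mapping is this example's assumption, not something the report
states."""
import hashlib

# Hashes copied from the report header.
REPORT_MD5 = "e309c8e66cb963033a3e8cc4b480f81d"
REPORT_SHA256 = "7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658"
REPORT_IMPHASH = "1b5afa72ae21524cce342735db6e44db"

# Transcribed from the report's IAT (KERNEL32.dll only, in listed order).
REPORT_IMPORTS = [
    ("KERNEL32.dll", name)
    for name in """
    SizeofResource VirtualAlloc FindResourceA LoadLibraryA FreeConsole
    LoadResource GetProcAddress WriteConsoleW RtlCaptureContext
    RtlLookupFunctionEntry RtlVirtualUnwind UnhandledExceptionFilter
    SetUnhandledExceptionFilter GetCurrentProcess TerminateProcess
    IsProcessorFeaturePresent IsDebuggerPresent GetStartupInfoW
    GetModuleHandleW QueryPerformanceCounter GetCurrentProcessId
    GetCurrentThreadId GetSystemTimeAsFileTime InitializeSListHead
    RtlUnwindEx RtlPcToFileHeader RaiseException GetLastError SetLastError
    EncodePointer EnterCriticalSection LeaveCriticalSection
    DeleteCriticalSection InitializeCriticalSectionAndSpinCount TlsAlloc
    TlsGetValue TlsSetValue TlsFree FreeLibrary LoadLibraryExW ExitProcess
    GetModuleHandleExW GetModuleFileNameW GetStdHandle WriteFile
    GetCommandLineA GetCommandLineW HeapAlloc HeapFree FindClose
    FindFirstFileExW FindNextFileW IsValidCodePage GetACP GetOEMCP GetCPInfo
    MultiByteToWideChar WideCharToMultiByte GetEnvironmentStringsW
    FreeEnvironmentStringsW SetEnvironmentVariableW FlsAlloc FlsGetValue
    FlsSetValue FlsFree CompareStringW LCMapStringW GetProcessHeap
    GetFileType SetStdHandle GetStringTypeW HeapSize HeapReAlloc
    FlushFileBuffers GetConsoleOutputCP GetConsoleMode SetFilePointerEx
    CreateFileW CloseHandle
    """.split()
]

# This example's own grouping of the report's signatures onto the imports that
# implement them. A group is flagged only when every API in it is present.
# VirtualAlloc alone does not prove RWX memory; the protection constant is a
# run-time observation that a static import list cannot make.
CAPABILITIES = {
    "payload_from_resource": {"FindResourceA", "LoadResource", "SizeofResource"},
    "dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    "memory_staging": {"VirtualAlloc"},
    "debugger_check": {"IsDebuggerPresent"},
    "console_hiding": {"FreeConsole"},
}


def imphash_string(imports):
    """Build the pre-hash string the way pefile does: 'lib.func' per import,
    lowercase, with .dll/.ocx/.sys stripped from the library, ordinals as
    'ordN', joined by commas in IAT order (so order changes the hash)."""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        func = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of imphash_string(); comparable to the report's imphash only if the
    import list is complete and in original order."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def capabilities(imports):
    """Return the CAPABILITIES groups fully covered by the import names."""
    names = {func for _, func in imports if not isinstance(func, int)}
    return {cap for cap, apis in CAPABILITIES.items() if apis <= names}


def matches_report(data):
    """True if raw file bytes hash to the report's md5 and sha256."""
    return (hashlib.md5(data).hexdigest() == REPORT_MD5
            and hashlib.sha256(data).hexdigest() == REPORT_SHA256)


if __name__ == "__main__":
    print("imports:", len(REPORT_IMPORTS))
    print("imphash from transcribed IAT:", imphash(REPORT_IMPORTS))
    print("report imphash:              ", REPORT_IMPHASH)
    print("capabilities:", sorted(capabilities(REPORT_IMPORTS)))
</```

To check a local copy of the sample, read its bytes and pass them to matches_report(); the imphash comparison is only meaningful when the imports come from the binary itself (for example via pefile) rather than from this transcription.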


