Report - 6.ocx

Tags: Generic Malware, UPX, Malicious Library, VMProtect, PE32, PE File
Created 2023.03.17 10:07 Machine s1_win7_x6401
Filename 6.ocx
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 5.0
ZERO API file : malware
VT API (file) 40 detected (malicious, high confidence, kzZ@bSjE9Ykb, unsafe, A02q, confidence, 100%, Attribute, HighConfidence, VMProtect, RATX, Lajl, VMProtBad, high, score, Detected, XPACK, ai score=81, Farfli, R562279, BScope, Generic@AI, RDMK, cmRtazoLb3Z0aDToUkpQRn1XQhqL, Static AI, Suspicious PE, susgen, Zard, Genetic)
md5 ef4a2bb28bee4196a1996de11a3bbf8b
sha256 870a43d88877a0a3e894c444742e29db08aa9c3ee11b8f355eda9c195cd00a4b
ssdeep 12288:5zU3p48uWBJuktdYlf+TaSW9gzpCIAhgxqfcm/qEwU6nYYl7SRBd0OzW5lho:5zJMjJFaSWOzpNnPuBd0oW5n
imphash 520e49367515fc0f38f619960f084b81
impfuzzy 3:sUWLwzsSWLcvbsIlgmX8VybAJSxqrJSx2AEZsWBJAEPwUgEJJ67UgDkSxqEs1MOB:AwAcvbP8VyvErBJAEf/JLGCZB

Signature (8 counts)

Level Description
danger Connects to IP addresses that no longer respond to requests (infrastructure for legitimate services usually stays reachable; dead C2 hosts do not)
danger File has been identified by 40 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (likely to avoid the detection that setting RWX on a region in a single step would trigger)
notice Foreign language identified in PE resource
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (6 counts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
watch VMProtect_Zero VMProtect packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2 counts)

Request CC ASN IP4 Rule ZERO
3005.qmananan.com US COGENT-174 206.233.132.92 clean
206.233.132.92 US COGENT-174 206.233.132.92 clean

Suricata IDS

PE API

IAT (Import Address Table)

KERNEL32.dll
 0x51c000 GetVersionExA
 0x51c004 GetVersion
 0x51c008 OpenThread
USER32.dll
 0x51c010 CharUpperBuffW
KERNEL32.dll
 0x51c018 GetModuleFileNameW
KERNEL32.dll
 0x51c020 GetModuleHandleA
 0x51c024 LoadLibraryA
 0x51c028 LocalAlloc
 0x51c02c LocalFree
 0x51c030 GetModuleFileNameA
 0x51c034 ExitProcess

EAT (Export Address Table): none
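The Signature and Rules entries above (unknown section names, high-entropy section data, a VMProtect-style layout) and the eleven-entry IAT are the static indicators an analyst would reproduce by hand before running the sample. The following is an added example, not code from the sandbox or from the sample: it parses the PE section table directly (no pefile dependency), scores each section's Shannon entropy, flags section names outside a conventional list and sections mapped writable and executable, and applies the "tiny IAT that still imports loader APIs" heuristic. The PE it runs on is a minimal stub constructed inline; the ".vmp0" section name, the KNOWN_SECTIONS list and both thresholds are assumptions, not values this report states. The import list is the one the IAT section of this report shows.

```python
"""Static packer checks of the kind the Signature and Rules sections fire.

Added example (not the sandbox's or the sample's code).  Thresholds and the
known-section list are assumptions; the PE is a constructed stub.
"""
import math
import random
import struct
from collections import Counter

# Section names common linkers emit (assumption: illustrative, not exhaustive).
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                  ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
ENTROPY_PACKED = 7.0   # bits/byte; compressed/encrypted data usually scores above (assumption)
TINY_IAT = 16          # fewer imports than this plus loader APIs suggests a stub (assumption)
LOADER_APIS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress", "GetModuleHandleA"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000


def shannon_entropy(data):
    """Bits per byte: 8.0 is uniformly random, plain x86 code sits well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsects, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsects):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", hdr, 8)
        chars = struct.unpack_from("<I", hdr, 36)[0]
        sections.append((name, pe[rawptr:rawptr + rawsize], chars))
    return sections


def packer_indicators(pe, imports):
    """Return the static indicators a sandbox would surface for this file."""
    out = {"unknown_sections": [], "high_entropy": [], "rwx_sections": [], "tiny_iat": False}
    for name, data, chars in parse_sections(pe):
        if name not in KNOWN_SECTIONS:
            out["unknown_sections"].append(name)
        if shannon_entropy(data) > ENTROPY_PACKED:
            out["high_entropy"].append(name)
        if chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE:
            out["rwx_sections"].append(name)
    if len(imports) < TINY_IAT and LOADER_APIS & set(imports):
        out["tiny_iat"] = True
    return out


def build_stub_pe(sections):
    """Assemble a minimal PE32 image from (name, data, characteristics) tuples."""
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    raw_ptr = len(dos) + 4 + len(coff) + len(optional) + 40 * len(sections)
    table, body = b"", b""
    for i, (name, data, chars) in enumerate(sections):
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000 * (i + 1), len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + optional + table + body


# Constructed input: one ordinary code section and one VMProtect-style section
# filled with deterministic pseudorandom bytes standing in for encrypted code.
_rng = random.Random(0xC0FFEE)
SAMPLE_PE = build_stub_pe([
    (".text", b"\x55\x8b\xec\x90" * 256, 0x60000020),                        # exec+read
    (".vmp0", bytes(_rng.getrandbits(8) for _ in range(4096)), 0xE0000020),  # exec+read+write
])

# Import names exactly as the IAT section of this report lists them.
REPORT_IMPORTS = ["GetVersionExA", "GetVersion", "OpenThread", "CharUpperBuffW",
                  "GetModuleFileNameW", "GetModuleHandleA", "LoadLibraryA",
                  "LocalAlloc", "LocalFree", "GetModuleFileNameA", "ExitProcess"]

if __name__ == "__main__":
    for name, data, _ in parse_sections(SAMPLE_PE):
        print(f"{name:<8} entropy={shannon_entropy(data):.2f}")
    print(packer_indicators(SAMPLE_PE, REPORT_IMPORTS))
```

Run against a real file, replace SAMPLE_PE with the bytes of the sample and REPORT_IMPORTS with the names pulled from its import directory; the entropy threshold is deliberately conservative, since a large .rsrc section holding compressed images will also score high and should be read alongside the section name and protection flags rather than on its own.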


