Report - rw001ext.exe

Gen2 Generic Malware UPX Malicious Library OS Processor Check PE32 PE File
Created 2023.03.21 10:18 Machine s1_win7_x6401
Filename rw001ext.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score 2
Behavior Score 1.2
ZERO API file: malware
VT API (file) 8 detected (malicious, confidence, ESUM, FileRepMalware, Artemis, Casdet)
md5 0ad8d4cffac5f713a2ef3b2c72a84e29
sha256 d1bd5a14d886e71aa5855ce74c84aa7cefa1f782e32cd2140c3a10d91084105d
ssdeep 196608:HUNWu+zM+o+OVv8ZTN4OPF4pzR1X7/kBV5DEp:0gOiZT1F4/1/si
imphash 85a54fad2bd6b77afdc3a0e3e1364550
impfuzzy 96:NN+9W5W6ttFWA55nH6buxKcXHdbxofPDRufI9yXiX1SjwJGdN17qtj5:L+9W5W6ttFWA5nt2wWySFGd3mtj5

Signature (3cnts)

Level Description
notice Allocates read-write-execute memory (usually to unpack itself)
notice File has been identified by 8 AntiVirus engines on VirusTotal as malicious
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (14cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT (Import Address Table) Library

advapi32.dll
 0xad2440 OpenProcessToken
bcrypt.dll
 0xad2448 BCryptCloseAlgorithmProvider
 0xad244c BCryptGenRandom
 0xad2450 BCryptOpenAlgorithmProvider
kernel32.dll
 0xad2458 AcquireSRWLockExclusive
 0xad245c AcquireSRWLockShared
 0xad2460 AddVectoredExceptionHandler
 0xad2464 CancelIo
 0xad2468 CloseHandle
 0xad246c CompareStringOrdinal
 0xad2470 CopyFileExW
 0xad2474 CreateDirectoryW
 0xad2478 CreateEventW
 0xad247c CreateFileMappingA
 0xad2480 CreateFileW
 0xad2484 CreateHardLinkW
 0xad2488 CreateMutexA
 0xad248c CreateNamedPipeW
 0xad2490 CreateProcessW
 0xad2494 CreateSymbolicLinkW
 0xad2498 CreateThread
 0xad249c CreateToolhelp32Snapshot
 0xad24a0 DeleteFileW
 0xad24a4 DeviceIoControl
 0xad24a8 DuplicateHandle
 0xad24ac ExitProcess
 0xad24b0 FindClose
 0xad24b4 FindFirstFileW
 0xad24b8 FindNextFileW
 0xad24bc FlushFileBuffers
 0xad24c0 FormatMessageW
 0xad24c4 FreeEnvironmentStringsW
 0xad24c8 FreeLibrary
 0xad24cc GetCommandLineW
 0xad24d0 GetConsoleMode
 0xad24d4 GetCurrentDirectoryW
 0xad24d8 GetCurrentProcess
 0xad24dc GetCurrentProcessId
 0xad24e0 GetCurrentThread
 0xad24e4 GetEnvironmentStringsW
 0xad24e8 GetEnvironmentVariableW
 0xad24ec GetExitCodeProcess
 0xad24f0 GetFileAttributesW
 0xad24f4 GetFileInformationByHandle
 0xad24f8 GetFileInformationByHandleEx
 0xad24fc GetFileType
 0xad2500 GetFinalPathNameByHandleW
 0xad2504 GetFullPathNameW
 0xad2508 GetLastError
 0xad250c GetModuleFileNameW
 0xad2510 GetModuleHandleA
 0xad2514 GetModuleHandleW
 0xad2518 GetOverlappedResult
 0xad251c GetProcAddress
 0xad2520 GetProcessHeap
 0xad2524 GetProcessId
 0xad2528 GetStartupInfoA
 0xad252c GetStdHandle
 0xad2530 GetSystemDirectoryW
 0xad2534 GetSystemInfo
 0xad2538 GetSystemTimeAsFileTime
 0xad253c GetTempPathW
 0xad2540 GetWindowsDirectoryW
 0xad2544 GlobalAlloc
 0xad2548 HeapAlloc
 0xad254c HeapFree
 0xad2550 HeapReAlloc
 0xad2554 InitOnceBeginInitialize
 0xad2558 InitOnceComplete
 0xad255c LoadLibraryA
 0xad2560 LoadLibraryW
 0xad2564 MapViewOfFile
 0xad2568 Module32FirstW
 0xad256c Module32NextW
 0xad2570 MoveFileExW
 0xad2574 QueryPerformanceCounter
 0xad2578 QueryPerformanceFrequency
 0xad257c ReadConsoleW
 0xad2580 ReadFile
 0xad2584 ReadFileEx
 0xad2588 ReleaseMutex
 0xad258c ReleaseSRWLockExclusive
 0xad2590 ReleaseSRWLockShared
 0xad2594 RemoveDirectoryW
 0xad2598 RtlCaptureContext
 0xad259c SetCurrentDirectoryW
 0xad25a0 SetEnvironmentVariableW
 0xad25a4 SetEvent
 0xad25a8 SetFileAttributesW
 0xad25ac SetFileInformationByHandle
 0xad25b0 SetFilePointerEx
 0xad25b4 SetFileTime
 0xad25b8 SetHandleInformation
 0xad25bc SetLastError
 0xad25c0 SetThreadStackGuarantee
 0xad25c4 SetUnhandledExceptionFilter
 0xad25c8 Sleep
 0xad25cc SleepConditionVariableSRW
 0xad25d0 SleepEx
 0xad25d4 SwitchToThread
 0xad25d8 TerminateProcess
 0xad25dc TlsAlloc
 0xad25e0 TlsFree
 0xad25e4 TlsGetValue
 0xad25e8 TlsSetValue
 0xad25ec TryAcquireSRWLockExclusive
 0xad25f0 UnmapViewOfFile
 0xad25f4 VirtualProtect
 0xad25f8 WaitForMultipleObjects
 0xad25fc WaitForSingleObject
 0xad2600 WaitForSingleObjectEx
 0xad2604 WakeAllConditionVariable
 0xad2608 WakeConditionVariable
 0xad260c WriteConsoleW
 0xad2610 WriteFileEx
ole32.dll
 0xad2618 CoCreateGuid
oleaut32.dll
 0xad2620 GetErrorInfo
 0xad2624 SetErrorInfo
 0xad2628 SysAllocStringLen
 0xad262c SysFreeString
 0xad2630 SysStringLen
userenv.dll
 0xad2638 GetUserProfileDirectoryW
ws2_32.dll
 0xad2640 WSACleanup
 0xad2644 WSADuplicateSocketW
 0xad2648 WSAGetLastError
 0xad264c WSARecv
 0xad2650 WSASend
 0xad2654 WSASocketW
 0xad2658 WSAStartup
 0xad265c accept
 0xad2660 bind
 0xad2664 closesocket
 0xad2668 connect
 0xad266c freeaddrinfo
 0xad2670 getaddrinfo
 0xad2674 getpeername
 0xad2678 getsockname
 0xad267c getsockopt
 0xad2680 ioctlsocket
 0xad2684 listen
 0xad2688 recv
 0xad268c recvfrom
 0xad2690 select
 0xad2694 send
 0xad2698 sendto
 0xad269c setsockopt
 0xad26a0 shutdown
KERNEL32.dll
 0xad26a8 CreateEventA
 0xad26ac CreateSemaphoreA
 0xad26b0 DeleteCriticalSection
 0xad26b4 EnterCriticalSection
 0xad26b8 GetCurrentThreadId
 0xad26bc GetHandleInformation
 0xad26c0 GetProcessAffinityMask
 0xad26c4 GetThreadContext
 0xad26c8 GetThreadPriority
 0xad26cc GetTickCount
 0xad26d0 InitializeCriticalSection
 0xad26d4 IsDebuggerPresent
 0xad26d8 LeaveCriticalSection
 0xad26dc OutputDebugStringA
 0xad26e0 RaiseException
 0xad26e4 ReleaseSemaphore
 0xad26e8 RemoveVectoredExceptionHandler
 0xad26ec ResetEvent
 0xad26f0 ResumeThread
 0xad26f4 SetProcessAffinityMask
 0xad26f8 SetThreadContext
 0xad26fc SetThreadPriority
 0xad2700 SuspendThread
 0xad2704 TryEnterCriticalSection
 0xad2708 UnhandledExceptionFilter
 0xad270c VirtualQuery
msvcrt.dll
 0xad2714 __dllonexit
 0xad2718 __getmainargs
 0xad271c __initenv
 0xad2720 __lconv_init
 0xad2724 __set_app_type
 0xad2728 __setusermatherr
 0xad272c _acmdln
 0xad2730 _amsg_exit
 0xad2734 _beginthreadex
 0xad2738 _cexit
 0xad273c _endthreadex
 0xad2740 _fmode
 0xad2744 _fpreset
 0xad2748 _initterm
 0xad274c _iob
 0xad2750 _lock
 0xad2754 _onexit
 0xad2758 _setjmp3
 0xad275c _strdup
 0xad2760 _ultoa
 0xad2764 _unlock
 0xad2768 abort
 0xad276c calloc
 0xad2770 exit
 0xad2774 fprintf
 0xad2778 free
 0xad277c fwrite
 0xad2780 longjmp
 0xad2784 malloc
 0xad2788 memcmp
 0xad278c memcpy
 0xad2790 memmove
 0xad2794 memset
 0xad2798 printf
 0xad279c realloc
 0xad27a0 signal
 0xad27a4 strlen
 0xad27a8 strncmp
 0xad27ac vfprintf
 0xad27b0 wcslen

EAT (Export Address Table): none

Similarity measure (PE file only) - Checking for service failure