Report - server.exe

Tags: UPX, Malicious Library, OS Processor Check, PE32, PE File
Created 2023.03.23 13:05 Machine s1_win7_x6403
Filename server.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
Behavior Score
7.8
ZERO API (file): malware
VT API (file) 58 detected (VariantPalevoB, Palevo, tnDr, malicious, high confidence, GenericKD, Mauvaise, GenericRXFQ, Save, None, confidence, 100%, ZexaF, juW@a01N9bei, Eldorado, score, hsfb, eedpnj, Gencirc, Mdrop, DownLoader24, FUSHIELD, NetLoader, moderate, Static AI, Suspicious PE, bgtwn, AGEN, ai score=84, AA@5szlv3, Detected, Dynamer, R159816, BScope, Pynamer, unsafe, CLASSIC, GenAsa, HmnMauVhttw, susgen, Genetic)
md5 faf3c47c4d784d20688a8cfd37198518
sha256 ba99e2163f2a673708f5f6f4c8b6ba6e739ec852c25f239b10b1eefcc41d0022
ssdeep 1536:ia0dkJcE9FWrsyZK4aUkJ+sMpQCrIULTRN9EQQ5gci1fnGaBsWjcdpvJ+qHf7Uio:x0+HAaUO1C9dNaph+EUidlq3W5DSh
imphash 3eef63a9074cade023a62e2ebdf31860
impfuzzy 24:1ZNif8JxW/Vst0XvHilBd8VOegjJ8cf3t0ugDoPfx9Oov/lY7Jb+cMUv0kZ8vyjO:ZrziVOJ8cf3AAYx+cM+00/ck7+WbAT

Signature (11cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
danger File has been identified by 58 AntiVirus engines on VirusTotal as malicious
danger Disables Windows Security features
watch Attempts to modify UAC prompt behavior
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
watch Installs itself for autorun at Windows startup
watch Modifies security center warnings
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
info This executable has a PDB path

Rules (10cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
81.68.216.37 CN Shenzhen Tencent Computer Systems Company Limited 81.68.216.37 malware

Suricata ids

PE API

IAT (Import Address Table) by library

WS2_32.dll
 0x4151b0 WSAIoctl
 0x4151b4 select
 0x4151b8 recv
 0x4151bc __WSAFDIsSet
 0x4151c0 gethostname
 0x4151c4 connect
 0x4151c8 WSAStartup
 0x4151cc inet_addr
 0x4151d0 htonl
 0x4151d4 htons
 0x4151d8 setsockopt
 0x4151dc sendto
 0x4151e0 socket
 0x4151e4 closesocket
 0x4151e8 gethostbyname
 0x4151ec send
 0x4151f0 WSASocketA
IPHLPAPI.DLL
 0x415038 GetNetworkParams
DNSAPI.dll
 0x41502c DnsFree
 0x415030 DnsQuery_A
KERNEL32.dll
 0x415040 ReadConsoleW
 0x415044 LCMapStringW
 0x415048 FlushFileBuffers
 0x41504c SetStdHandle
 0x415050 WriteConsoleW
 0x415054 CreateFileW
 0x415058 IsDebuggerPresent
 0x41505c CreateFileA
 0x415060 GetTickCount
 0x415064 WriteFile
 0x415068 GlobalAlloc
 0x41506c InitializeCriticalSectionAndSpinCount
 0x415070 Sleep
 0x415074 TerminateProcess
 0x415078 RaiseException
 0x41507c GetLastError
 0x415080 GlobalFree
 0x415084 DecodePointer
 0x415088 DeleteCriticalSection
 0x41508c CloseHandle
 0x415090 DeleteFileA
 0x415094 CreateThread
 0x415098 GetCurrentProcess
 0x41509c WaitForSingleObject
 0x4150a0 CopyFileA
 0x4150a4 GetModuleFileNameA
 0x4150a8 GetCurrentThreadId
 0x4150ac GetCurrentProcessId
 0x4150b0 ExitProcess
 0x4150b4 GlobalMemoryStatus
 0x4150b8 SetErrorMode
 0x4150bc FreeLibrary
 0x4150c0 SetUnhandledExceptionFilter
 0x4150c4 ReadFile
 0x4150c8 GetEnvironmentVariableA
 0x4150cc GetProcAddress
 0x4150d0 LoadLibraryA
 0x4150d4 GetSystemInfo
 0x4150d8 CreateMutexA
 0x4150dc GetVersionExA
 0x4150e0 WinExec
 0x4150e4 HeapFree
 0x4150e8 HeapAlloc
 0x4150ec EncodePointer
 0x4150f0 IsProcessorFeaturePresent
 0x4150f4 GetSystemTimeAsFileTime
 0x4150f8 GetCommandLineA
 0x4150fc GetProcessHeap
 0x415100 GetModuleHandleExW
 0x415104 AreFileApisANSI
 0x415108 MultiByteToWideChar
 0x41510c WideCharToMultiByte
 0x415110 GetStdHandle
 0x415114 GetModuleFileNameW
 0x415118 HeapSize
 0x41511c SetLastError
 0x415120 UnhandledExceptionFilter
 0x415124 TlsAlloc
 0x415128 TlsGetValue
 0x41512c TlsSetValue
 0x415130 TlsFree
 0x415134 GetStartupInfoW
 0x415138 GetModuleHandleW
 0x41513c IsValidCodePage
 0x415140 GetACP
 0x415144 GetOEMCP
 0x415148 GetCPInfo
 0x41514c EnterCriticalSection
 0x415150 LeaveCriticalSection
 0x415154 RtlUnwind
 0x415158 CreateDirectoryW
 0x41515c GetFileType
 0x415160 QueryPerformanceCounter
 0x415164 GetEnvironmentStringsW
 0x415168 FreeEnvironmentStringsW
 0x41516c LoadLibraryExW
 0x415170 OutputDebugStringW
 0x415174 HeapReAlloc
 0x415178 GetConsoleCP
 0x41517c GetConsoleMode
 0x415180 SetFilePointerEx
 0x415184 GetStringTypeW
 0x415188 SetEndOfFile
USER32.dll
 0x4151a8 wsprintfA
ADVAPI32.dll
 0x415000 AllocateAndInitializeSid
 0x415004 FreeSid
 0x415008 CheckTokenMembership
 0x41500c OpenProcessToken
 0x415010 RegSetValueExA
 0x415014 RegQueryValueExA
 0x415018 RegCloseKey
 0x41501c AdjustTokenPrivileges
 0x415020 RegOpenKeyA
 0x415024 LookupPrivilegeValueA
SHELL32.dll
 0x415190 ShellExecuteExA
 0x415194 SHGetSpecialFolderPathA
SHLWAPI.dll
 0x41519c PathFindFileNameA
 0x4151a0 PathRemoveFileSpecA

EAT (Export Address Table): none