Report - Downloader.exe

PE32 PE File
Created   2023.03.23 13:16
Machine   s1_win7_x6403
Filename  Downloader.exe
Type      PE32 executable (GUI) Intel 80386, for MS Windows
AI Score        9
Behavior Score  5.0
ZERO API (file): malware
VT API (file): 59 engines detected (detection-name labels: malicious, high confidence, Midie, AgentMF, S19993834, FBWZ, unsafe, Save, confidence, 100%, VBObfuse, VBTrojan, Maxi, score, Aizczvpi, xabduu, fxwldb, Xmhl, DownLoader30, REDLINE, YXDCVZ, Static AI, Suspicious PE, bdxz, Wacatac, Malware@#zmqidmwkoy54, Detected, Vobfus, R326912, ai score=84, 2XZfwNMewX, GenAsa, Ywn5wjDUu9s, susgen, Kryptik, HMTB, GdSda)
md5 75d45ac139ac9630ef44d1952e574633
sha256 1ca7368f52844d39bf76fc1b84ab483f2e1ad0e8ef9969fd369c977cbcf2673e
ssdeep 96:kIVg6r1wCCbBarsanJtRHJeZW+RElJ869X/QNsgBSEnrtDINyncI+vL/mg56NM69:LVZZrDRgAKErnEnrtDINynT+vCgcNX9
imphash 7561f617f3827674993d78a3c48f4610
impfuzzy 3:rTHTNT6IJjZzIJRM0HIWTkP1nELBJyJIWnIhsUHEgV8WIhSHzICqkCKpeEjgGUz6:HHTNWIrzGq8rTG1nq4qWWTpTa6n
Signature (10cnts)

Level Description
danger File has been identified by 59 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice An executable file was downloaded by the process downloader.exe
notice Changes read-write memory protection to read-execute (code is staged in RW memory and then flipped to RX, which avoids the single RWX allocation that many detectors flag)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (4cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request  CC  ASN  Co  IP4  Rule  ZERO
http://193.42.33.216/myp.exe Unknown 193.42.33.216 malware
http://193.42.33.216/clip.exe Unknown 193.42.33.216 malware
193.42.33.216 Unknown 193.42.33.216 malware
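The three network rows above are what drive the "Communicates with host for which no DNS query was performed" and "An executable file was downloaded" signatures: both payloads are fetched by bare IP, with no name resolution in between. The script below is an added example, not the sandbox's own code, that replays DNS and HTTP log lines in a constructed `<seconds> <kind> key=value` format, raises the same two findings, and additionally tags any request that hits the report's IP or URLs. The log format, field names and sample lines are assumptions for illustration; the IOCs are copied from the table above.

```python
"""Replay DNS/HTTP log lines and raise the report's network signatures.
Added example: log format and sample lines are constructed, not sandbox output."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# IOCs copied from the report's Network table.
REPORT_IP = "193.42.33.216"
REPORT_URLS = {
    "http://193.42.33.216/myp.exe",
    "http://193.42.33.216/clip.exe",
}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".msi")

# Constructed sample capture (hypothetical format: "<seconds> <kind> k=v ...").
SAMPLE_LOG = """\
0.10 dns query=example.org answer=93.184.216.34
0.50 http method=GET url=http://example.org/index.html
1.20 http method=GET url=http://193.42.33.216/myp.exe
1.40 http method=GET url=http://193.42.33.216/clip.exe
2.00 http method=GET url=http://93.184.216.34/favicon.ico
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<kind>dns|http)\s+(?P<rest>.*)$")


@dataclass(frozen=True)
class Finding:
    level: str        # danger / watch / notice, mirroring the report's levels
    description: str
    url: str


def parse_log(text):
    """Return (ts, kind, fields) tuples sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        events.append((float(m.group("ts")), m.group("kind"), fields))
    return sorted(events, key=lambda e: e[0])


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(text):
    """Walk the events in order; a host counts as 'resolved' only if a DNS event
    for that name, or answering with that address, was seen before the request."""
    findings = []
    resolved = set()  # queried names and the addresses they resolved to
    for _ts, kind, f in parse_log(text):
        if kind == "dns":
            resolved.add(f.get("query", "").lower())
            resolved.add(f.get("answer", ""))
            continue
        url = f.get("url", "")
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if url in REPORT_URLS or host == REPORT_IP:
            findings.append(Finding("danger", "Contacts an IOC from the report", url))
        if host and host not in resolved:
            why = "IP literal, no DNS lookup" if is_ip_literal(host) else "name never queried"
            findings.append(Finding(
                "watch",
                f"Communicates with host for which no DNS query was performed ({why})",
                url))
        if parsed.path.lower().endswith(EXECUTABLE_EXT):
            findings.append(Finding("notice", "An executable file was downloaded", url))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(f"{finding.level:<7} {finding.description}  {finding.url}")
```

The favicon request in the sample is the control case: its host is an IP literal, but that address came back in a DNS answer earlier in the capture, so it is not flagged. Replace `SAMPLE_LOG` with lines converted from a real capture (tshark or Zeek `dns.log`/`http.log`) to reproduce the sandbox's verdict on your own traffic.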

Suricata ids

PE API

IAT (Import Address Table) Library

MSVBVM60.DLL (the VB6 runtime, and the only library imported; entries shown as None are imports the tool did not resolve to a name, typically imports by ordinal. A VB6 program's Windows API calls go through the runtime, e.g. DllFunctionCall for Declare'd functions, so this IAT says little about behaviour; rely on the signatures above.)
 0x401000 None
 0x401004 None
 0x401008 DllFunctionCall
 0x40100c __vbaExceptHandler
 0x401010 None
 0x401014 None
 0x401018 None
 0x40101c ProcCallEngine
 0x401020 None
 0x401024 None

EAT (Export Address Table): none