popup

Report - clip.exe

PE32 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.03.23 13:10 Machine s1_win7_x6403
Filename clip.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
AI Score
3
 Behavior Score
4.6
ZERO API file : malware
VT API (file) 26 detected (malicious, moderate confidence, Razy, Vc8k, confidence, Attribute, HighConfidence, score, RiskTool, ZexaF, @pGfaSi, Generic ML PUA, XPACK, GrayWare, Kryptik, R002H07CM23, Dkjl, ai score=82)
md5 8d3942d2bfaf962a1177aee8d08ca079
sha256 6c2d4769002a3032dbf7e7f7cc20ee2e037d9f8a6a4a14e997e5e2a3b1d0ca87
ssdeep 98304:GHKnyIBCaUVmAYzLiw4UtCsDB2DsEUcQF+KnG5N73/hx9gnxxVeIaGgchSh13jDX:YoyIM3VczLiw4S5QirnGzpM3VHaGg6ug
imphash 6ed4f5f04d62b18d96b26d6db7c18840
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn
  Network IP location

Signature (10cnts)

Level Description
warning File has been identified by 26 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Detects the presence of Wine emulator
watch Installs itself for autorun at Windows startup
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice One or more potentially interesting buffers were extracted
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Collects information to fingerprint the system (MachineGuid
info The executable uses a known packer

Rules (2cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
api.telegram.org
whois
GB Telegram Messenger Inc 149.154.167.220 clean
149.154.167.220
whois
GB Telegram Messenger Inc 149.154.167.220 clean

Suricata ids

ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0xbce028 LoadLibraryA
 0xbce02c ExitProcess
 0xbce030 GetProcAddress
 0xbce034 VirtualProtect

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure