Report - 1.exe

UPX Malicious Library MZP Format PE32 PE File
ScreenShot
Created 2023.03.24 09:44 Machine s1_win7_x6403
Filename 1.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
1
Behavior Score
6.2
ZERO API file : malware
VT API (file) 34 detected (malicious, high confidence, Phonzy, GenericKD, Votj, ABRisk, DIME, score, Dealalpha, Csdi, FileRepMalware, Misc, Zwhl, Generic ML PUA, Siggen20, PRIVATELOADER, YXDCXZ, ObfuscatedPoly, Chebka, AGEN, Detected, Artemis, susgen)
md5 7429ee8b83fcbb48fe5b383a6235ac1d
sha256 59a07e2c448afe8d96a5f79968d7ede52d409d9d36d7a77eaa190c5c70cf3f32
ssdeep 12288:VQi3IG+zy2Rc6m6UR0Ipp1hf39Wkv8xwJA:VQiYG+zy2RzHIppdUMA
imphash 884310b1928934402ea6fec1dbd3cf5e
impfuzzy 48:8cfp1rcQX0gebPCDr+ZbldH9AOZGwt+Eu55T/lGB:8cfpdcqNebqDrmrHW2
  Network IP location

Signature (15cnts)

Level Description
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process 1.tmp
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (5cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info mzp_file_format MZP(Delphi) file format binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (20cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://s3.eu-central-1.wasabisys.com/delice/delice-prov/poweroff.exe US BLUEARCHIVE-ZONE-1 130.117.252.29 clean
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies RU RocketTelecom LLC 37.230.138.66 23046 mailcious
https://connectini.net/Series/SuperNitouDisc.php RU RocketTelecom LLC 37.230.138.123 7619 mailcious
https://s3.eu-central-1.wasabisys.com/delice/delice-purify/hand-emHqRHrKsna22Rea.exe US BLUEARCHIVE-ZONE-1 130.117.252.29 clean
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe DE AMAZON-02 52.219.140.125 23052 mailcious
https://www.google.com/ US GOOGLE 142.250.66.36 clean
https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=6 RU RocketTelecom LLC 37.230.138.123 7620 mailcious
https://s3.eu-central-1.wasabisys.com/delice/delice-purify/up-do-dat-emHqRHrKsna22Rea.exe US BLUEARCHIVE-ZONE-1 130.117.252.29 clean
n8w5.c12.e2-1.dev Unknown malware
wewewe.s3.eu-central-1.amazonaws.com Unknown 52.219.170.150 mailcious
www.google.com US GOOGLE 172.217.25.164 clean
360devtracking.com RU RocketTelecom LLC 37.230.138.66 mailcious
s3.eu-central-1.wasabisys.com US BLUEARCHIVE-ZONE-1 130.117.252.29 malware
connectini.net RU RocketTelecom LLC 37.230.138.123 mailcious
130.117.252.29 US BLUEARCHIVE-ZONE-1 130.117.252.29 malware
52.219.140.125 DE AMAZON-02 52.219.140.125 clean
130.117.252.31 US BLUEARCHIVE-ZONE-1 130.117.252.31 clean
142.250.66.36 US GOOGLE 142.250.66.36 clean
37.230.138.123 RU RocketTelecom LLC 37.230.138.123 mailcious
37.230.138.66 RU RocketTelecom LLC 37.230.138.66 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x40d0b4 DeleteCriticalSection
 0x40d0b8 LeaveCriticalSection
 0x40d0bc EnterCriticalSection
 0x40d0c0 InitializeCriticalSection
 0x40d0c4 VirtualFree
 0x40d0c8 VirtualAlloc
 0x40d0cc LocalFree
 0x40d0d0 LocalAlloc
 0x40d0d4 WideCharToMultiByte
 0x40d0d8 TlsSetValue
 0x40d0dc TlsGetValue
 0x40d0e0 MultiByteToWideChar
 0x40d0e4 GetModuleHandleA
 0x40d0e8 GetLastError
 0x40d0ec GetCommandLineA
 0x40d0f0 WriteFile
 0x40d0f4 SetFilePointer
 0x40d0f8 SetEndOfFile
 0x40d0fc RtlUnwind
 0x40d100 ReadFile
 0x40d104 RaiseException
 0x40d108 GetStdHandle
 0x40d10c GetFileSize
 0x40d110 GetSystemTime
 0x40d114 GetFileType
 0x40d118 ExitProcess
 0x40d11c CreateFileA
 0x40d120 CloseHandle
user32.dll
 0x40d128 MessageBoxA
oleaut32.dll
 0x40d130 VariantChangeTypeEx
 0x40d134 VariantCopyInd
 0x40d138 VariantClear
 0x40d13c SysStringLen
 0x40d140 SysAllocStringLen
advapi32.dll
 0x40d148 RegQueryValueExA
 0x40d14c RegOpenKeyExA
 0x40d150 RegCloseKey
 0x40d154 OpenProcessToken
 0x40d158 LookupPrivilegeValueA
kernel32.dll
 0x40d160 WriteFile
 0x40d164 VirtualQuery
 0x40d168 VirtualProtect
 0x40d16c VirtualFree
 0x40d170 VirtualAlloc
 0x40d174 Sleep
 0x40d178 SizeofResource
 0x40d17c SetLastError
 0x40d180 SetFilePointer
 0x40d184 SetErrorMode
 0x40d188 SetEndOfFile
 0x40d18c RemoveDirectoryA
 0x40d190 ReadFile
 0x40d194 LockResource
 0x40d198 LoadResource
 0x40d19c LoadLibraryA
 0x40d1a0 IsDBCSLeadByte
 0x40d1a4 GetWindowsDirectoryA
 0x40d1a8 GetVersionExA
 0x40d1ac GetUserDefaultLangID
 0x40d1b0 GetSystemInfo
 0x40d1b4 GetSystemDefaultLCID
 0x40d1b8 GetProcAddress
 0x40d1bc GetModuleHandleA
 0x40d1c0 GetModuleFileNameA
 0x40d1c4 GetLocaleInfoA
 0x40d1c8 GetLastError
 0x40d1cc GetFullPathNameA
 0x40d1d0 GetFileSize
 0x40d1d4 GetFileAttributesA
 0x40d1d8 GetExitCodeProcess
 0x40d1dc GetEnvironmentVariableA
 0x40d1e0 GetCurrentProcess
 0x40d1e4 GetCommandLineA
 0x40d1e8 GetACP
 0x40d1ec InterlockedExchange
 0x40d1f0 FormatMessageA
 0x40d1f4 FindResourceA
 0x40d1f8 DeleteFileA
 0x40d1fc CreateProcessA
 0x40d200 CreateFileA
 0x40d204 CreateDirectoryA
 0x40d208 CloseHandle
user32.dll
 0x40d210 TranslateMessage
 0x40d214 SetWindowLongA
 0x40d218 PeekMessageA
 0x40d21c MsgWaitForMultipleObjects
 0x40d220 MessageBoxA
 0x40d224 LoadStringA
 0x40d228 ExitWindowsEx
 0x40d22c DispatchMessageA
 0x40d230 DestroyWindow
 0x40d234 CreateWindowExA
 0x40d238 CallWindowProcA
 0x40d23c CharPrevA
comctl32.dll
 0x40d244 InitCommonControls
advapi32.dll
 0x40d24c AdjustTokenPrivileges

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure