Report - update-pyt.exe

Tags: Gen2, Generic Malware, UPX, Malicious Library, Antivirus, OS Processor Check, PE32, PE File, JPEG Format

Created: 2023.03.27 10:28
Machine: s1_win7_x6403
Filename: update-pyt.exe
Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score: Not found
Behavior Score: 8.2
ZERO API (file): malware
VT API (file)
md5: ba6a75f0c69a7f22b526ad940c3451b4
sha256: f9065a3e8905c4433fb9df4dbff6a8c6645cfb12291dcdc1a3e7148f46e2762e
ssdeep: 393216:Ow1YoG53jQu7j/ZFztE4Fg1EFoK2Er/QG7fal7a:OsYtTjC4Fg1s2Erlf
imphash: 0ec728b69f9b2c2cd0c25c220fb7500a
impfuzzy: 96:NN+9W5W6ttFWA55nH6buxKcXHdbxofPDRufI9yXiX1SjwJGdN17qtj+1AXJ4Zcpw:L+9W5W6ttFWA5nt2wWySFGd3mtjrZ45r

Signature (21 entries)

Level Description
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process oneetx.exe
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (16 entries)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (31 entries)

Request CC ASN Co IP4 Rule ZERO

Suricata IDS

PE API

IAT (Import Address Table) Library

advapi32.dll
 0xbd2000 OpenProcessToken
bcrypt.dll
 0xbd2008 BCryptCloseAlgorithmProvider
 0xbd200c BCryptGenRandom
 0xbd2010 BCryptOpenAlgorithmProvider
kernel32.dll
 0xbd2018 AcquireSRWLockExclusive
 0xbd201c AcquireSRWLockShared
 0xbd2020 AddVectoredExceptionHandler
 0xbd2024 CancelIo
 0xbd2028 CloseHandle
 0xbd202c CompareStringOrdinal
 0xbd2030 CopyFileExW
 0xbd2034 CreateDirectoryW
 0xbd2038 CreateEventW
 0xbd203c CreateFileMappingA
 0xbd2040 CreateFileW
 0xbd2044 CreateHardLinkW
 0xbd2048 CreateMutexA
 0xbd204c CreateNamedPipeW
 0xbd2050 CreateProcessW
 0xbd2054 CreateSymbolicLinkW
 0xbd2058 CreateThread
 0xbd205c CreateToolhelp32Snapshot
 0xbd2060 DeleteFileW
 0xbd2064 DeviceIoControl
 0xbd2068 DuplicateHandle
 0xbd206c ExitProcess
 0xbd2070 FindClose
 0xbd2074 FindFirstFileW
 0xbd2078 FindNextFileW
 0xbd207c FlushFileBuffers
 0xbd2080 FormatMessageW
 0xbd2084 FreeEnvironmentStringsW
 0xbd2088 FreeLibrary
 0xbd208c GetCommandLineW
 0xbd2090 GetConsoleMode
 0xbd2094 GetCurrentDirectoryW
 0xbd2098 GetCurrentProcess
 0xbd209c GetCurrentProcessId
 0xbd20a0 GetCurrentThread
 0xbd20a4 GetEnvironmentStringsW
 0xbd20a8 GetEnvironmentVariableW
 0xbd20ac GetExitCodeProcess
 0xbd20b0 GetFileAttributesW
 0xbd20b4 GetFileInformationByHandle
 0xbd20b8 GetFileInformationByHandleEx
 0xbd20bc GetFileType
 0xbd20c0 GetFinalPathNameByHandleW
 0xbd20c4 GetFullPathNameW
 0xbd20c8 GetLastError
 0xbd20cc GetModuleFileNameW
 0xbd20d0 GetModuleHandleA
 0xbd20d4 GetModuleHandleW
 0xbd20d8 GetOverlappedResult
 0xbd20dc GetProcAddress
 0xbd20e0 GetProcessHeap
 0xbd20e4 GetProcessId
 0xbd20e8 GetStartupInfoA
 0xbd20ec GetStdHandle
 0xbd20f0 GetSystemDirectoryW
 0xbd20f4 GetSystemInfo
 0xbd20f8 GetSystemTimeAsFileTime
 0xbd20fc GetTempPathW
 0xbd2100 GetWindowsDirectoryW
 0xbd2104 GlobalAlloc
 0xbd2108 HeapAlloc
 0xbd210c HeapFree
 0xbd2110 HeapReAlloc
 0xbd2114 InitOnceBeginInitialize
 0xbd2118 InitOnceComplete
 0xbd211c LoadLibraryA
 0xbd2120 LoadLibraryW
 0xbd2124 MapViewOfFile
 0xbd2128 Module32FirstW
 0xbd212c Module32NextW
 0xbd2130 MoveFileExW
 0xbd2134 QueryPerformanceCounter
 0xbd2138 QueryPerformanceFrequency
 0xbd213c ReadConsoleW
 0xbd2140 ReadFile
 0xbd2144 ReadFileEx
 0xbd2148 ReleaseMutex
 0xbd214c ReleaseSRWLockExclusive
 0xbd2150 ReleaseSRWLockShared
 0xbd2154 RemoveDirectoryW
 0xbd2158 RtlCaptureContext
 0xbd215c SetCurrentDirectoryW
 0xbd2160 SetEnvironmentVariableW
 0xbd2164 SetEvent
 0xbd2168 SetFileAttributesW
 0xbd216c SetFileInformationByHandle
 0xbd2170 SetFilePointerEx
 0xbd2174 SetFileTime
 0xbd2178 SetHandleInformation
 0xbd217c SetLastError
 0xbd2180 SetThreadStackGuarantee
 0xbd2184 SetUnhandledExceptionFilter
 0xbd2188 Sleep
 0xbd218c SleepConditionVariableSRW
 0xbd2190 SleepEx
 0xbd2194 SwitchToThread
 0xbd2198 TerminateProcess
 0xbd219c TlsAlloc
 0xbd21a0 TlsFree
 0xbd21a4 TlsGetValue
 0xbd21a8 TlsSetValue
 0xbd21ac TryAcquireSRWLockExclusive
 0xbd21b0 UnmapViewOfFile
 0xbd21b4 VirtualProtect
 0xbd21b8 WaitForMultipleObjects
 0xbd21bc WaitForSingleObject
 0xbd21c0 WaitForSingleObjectEx
 0xbd21c4 WakeAllConditionVariable
 0xbd21c8 WakeConditionVariable
 0xbd21cc WriteConsoleW
 0xbd21d0 WriteFileEx
ole32.dll
 0xbd21d8 CoCreateGuid
oleaut32.dll
 0xbd21e0 GetErrorInfo
 0xbd21e4 SetErrorInfo
 0xbd21e8 SysAllocStringLen
 0xbd21ec SysFreeString
 0xbd21f0 SysStringLen
userenv.dll
 0xbd21f8 GetUserProfileDirectoryW
ws2_32.dll
 0xbd2200 WSACleanup
 0xbd2204 WSADuplicateSocketW
 0xbd2208 WSAGetLastError
 0xbd220c WSARecv
 0xbd2210 WSASend
 0xbd2214 WSASocketW
 0xbd2218 WSAStartup
 0xbd221c accept
 0xbd2220 bind
 0xbd2224 closesocket
 0xbd2228 connect
 0xbd222c freeaddrinfo
 0xbd2230 getaddrinfo
 0xbd2234 getpeername
 0xbd2238 getsockname
 0xbd223c getsockopt
 0xbd2240 ioctlsocket
 0xbd2244 listen
 0xbd2248 recv
 0xbd224c recvfrom
 0xbd2250 select
 0xbd2254 send
 0xbd2258 sendto
 0xbd225c setsockopt
 0xbd2260 shutdown
kernel32.dll
 0xbd2268 CreateEventA
 0xbd226c CreateSemaphoreA
 0xbd2270 DeleteCriticalSection
 0xbd2274 EnterCriticalSection
 0xbd2278 GetCurrentThreadId
 0xbd227c GetHandleInformation
 0xbd2280 GetProcessAffinityMask
 0xbd2284 GetThreadContext
 0xbd2288 GetThreadPriority
 0xbd228c GetTickCount
 0xbd2290 InitializeCriticalSection
 0xbd2294 IsDebuggerPresent
 0xbd2298 LeaveCriticalSection
 0xbd229c OutputDebugStringA
 0xbd22a0 RaiseException
 0xbd22a4 ReleaseSemaphore
 0xbd22a8 RemoveVectoredExceptionHandler
 0xbd22ac ResetEvent
 0xbd22b0 ResumeThread
 0xbd22b4 SetProcessAffinityMask
 0xbd22b8 SetThreadContext
 0xbd22bc SetThreadPriority
 0xbd22c0 SuspendThread
 0xbd22c4 TryEnterCriticalSection
 0xbd22c8 UnhandledExceptionFilter
 0xbd22cc VirtualQuery
msvcrt.dll
 0xbd22d4 __dllonexit
 0xbd22d8 __getmainargs
 0xbd22dc __initenv
 0xbd22e0 __lconv_init
 0xbd22e4 __set_app_type
 0xbd22e8 __setusermatherr
 0xbd22ec _acmdln
 0xbd22f0 _amsg_exit
 0xbd22f4 _beginthreadex
 0xbd22f8 _cexit
 0xbd22fc _endthreadex
 0xbd2300 _fmode
 0xbd2304 _fpreset
 0xbd2308 _initterm
 0xbd230c _iob
 0xbd2310 _lock
 0xbd2314 _onexit
 0xbd2318 _setjmp3
 0xbd231c _strdup
 0xbd2320 _ultoa
 0xbd2324 _unlock
 0xbd2328 abort
 0xbd232c calloc
 0xbd2330 exit
 0xbd2334 fprintf
 0xbd2338 free
 0xbd233c fwrite
 0xbd2340 longjmp
 0xbd2344 malloc
 0xbd2348 memcmp
 0xbd234c memcpy
 0xbd2350 memmove
 0xbd2354 memset
 0xbd2358 printf
 0xbd235c realloc
 0xbd2360 signal
 0xbd2364 strlen
 0xbd2368 strncmp
 0xbd236c vfprintf
 0xbd2370 wcslen
kernel32.dll
 0xbd2378 GetSystemTimeAsFileTime
 0xbd237c CreateEventA
 0xbd2380 GetModuleHandleA
 0xbd2384 TerminateProcess
 0xbd2388 GetCurrentProcess
 0xbd238c CreateToolhelp32Snapshot
 0xbd2390 Thread32First
 0xbd2394 GetCurrentProcessId
 0xbd2398 GetCurrentThreadId
 0xbd239c OpenThread
 0xbd23a0 Thread32Next
 0xbd23a4 CloseHandle
 0xbd23a8 SuspendThread
 0xbd23ac ResumeThread
 0xbd23b0 WriteProcessMemory
 0xbd23b4 GetSystemInfo
 0xbd23b8 VirtualAlloc
 0xbd23bc VirtualProtect
 0xbd23c0 VirtualFree
 0xbd23c4 GetProcessAffinityMask
 0xbd23c8 SetProcessAffinityMask
 0xbd23cc GetCurrentThread
 0xbd23d0 SetThreadAffinityMask
 0xbd23d4 Sleep
 0xbd23d8 LoadLibraryA
 0xbd23dc FreeLibrary
 0xbd23e0 GetTickCount
 0xbd23e4 SystemTimeToFileTime
 0xbd23e8 FileTimeToSystemTime
 0xbd23ec GlobalFree
 0xbd23f0 HeapAlloc
 0xbd23f4 HeapFree
 0xbd23f8 GetProcAddress
 0xbd23fc ExitProcess
 0xbd2400 EnterCriticalSection
 0xbd2404 LeaveCriticalSection
 0xbd2408 InitializeCriticalSection
 0xbd240c DeleteCriticalSection
 0xbd2410 MultiByteToWideChar
 0xbd2414 GetModuleHandleW
 0xbd2418 LoadResource
 0xbd241c FindResourceExW
 0xbd2420 FindResourceExA
 0xbd2424 WideCharToMultiByte
 0xbd2428 GetThreadLocale
 0xbd242c GetUserDefaultLCID
 0xbd2430 GetSystemDefaultLCID
 0xbd2434 EnumResourceNamesA
 0xbd2438 EnumResourceNamesW
 0xbd243c EnumResourceLanguagesA
 0xbd2440 EnumResourceLanguagesW
 0xbd2444 EnumResourceTypesA
 0xbd2448 EnumResourceTypesW
 0xbd244c CreateFileW
 0xbd2450 LoadLibraryW
 0xbd2454 GetLastError
 0xbd2458 FlushFileBuffers
 0xbd245c VirtualQuery
 0xbd2460 GetCommandLineA
 0xbd2464 GetCPInfo
 0xbd2468 InterlockedIncrement
 0xbd246c InterlockedDecrement
 0xbd2470 GetACP
 0xbd2474 GetOEMCP
 0xbd2478 IsValidCodePage
 0xbd247c TlsGetValue
 0xbd2480 TlsAlloc
 0xbd2484 TlsSetValue
 0xbd2488 TlsFree
 0xbd248c SetLastError
 0xbd2490 UnhandledExceptionFilter
 0xbd2494 SetUnhandledExceptionFilter
 0xbd2498 IsDebuggerPresent
 0xbd249c RaiseException
 0xbd24a0 LCMapStringA
 0xbd24a4 LCMapStringW
 0xbd24a8 SetHandleCount
 0xbd24ac GetStdHandle
 0xbd24b0 GetFileType
 0xbd24b4 GetStartupInfoA
 0xbd24b8 GetModuleFileNameA
 0xbd24bc FreeEnvironmentStringsA
 0xbd24c0 GetEnvironmentStrings
 0xbd24c4 FreeEnvironmentStringsW
 0xbd24c8 GetEnvironmentStringsW
 0xbd24cc HeapCreate
 0xbd24d0 HeapDestroy
 0xbd24d4 QueryPerformanceCounter
 0xbd24d8 HeapReAlloc
 0xbd24dc GetStringTypeA
 0xbd24e0 GetStringTypeW
 0xbd24e4 GetLocaleInfoA
 0xbd24e8 HeapSize
 0xbd24ec WriteFile
 0xbd24f0 RtlUnwind
 0xbd24f4 SetFilePointer
 0xbd24f8 GetConsoleCP
 0xbd24fc GetConsoleMode
 0xbd2500 InitializeCriticalSectionAndSpinCount
 0xbd2504 SetStdHandle
 0xbd2508 WriteConsoleA
 0xbd250c GetConsoleOutputCP
 0xbd2510 WriteConsoleW
 0xbd2514 CreateFileA
USER32.dll
 0xbd251c CharUpperBuffW

EAT (Export Address Table): none
