popup

Report - 2023.exe.exe

UPX Malicious Library Malicious Packer OS Processor Check PE32 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.03.28 08:35 Machine s1_win7_x6401
Filename 2023.exe.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
4
 Behavior Score
6.4
ZERO API file : clean
VT API (file) 46 detected (Convagent, Jaik, Vnzc, TitanStealer, malicious, confidence, 100%, ABRisk, FLVX, Attribute, HighConfidence, high confidence, a variant of WinGo, score, Aurora, Coins, affj, CLASSIC, AURORASTEALER, YXDC1Z, Static AI, Suspicious PE, XPACK, ai score=81, Casdet, Detected, Artemis, BScope, Nacra, Qgil, susgen, GoAgent, Chgt)
md5 027a60b4337dd0847d0414aa8719ffec
sha256 3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168
ssdeep 49152:ZRxujKxS2EuSIYkgSc71bdf5k6N21D5MwICiaiSLE6k1/lRr:ZRM282P2jScBbS2lRr
imphash 9cbefe68f395e67356e2a5d8d1b285c0
impfuzzy 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP
  Network IP location

Signature (15cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
watch Collects information on the system (ipconfig
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Executes one or more WMI queries
notice Executes one or more WMI queries which can be used to identify virtual machines
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (6cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
212.87.204.93
whois
Unknown 212.87.204.93 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x6bc260 WriteFile
 0x6bc264 WriteConsoleW
 0x6bc268 WaitForMultipleObjects
 0x6bc26c WaitForSingleObject
 0x6bc270 VirtualQuery
 0x6bc274 VirtualFree
 0x6bc278 VirtualAlloc
 0x6bc27c SwitchToThread
 0x6bc280 SuspendThread
 0x6bc284 SetWaitableTimer
 0x6bc288 SetUnhandledExceptionFilter
 0x6bc28c SetProcessPriorityBoost
 0x6bc290 SetEvent
 0x6bc294 SetErrorMode
 0x6bc298 SetConsoleCtrlHandler
 0x6bc29c ResumeThread
 0x6bc2a0 PostQueuedCompletionStatus
 0x6bc2a4 LoadLibraryA
 0x6bc2a8 LoadLibraryW
 0x6bc2ac SetThreadContext
 0x6bc2b0 GetThreadContext
 0x6bc2b4 GetSystemInfo
 0x6bc2b8 GetSystemDirectoryA
 0x6bc2bc GetStdHandle
 0x6bc2c0 GetQueuedCompletionStatusEx
 0x6bc2c4 GetProcessAffinityMask
 0x6bc2c8 GetProcAddress
 0x6bc2cc GetEnvironmentStringsW
 0x6bc2d0 GetConsoleMode
 0x6bc2d4 FreeEnvironmentStringsW
 0x6bc2d8 ExitProcess
 0x6bc2dc DuplicateHandle
 0x6bc2e0 CreateWaitableTimerExW
 0x6bc2e4 CreateThread
 0x6bc2e8 CreateIoCompletionPort
 0x6bc2ec CreateFileA
 0x6bc2f0 CreateEventA
 0x6bc2f4 CloseHandle
 0x6bc2f8 AddVectoredExceptionHandler

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure