popup

Report - 0002.exe

Malicious Library AntiDebug AntiVM PE32 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.04.04 17:13 Machine s1_win7_x6403
Filename 0002.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
9
 Behavior Score
7.8
ZERO API file : malware
VT API (file) 55 detected (Magania, Farfli, DeepScan, KillMBR, Artemis, unsafe, An34, Zegost, malicious, confidence, 100%, ZexaF, mzxaaWwAKpab, Genus, Eldorado, Attribute, HighConfidence, high confidence, a variant of Generik, NVMRNID, score, BackdoorX, Gencirc, XPACK, Gen2, R002C0DCU23, high, Pack, Popwin, ~IQ@ogvrk, GameThief, Detected, BScope, ai score=82, GhostRat, Genetic, Gh0st, CLOUD, Static AI, Suspicious PE, susgen, Behavior)
md5 245ef358e384f40caf1c178b4825f029
sha256 9a5e9c343569f8b246585d9ebdb19a62e83116e988454ff74e9d6f18d182bc1c
ssdeep 24576:tIDoTqctaY5effnW8RDsXOvvYG1OArRYfPQcmzeznyG0B:tyoTpE/WwDIGOAYf2KyrB
imphash 73ec795c6c369c6ce2c3b4c3f6477daa
impfuzzy 12:oAR0DaGsfGhqRJRke2V4TKLRmLF+Sg/m4T:B0DaLft2V4T/+Sg/1T
  Network IP location

Signature (17cnts)

Level Description
danger File has been identified by 55 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
watch Installs itself for autorun at Windows startup
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a service
notice Creates a suspicious process
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (15cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
192.253.237.20
whois
US BGPNET Global ASN 192.253.237.20 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x605000 lstrcatA
 0x605004 InitializeCriticalSection
 0x605008 GetProcAddress
 0x60500c LocalFree
 0x605010 RaiseException
 0x605014 LocalAlloc
 0x605018 GetModuleHandleA
 0x60501c LeaveCriticalSection
 0x605020 EnterCriticalSection
 0x605024 DuplicateHandle
 0x605028 GetShortPathNameA
 0x60502c ResumeThread
 0x605030 WriteProcessMemory
 0x605034 GetPrivateProfileSectionA
 0x605038 GetStringTypeA
 0x60503c LCMapStringW
 0x605040 LCMapStringA
 0x605044 RtlUnwind
 0x605048 WideCharToMultiByte
 0x60504c MultiByteToWideChar
 0x605050 GetStringTypeW
USER32.dll
 0x605058 DefWindowProcA
 0x60505c AdjustWindowRectEx

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure