Report - Htilunw.exe

PWS .NET framework RAT UPX OS Processor Check .NET EXE PE32 PE File

ScreenShot

Info
Location map


Created	2023.04.06 08:10	Machine	s1_win7_x6403
Filename	Htilunw.exe
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score	7	Behavior Score	1.2
ZERO API	file : clean
VT API (file)	9 detected (DownLoaderNET, GenKryptik, GIIN, Malicious, moderate, score)
md5	295235562a5d804fad58078b9b014165
sha256	9e6b68e3d8a7190213dce70731fa3414a6701c192dd5709a281dab55c57697a3
ssdeep	49152:RWOV0WqYuBvO9GoNvmvKgq9Npkqt/gAMrVveOVu5zgkvbDsyKnZW9QED/CEhz5a:7GBeeSdtvMrV2kgzbNKnf
imphash	f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy	3:rGsLdAIEK:tf

Network IP location

Signature (3cnts)

Level	Description
notice	File has been identified by 9 AntiVirus engines on VirusTotal as malicious
notice	Performs some HTTP requests
notice	The binary likely contains encrypted or compressed data indicative of a packer

Rules (7cnts)

Level	Name	Description	Collection
watch	UPX_Zero	UPX packed file	binaries (upload)
watch	Win32_Trojan_PWS_Net_1_Zero	Win32 Trojan PWS .NET Azorult	binaries (upload)
info	Is_DotNET_EXE	(no description)	binaries (upload)
info	IsPE32	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	Win_Backdoor_AsyncRAT_Zero	Win Backdoor AsyncRAT	binaries (upload)

Network (5cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt whois		EDGECAST	152.195.38.76		clean
cacerts.digicert.com whois		EDGECAST	152.195.38.76		clean
onedrive.live.com whois		MICROSOFT-CORP-MSN-AS-BLOCK	13.107.42.13		mailcious
13.107.42.13 whois		MICROSOFT-CORP-MSN-AS-BLOCK	13.107.42.13		mailcious
152.195.38.76 whois		EDGECAST	152.195.38.76		clean

Suricata ids

PE API

IAT(Import Address Table) Library

mscoree.dll
0x402000 _CorExeMain

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure