Report - Acx_w01.exe

Tags: Emotet, Generic Malware, Malicious Library, Malicious Packer, Antivirus, PE64, PE File, DLL
Created 2023.04.16 16:21
Machine s1_win7_x6401
Filename Acx_w01.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 2
Behavior Score 10.8
ZERO API (file): malware
VT API (file) 29 detected (GenericKD, Artemis, unsafe, Vd95, grayware, confidence, a variant of Generik, MDFZPMG, Malicious, TrojanX, AGEN, Siggen20, Sabsik, Phonzy, Detected, ai score=88, PossibleThreat)
md5 9b329956bf938c36fe12b1524eff3be0
sha256 e188218c37cc8a570fbcdc84e9ac9116c3a8a958c945dbf7fdecdde78ae43480
ssdeep 24576:mkAgHyFfkacLnDDqWXeI4XI29huCbK4Nkk7tGlU0nDSnIbNk8aq1UZxKwiP2w9+n:dyFfCDDDLe9fFbntGlwsrr+7Lw2yjUlT
imphash e185c011f6fe26e5b7589294dce332b4
impfuzzy 24:d6WDLbiOZjdc8BRbO3pOov7UtQzg1FQ8Ryv9WdJ9ZXfLplN2Qwr:cOHc8TqcYUtBQ9sXfF7Rw

Signature (25cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services usually stay up)
warning File has been identified by 29 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Created a service that was never started
watch Drops a binary and executes it
watch Installs itself for autorun at Windows startup
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Starts servers listening
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (11cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
info IsDLL (no description) binaries (download)
info IsPE64 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts)

Request CC ASN-Co IP4 Rule ZERO
http://140.99.221.199/w01 US REMOTE-SUB-SERVICES-01 140.99.221.199 clean
140.99.221.199 US REMOTE-SUB-SERVICES-01 140.99.221.199 malware
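The two network rows above, together with the "Communicates with host for which no DNS query was performed" and "HTTP traffic contains suspicious features" signatures, describe the same thing: the sample fetched http://140.99.221.199/w01 by raw IP, with no name resolution first. The script below is an added example (not the sandbox's own signature code) that re-implements that check over two constructed, Zeek-style tab-separated logs; only the 140.99.221.199 address and the /w01 path come from the report, every other address, name and timestamp is invented for the example.

```python
"""Flag outbound HTTP to public servers that were never resolved via DNS.

Added example for this report; not the sandbox's signature implementation.
Logs are constructed for the example: a dns log (ts, client, query, answer)
and an http log (ts, client, server ip, Host header, uri). The only values
taken from the report are 140.99.221.199 and /w01.
"""
import ipaddress

# Constructed dns log: one A-record answer per line.
DNS_LOG = """\
1681654860.1\t10.0.2.15\texample.com\t93.184.216.34
1681654861.4\t10.0.2.15\tupdate.example.net\t203.0.113.7
"""

# Constructed http log. The second line mirrors the report's request.
HTTP_LOG = """\
1681654862.0\t10.0.2.15\t93.184.216.34\texample.com\t/
1681654870.5\t10.0.2.15\t140.99.221.199\t140.99.221.199\t/w01
1681654871.0\t10.0.2.15\t10.0.2.2\t10.0.2.2\t/proxy.pac
"""


def resolved_ips(dns_log):
    """Map answer IP -> earliest timestamp at which a DNS answer gave it."""
    seen = {}
    for line in dns_log.splitlines():
        ts, _client, _query, answer = line.split("\t")
        ts = float(ts)
        seen[answer] = min(ts, seen.get(answer, ts))
    return seen


def find_unresolved_http(dns_log, http_log):
    """Return (server_ip, url, reasons) for public servers with no prior DNS answer.

    Private and loopback targets are skipped: a sandbox gateway or a local
    proxy is legitimately reached by address. A Host header that is itself a
    bare IP is added as a second reason, because real services are almost
    always addressed by name.
    """
    answers = resolved_ips(dns_log)
    hits = []
    for line in http_log.splitlines():
        ts, _client, server, host, uri = line.split("\t")
        addr = ipaddress.ip_address(server)
        if addr.is_private or addr.is_loopback:
            continue
        # A DNS answer only explains the connection if it came first.
        if server in answers and answers[server] <= float(ts):
            continue
        reasons = ["no prior DNS answer for server"]
        try:
            ipaddress.ip_address(host)
            reasons.append("Host header is a bare IP")
        except ValueError:
            pass
        hits.append((server, f"http://{host}{uri}", reasons))
    return hits


if __name__ == "__main__":
    for server, url, reasons in find_unresolved_http(DNS_LOG, HTTP_LOG):
        print(server, url, "; ".join(reasons))
```

Only the 140.99.221.199 request is reported: example.com was resolved before it was contacted, and 10.0.2.2 is a private address. Both reasons fire on the /w01 request, which is the combination the report's network rows show.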

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x140010000 GetLastError
 0x140010008 CreateFileW
 0x140010010 CloseHandle
 0x140010018 ReadFile
 0x140010020 WriteFile
 0x140010028 SetFilePointer
 0x140010030 GetProcAddress
 0x140010038 GetModuleHandleW
 0x140010040 GetVersionExW
 0x140010048 LoadLibraryExW
 0x140010050 lstrcatW
 0x140010058 lstrlenW
 0x140010060 GetSystemDirectoryW
 0x140010068 CreateDirectoryW
 0x140010070 FindClose
 0x140010078 FindFirstFileW
 0x140010080 RemoveDirectoryW
 0x140010088 FindNextFileW
 0x140010090 DeleteFileW
 0x140010098 SetFileAttributesW
 0x1400100a0 GetExitCodeProcess
 0x1400100a8 WaitForSingleObject
 0x1400100b0 CreateProcessW
 0x1400100b8 SetCurrentDirectoryW
 0x1400100c0 GetCurrentDirectoryW
 0x1400100c8 SetFileTime
 0x1400100d0 GetCurrentProcessId
 0x1400100d8 GetTickCount
 0x1400100e0 GetCurrentThreadId
 0x1400100e8 GetTempPathW
 0x1400100f0 GetCommandLineW
 0x1400100f8 GetModuleFileNameW
 0x140010100 HeapAlloc
 0x140010108 HeapFree
 0x140010110 GetCommandLineA
 0x140010118 GetStartupInfoA
 0x140010120 Sleep
 0x140010128 ExitProcess
 0x140010130 GetStdHandle
 0x140010138 GetModuleFileNameA
 0x140010140 HeapSetInformation
 0x140010148 HeapCreate
 0x140010150 TerminateProcess
 0x140010158 GetCurrentProcess
 0x140010160 UnhandledExceptionFilter
 0x140010168 SetUnhandledExceptionFilter
 0x140010170 IsDebuggerPresent
 0x140010178 RtlVirtualUnwind
 0x140010180 RtlLookupFunctionEntry
 0x140010188 RtlCaptureContext
 0x140010190 RtlUnwindEx
 0x140010198 FreeEnvironmentStringsA
 0x1400101a0 GetEnvironmentStrings
 0x1400101a8 FreeEnvironmentStringsW
 0x1400101b0 WideCharToMultiByte
 0x1400101b8 GetEnvironmentStringsW
 0x1400101c0 SetHandleCount
 0x1400101c8 GetFileType
 0x1400101d0 DeleteCriticalSection
 0x1400101d8 EncodePointer
 0x1400101e0 DecodePointer
 0x1400101e8 FlsGetValue
 0x1400101f0 FlsSetValue
 0x1400101f8 FlsFree
 0x140010200 SetLastError
 0x140010208 FlsAlloc
 0x140010210 QueryPerformanceCounter
 0x140010218 GetSystemTimeAsFileTime
 0x140010220 LeaveCriticalSection
 0x140010228 EnterCriticalSection
 0x140010230 LoadLibraryA
 0x140010238 InitializeCriticalSectionAndSpinCount
 0x140010240 GetCPInfo
 0x140010248 GetACP
 0x140010250 GetOEMCP
 0x140010258 IsValidCodePage
 0x140010260 HeapSize
 0x140010268 GetLocaleInfoA
 0x140010270 LCMapStringA
 0x140010278 MultiByteToWideChar
 0x140010280 LCMapStringW
 0x140010288 GetStringTypeA
 0x140010290 GetStringTypeW
 0x140010298 HeapReAlloc
USER32.dll
 0x1400102b8 MessageBoxA
SHELL32.dll
 0x1400102a8 ShellExecuteExW

EAT (Export Address Table): none
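The import table above can be read against the behavioural signatures: CreateFileW/WriteFile plus CreateProcessW and ShellExecuteExW fit "Drops a binary and executes it", SetFileAttributesW fits "Creates hidden or system file", and IsDebuggerPresent fits "Checks if process is being debugged". One caveat a reviewer should keep in mind: the Fls*, Heap*, GetStringType*, LCMapString* and IsDebuggerPresent imports are standard MSVC CRT start-up code, so on their own they say little. The script below is an added example (not part of the sandbox output) that parses the listing format used on this page and groups imports by capability; the category names and the API-to-category table are this example's own choices, not a standard, and the embedded listing is an excerpt copied from the IAT section above. It also includes the pefile-style import-hash formula; that value matches the report's imphash only when fed the complete import directory in its on-disk order, which the excerpt is not.

```python
"""Group a PE import listing by implied capability, for triage.

Added example for this report, not sandbox code. parse_iat() reads the
page's listing format ("LIB.dll" lines followed by " 0xADDR Name" lines).
CAPABILITIES is this example's own mapping. IAT_EXCERPT is copied from the
report's IAT section but is only a subset of it.
"""
import hashlib
import re

IAT_EXCERPT = """\
KERNEL32.dll
 0x140010008 CreateFileW
 0x140010020 WriteFile
 0x140010030 GetProcAddress
 0x140010048 LoadLibraryExW
 0x140010090 DeleteFileW
 0x140010098 SetFileAttributesW
 0x1400100b0 CreateProcessW
 0x1400100e8 GetTempPathW
 0x140010170 IsDebuggerPresent
USER32.dll
 0x1400102b8 MessageBoxA
SHELL32.dll
 0x1400102a8 ShellExecuteExW
"""

# Example's own mapping of APIs to the behaviour they usually indicate.
CAPABILITIES = {
    "write-file":      {"CreateFileW", "WriteFile", "GetTempPathW"},
    "execute-process": {"CreateProcessW", "ShellExecuteExW"},
    "hide-or-remove":  {"SetFileAttributesW", "DeleteFileW", "RemoveDirectoryW"},
    "dynamic-resolve": {"GetProcAddress", "LoadLibraryExW", "LoadLibraryA"},
    "anti-debug":      {"IsDebuggerPresent"},  # also imported by the MSVC CRT
}


def parse_iat(text):
    """Return [(dll, function)] in listing order."""
    entries, dll = [], None
    for line in text.splitlines():
        m = re.match(r"\s+0x[0-9a-fA-F]+\s+(\S+)$", line)
        if m and dll:
            entries.append((dll, m.group(1)))
        elif line.strip():
            dll = line.strip()
    return entries


def capabilities(entries):
    """Map capability -> sorted list of matching imports; empty ones dropped."""
    names = {fn for _, fn in entries}
    found = {}
    for cap, apis in CAPABILITIES.items():
        hit = sorted(names & apis)
        if hit:
            found[cap] = hit
    return found


def imphash(entries):
    """pefile-style import hash: md5 over "dll.func" pairs, lowercased,
    with .dll/.ocx/.sys stripped, comma-joined in import-directory order.
    Matches the report's value only for the complete, correctly ordered table."""
    parts = []
    for dll, fn in entries:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
        parts.append(f"{base}.{fn.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    ents = parse_iat(IAT_EXCERPT)
    for cap, apis in capabilities(ents).items():
        print(f"{cap:16s} {', '.join(apis)}")
    print("imphash (excerpt only):", imphash(ents))
```

Run against the full listing from the page, the same parser gives every category a hit, and the CRT-noise imports show up as uncategorised, which is the point: the drop-and-execute and hide-file groups are what corroborate the sandbox's findings, not the presence of IsDebuggerPresent alone.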


