Report - NODD.exe

UPX Malicious Packer Antivirus Malicious Library PE32 PE File OS Processor Check PE64
Created 2023.04.22 08:45 Machine s1_win7_x6401
Filename NODD.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
Behavior Score
5.4
ZERO API file : malware
VT API (file) 55 detected (AIDetect, malware1, Bjlog, lzuS, malicious, high confidence, Graftor, Risktool, Flystudio, Artemis, unsafe, Hupigon, Siscos, Vhvh, confidence, ZexaF, smGda8pHmam, Eldorado, Attribute, HighConfidence, score, aceq, TrjGen, jvhiil, TrojanX, Mqil, AGEN, high, Generic Reputation PUA, Static AI, Malicious PE, Pack, Popwin, ~IQ@ogvrk, Tiggre, Detected, ai score=84, Chgt, R002H0CDJ23, MalCert, CLOUD, NSPack)
md5 95c5281f68d37a162fcd1b679fdaff5e
sha256 747618a8c380249ee66e65ece0c48cc71d19cfeaa2bf7850a93b80f980556d60
ssdeep 6144:R9GfgEwSdJ4P3ZBeNIX8ikIEjFoEiWnIGhOG517kR4n7i/XpQZyKHvw22yEc:RQ4+d6PJBqIIZlnIXIAWSXCyKHY22rc
imphash 1619c2fb0abae4a066cd55f93e5cd107
impfuzzy 12:VA/DzqYOZsdF0KjKJZqX+mOqRnzdxHIT3VIE:V0DBasdF3K3sXZ7HumE

Signature (13cnts)

Level Description
danger File has been identified by 55 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process nodd.exe
notice Creates a service
notice Creates executable files on the filesystem
notice Expresses interest in specific running processes
notice Repeatedly searches for a not-found process
notice Resolves a suspicious Top Level Domain (TLD)
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (10cnts)

Level Name Description Collection
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
http://211.101.237.65:5566/server.exe Unknown 211.101.237.65 malware
www.jz3366.top Unknown 211.101.237.65 malicious
211.101.237.65 Unknown 211.101.237.65 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x4de09c LoadLibraryA
 0x4de0a0 GetProcAddress
 0x4de0a4 VirtualProtect
 0x4de0a8 VirtualAlloc
 0x4de0ac VirtualFree
 0x4de0b0 ExitProcess
RASAPI32.DLL
 0x4de0b8 RasHangUpA
USER32.DLL
 0x4de0c0 GetCursorPos
GDI32.DLL
 0x4de0c8 GetSystemPaletteEntries
WINMM.DLL
 0x4de0d0 waveOutUnprepareHeader
WINSPOOL.DRV
 0x4de0d8 ClosePrinter
ADVAPI32.DLL
 0x4de0e0 RegCreateKeyExA
SHELL32.DLL
 0x4de0e8 ShellExecuteA
OLE32.DLL
 0x4de0f0 CLSIDFromString
OLEAUT32.DLL
 0x4de0f8 UnRegisterTypeLib
COMCTL32.DLL
 0x4de100 None
WS2_32.DLL
 0x4de108 closesocket
WININET.DLL
 0x4de110 HttpQueryInfoA
COMDLG32.DLL
 0x4de118 ChooseColorA

EAT(Export Address Table) is none