Report - B.exe

Tags: UPX, Malicious Packer, Antivirus, Malicious Library, PE32, PE File, OS Processor Check, PE64
Created: 2023.04.22 09:03
Machine: s1_win7_x6401
Filename: B.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 8
Behavior Score: 7.4
ZERO API (file): malware
VT API (file): 55 detected (AIDetect, malware1, Bjlog, lzuS, Graftor, Artemis, unsafe, Hupigon, FlyStudio, Vaou, malicious, confidence, ZexaF, rmGdayXyRTi, Eldorado, Attribute, HighConfidence, high confidence, score, Siscos, acer, jvoaam, TrojanX, Mcnw, AGEN, high, Static AI, Malicious PE, StartPage, ai score=82, Pack, Popwin, ~IQ@ogvrk, Tiggre, Detected, R002H0CDJ23, CLOUD, NSPack)
md5: 665d90fc3264e6f0b3a2b2e4fc715caf
sha256: cd96e18da320ba4ac313d3a189776d7defbea7098cf53156b1e4b680eb9e4c68
ssdeep: 6144:Ipb0nofW70cc6rX8aZAG7p4q5LmSVNR/XnzBvqi3TFRL9QolQ:Ipb/fk5iGVbgshDBvqijFvRlQ
imphash: 1619c2fb0abae4a066cd55f93e5cd107
impfuzzy: 12:VA/DzqYOZsdF0KjKJZqX+mOqRnzdxHIT3VIE:V0DBasdF3K3sXZ7HumE

Signatures (16 counts)

Level | Description
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious
warning | Stops Windows services
watch | Installs itself for autorun at Windows startup
watch | Network communications indicative of possible code injection originated from the process smss.exe
notice | Allocates read-write-execute memory (usually to unpack itself)
notice | An executable file was downloaded by the process b.exe
notice | Creates a service
notice | Creates executable files on the filesystem
notice | Drops an executable to the user AppData folder
notice | Expresses interest in specific running processes
notice | Repeatedly searches for a not-found process
notice | Searches running processes potentially to identify processes for sandbox evasion
notice | The binary likely contains encrypted or compressed data indicative of a packer
info | Checks amount of memory in system
info | The executable contains unknown PE section names indicative of a packer (could be a false positive)
info | The executable uses a known packer

Rules (10 counts)

Level | Name | Description | Collection
watch | Antivirus | Contains references to security software | binaries (download)
watch | Malicious_Library_Zero | Malicious_Library | binaries (download)
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download)
watch | UPX_Zero | UPX packed file | binaries (download)
info | IsPE32 | (no description) | binaries (download)
info | IsPE32 | (no description) | binaries (upload)
info | IsPE64 | (no description) | binaries (download)
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download)
info | PE_Header_Zero | PE File Signature | binaries (download)
info | PE_Header_Zero | PE File Signature | binaries (upload)

Network (4 counts)

Request CC ASN Co IP4 Rule ZERO
http://211.101.237.65:5566/server.exe Unknown 211.101.237.65 malware
http://211.101.237.65:5566/NODD.exe Unknown 211.101.237.65 malware
www.jz3366.top Unknown 211.101.237.65 malicious
211.101.237.65 Unknown 211.101.237.65 malware

Suricata ids

PE API

IAT (Import Address Table), by library

KERNEL32.DLL
 0x4d409c LoadLibraryA
 0x4d40a0 GetProcAddress
 0x4d40a4 VirtualProtect
 0x4d40a8 VirtualAlloc
 0x4d40ac VirtualFree
 0x4d40b0 ExitProcess
RASAPI32.DLL
 0x4d40b8 RasHangUpA
USER32.DLL
 0x4d40c0 GetCursorPos
GDI32.DLL
 0x4d40c8 GetSystemPaletteEntries
WINMM.DLL
 0x4d40d0 waveOutUnprepareHeader
WINSPOOL.DRV
 0x4d40d8 ClosePrinter
ADVAPI32.DLL
 0x4d40e0 RegCreateKeyExA
SHELL32.DLL
 0x4d40e8 ShellExecuteA
OLE32.DLL
 0x4d40f0 CLSIDFromString
OLEAUT32.DLL
 0x4d40f8 UnRegisterTypeLib
COMCTL32.DLL
 0x4d4100 None
WS2_32.DLL
 0x4d4108 closesocket
WININET.DLL
 0x4d4110 HttpQueryInfoA
COMDLG32.DLL
 0x4d4118 ChooseColorA

EAT (Export Address Table): none
