Report - mn.php

UPX Malicious Library OS Processor Check DLL PE64 PE File
Created: 2023.05.20 16:21   Machine: s1_win7_x6403
Filename: mn.php
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
AI Score: 4
Behavior Score: 3.8
ZERO API file: clean
VT API (file)
md5 8444b7011547a0b4bdc18437aa9d6e83
sha256 5fe729f544cc86f4f5ccf5dae66af895a29bcae90e081589b318c3d62ab5b56a
ssdeep 24576:+f1mNgvhcTL+puoCTrQwYKUkzGE0MbyvDPZGz7VlWnJ0iKS0tMNiG:dQS+WvVUxle5G
imphash 47e01530ad43ec939d1c47709a80a5c6
impfuzzy 12:3JtXZI+3ncfh++yLfv680qXJXPXJwdzrJEnDx9A41mLRBRZqRq0ZGNsfbZHur:Zt6Scirv680qteJEnDx95uc5oObZHur

Signatures (8 counts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computer name
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (6 counts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6 counts)

Request CC ASN IP4 ZERO
34.254.140.99 IE AMAZON-02 34.254.140.99 clean
214.43.249.250 US DNIC-ASBLK-01534-01546 214.43.249.250 clean
2.228.251.38 IT Fastweb 2.228.251.38 clean
57.182.80.190 Unknown 57.182.80.190 clean
92.119.178.40 SG M247 Ltd 92.119.178.40 clean
62.4.213.138 BE Proximus NV 62.4.213.138 clean

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x180025000 GetProcessHeap
 0x180025008 CreateFileA
 0x180025010 CloseHandle
 0x180025018 GetLastError
 0x180025020 HeapWalk
 0x180025028 CreateFiber
 0x180025030 SwitchToFiber
 0x180025038 CreateActCtxA
 0x180025040 ActivateActCtx
 0x180025048 DeactivateActCtx
 0x180025050 OpenThread
 0x180025058 GetFileAttributesA
 0x180025060 FindFirstFileA
 0x180025068 FindNextFileA
 0x180025070 GetModuleFileNameA
 0x180025078 GetModuleHandleA
 0x180025080 GetCurrentProcessId
 0x180025088 GetFileInformationByHandle
 0x180025090 CreateFileMappingA
 0x180025098 VirtualAlloc
 0x1800250a0 RaiseException
 0x1800250a8 RtlCaptureContext
 0x1800250b0 RtlLookupFunctionEntry
 0x1800250b8 RtlVirtualUnwind
 0x1800250c0 IsDebuggerPresent
 0x1800250c8 UnhandledExceptionFilter
 0x1800250d0 SetUnhandledExceptionFilter
 0x1800250d8 GetCurrentProcess
 0x1800250e0 TerminateProcess
 0x1800250e8 IsProcessorFeaturePresent
 0x1800250f0 SetLastError
 0x1800250f8 HeapAlloc
 0x180025100 HeapFree
 0x180025108 GetModuleHandleW
 0x180025110 GetProcAddress
 0x180025118 TlsGetValue
 0x180025120 TlsSetValue
 0x180025128 FreeLibrary
 0x180025130 LoadLibraryExW
 0x180025138 CompareStringW
 0x180025140 LCMapStringW
 0x180025148 EnterCriticalSection
 0x180025150 LeaveCriticalSection
 0x180025158 IsValidCodePage
 0x180025160 GetACP
 0x180025168 GetOEMCP
 0x180025170 GetCPInfo
 0x180025178 ExitProcess
 0x180025180 GetModuleHandleExW
 0x180025188 GetStringTypeW
 0x180025190 MultiByteToWideChar
 0x180025198 WideCharToMultiByte
 0x1800251a0 HeapSize
 0x1800251a8 HeapReAlloc
 0x1800251b0 RtlUnwindEx
 0x1800251b8 GetEnvironmentStringsW
 0x1800251c0 FreeEnvironmentStringsW
 0x1800251c8 SetEnvironmentVariableA

EAT (Export Address Table) Library

0x1800243e0 JDuCS622tuL6
0x180021bc0 MkcDIl34k3Si
0x180008260 PcYge9j
0x1800204c0 eOXScagadNKe