popup

Report - the_what.exe

PWS .NET framework RAT PhysicalDrive Generic Malware UPX Malicious Library Malicious Packer .NET EXE PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.05.24 10:47 Machine s1_win7_x6403
Filename the_what.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score Not founds Behavior Score
3.4
ZERO API file : malware
VT API (file) 42 detected (Lazy, Save, BadJoke, malicious, Attribute, HighConfidence, moderate confidence, score, Agen, Bgow, Tool, Artemis, Generic ML PUA, Static AI, Suspicious PE, ai score=89, Wacatac, Detected, unsafe, R002H0CD423, CLOUD, susgen, PossibleThreat, confidence)
md5 914d34ecdfa0ef6430ca4809e7a8c10c
sha256 fe79fb788f0fc6c4752f7bab66a52d8a4a1d15aa3821a919b9af6ba2c03aa5ae
ssdeep 196608:WqIr4FXznyIwrgF9SrrHwybB28XiJtROJHgBtD22fgwAPIUh4vr2c1FFr2D51p:pIr4hOIwrgF9SrDwyAC2sMtfM4vrC5X
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (8cnts)

Level Description
danger File has been identified by 42 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername
info This executable has a PDB path

Rules (10cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
warning PhysicalDrive_20181001 (no description) binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (upload)
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
77.91.124.20
whois
RU Foton Telecom CJSC 77.91.124.20 malware

Suricata ids

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure