popup

Report - nigguy_1.exe

PWS .NET framework RAT Loki_b Generic Malware Antivirus UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check .NET EXE
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.05.28 14:06 Machine s1_win7_x6403
Filename nigguy_1.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
9
 Behavior Score
6.8
ZERO API file : malware
VT API (file) 53 detected (AIDetectMalware, GenericKD, GenericRXTU, Save, malicious, Lazy, Eldorado, Attribute, HighConfidence, high confidence, score, Gencirc, ASYNCRAT, YXDEPZ, high, Tnega, Small, RDSA, Fakealert, 10AFFS0, Detected, R497632, BScope, Nitol, ai score=88, unsafe, Genetic, DcRat, BNER4NzZWDL, Static AI, Suspicious PE, Tiny, confidence, 100%)
md5 25344f4f54ec2afff00c28ca9c2a1818
sha256 ab43a51e3aeeb62be9d7c78800f45557b0131add4a882cf63f6c02e1c4421846
ssdeep 3072:KT4TeHj43Erh/LQo8F7FG0cAKOXN9l4necXq23zppMNPI7CVh:KUaj0SLb07FNvKOXDl4nzpwPI+
imphash a9c887a4f18a3fede2cc29ceea138ed3
impfuzzy 6:HMJqX0umyRwXJxSBS0H5sD4sIWDLb4iPEcn:sJqpRSY58PLPXn
  Network IP location

Signature (18cnts)

Level Description
danger File has been identified by 53 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local email clients
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (14cnts)

Level Name Description Collection
danger PWS_CnC_binary_Zero Communications PWS network binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

msvcrt.dll
 0x424400 malloc
 0x424404 memset
 0x424408 strcmp
 0x42440c strcpy
 0x424410 getenv
 0x424414 sprintf
 0x424418 fopen
 0x42441c fwrite
 0x424420 fclose
 0x424424 __argc
 0x424428 __argv
 0x42442c _environ
 0x424430 _XcptFilter
 0x424434 __set_app_type
 0x424438 _controlfp
 0x42443c __getmainargs
 0x424440 exit
shell32.dll
 0x424448 ShellExecuteA
kernel32.dll
 0x424450 SetUnhandledExceptionFilter

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure