Report - hostdll.exe

Generic Malware UPX Malicious Library PE File PE32
Created 2023.06.08 13:47 Machine s1_win7_x6401
Filename hostdll.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 10
Behavior Score 4.2
ZERO API file : clean
VT API (file) 60 detected (AIDetectMalware, Farfli, malicious, high confidence, Zegost, FarfliRI, S27090835, GenericRXLP, unsafe, Save, confidence, 100%, GenusB, DGCY, LBET, Attribute, HighConfidence, Kryptik, HCAH, score, jmvgmk, BackdoorX, XPACK, Siggen11, R002C0DF623, Outbreak, ai score=82, FK@7jqjxo, Detected, R299466, CLASSIC, GenAsa, gBhknYBDYco, Static AI, Suspicious PE, susgen, ZexaF, xmW@auqvm9i)
md5 d8c387e22a23fcdac8444ff9d43ebef8
sha256 0d58634b6a27b0bf1f79c7a60dbcbc342bf08481cee3f535313c9351b7a8690d
ssdeep 6144:ROyLEbWaR5Cc/8JFmuy4ixRDDDDhlbGYzaQ:cUaWaR5v/6q7RG
imphash 032ac126bef9dc99c70a99a6b91b16f2
impfuzzy 24:mDo2auMiOovuH+fcd37JHd3iv8ERRvNuCeRVXWyM1y3:duM1hH+fclr3WJeRHmy3
Signature (9 counts)

Level Description
danger File has been identified by 60 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice Repeatedly searches for a not-found process
notice Resolves a suspicious Top Level Domain (TLD)
notice Searches running processes potentially to identify processes for sandbox evasion
info Checks amount of memory in system
info The executable uses a known packer

Rules (5 counts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2 counts)

Request CC ASN Co IP4 Rule ZERO
imtieken.top KR UCloud (HK) Holdings Group Limited 152.32.138.112 clean
152.32.138.112 KR UCloud (HK) Holdings Group Limited 152.32.138.112 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x40f000 GetProcAddress
 0x40f004 LoadLibraryA
 0x40f008 VirtualAlloc
 0x40f00c VirtualFree
 0x40f010 FreeLibrary
 0x40f014 RtlUnwind
 0x40f018 RaiseException
 0x40f01c GetModuleHandleA
 0x40f020 GetStartupInfoA
 0x40f024 GetCommandLineA
 0x40f028 GetVersion
 0x40f02c ExitProcess
 0x40f030 InitializeCriticalSection
 0x40f034 DeleteCriticalSection
 0x40f038 EnterCriticalSection
 0x40f03c LeaveCriticalSection
 0x40f040 HeapFree
 0x40f044 GetCurrentThreadId
 0x40f048 TlsSetValue
 0x40f04c TlsAlloc
 0x40f050 SetLastError
 0x40f054 TlsGetValue
 0x40f058 GetLastError
 0x40f05c SetUnhandledExceptionFilter
 0x40f060 TerminateProcess
 0x40f064 GetCurrentProcess
 0x40f068 UnhandledExceptionFilter
 0x40f06c GetModuleFileNameA
 0x40f070 FreeEnvironmentStringsA
 0x40f074 FreeEnvironmentStringsW
 0x40f078 WideCharToMultiByte
 0x40f07c GetEnvironmentStrings
 0x40f080 GetEnvironmentStringsW
 0x40f084 SetHandleCount
 0x40f088 GetStdHandle
 0x40f08c GetFileType
 0x40f090 GetEnvironmentVariableA
 0x40f094 GetVersionExA
 0x40f098 HeapDestroy
 0x40f09c HeapCreate
 0x40f0a0 WriteFile
 0x40f0a4 IsBadWritePtr
 0x40f0a8 IsBadReadPtr
 0x40f0ac HeapValidate
 0x40f0b0 HeapAlloc
 0x40f0b4 HeapReAlloc
 0x40f0b8 DebugBreak
 0x40f0bc InterlockedDecrement
 0x40f0c0 OutputDebugStringA
 0x40f0c4 InterlockedIncrement
 0x40f0c8 IsBadCodePtr
 0x40f0cc GetCPInfo
 0x40f0d0 GetACP
 0x40f0d4 GetOEMCP
 0x40f0d8 MultiByteToWideChar
 0x40f0dc LCMapStringA
 0x40f0e0 LCMapStringW
 0x40f0e4 GetStringTypeA
 0x40f0e8 GetStringTypeW
 0x40f0ec SetFilePointer
 0x40f0f0 SetStdHandle
 0x40f0f4 FlushFileBuffers
 0x40f0f8 CloseHandle

EAT (Export Address Table): none