popup

Report - wininit.exe

Malicious Library PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.08 17:43 Machine s1_win7_x6403
Filename wininit.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
8
 Behavior Score
3.6
ZERO API file : malware
VT API (file) 47 detected (AIDetectMalware, malicious, high confidence, Razy, GenericRXVJ, Formbook, V8zk, Eldorado, Attribute, HighConfidence, PWSX, Unkl, ZPACK, Packed2, score, GrayWare, X2184, General, ai score=88, unsafe, Digitala, 4bkQNC3KfED, Static AI, Malicious PE, susgen, confidence, 100%)
md5 4c46bfbd4f6224963065eede69e80f7d
sha256 9f649df261b4acb42fd9bef068c1ec6dab2728b4cc351f10abe779776c57903b
ssdeep 3072:KM0EfxEL+nQslvNqn93DqLaPazjL3q2BiwX1fCtPzSJ/wzKJuwmT6yO:K1L+nzA9TqLw4jLfidPzlzKJo6
imphash
impfuzzy 3::
  Network IP location

Signature (7cnts)

Level Description
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (3cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (34cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.seseapk.com/hqny/
whois
US DXTL Tseung Kwan O Service 156.237.242.36 clean
http://www.gardinalplace.life/hqny/
whois
US COGECO-PEER1 162.254.37.64 clean
http://www.montanasapphires.online/hqny/?m40HnJIf=n1CdPpzxYwqEjsG0Qgxc3fK1e+R7zylx10dE7UARUo2qmYQZkuFozCTNAjLX4OweHcopEvO11zC7KH5OIbyIbW6BPXRJsCk2YfaTf38=&k-I=dHgK57WfpMAIaF9c
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.27 clean
http://www.luxeconcept.net/hqny/
whois
CA TUCOWS 216.40.34.41 clean
http://www.luxeconcept.net/hqny/?m40HnJIf=Hsr+FS3aUC3v5cYG2kJwTz2Fiv05Ac/D2GVn4rP2+cnf/CEwXrKsow638/CQaZGhQs+ww4P4gMYs+x3Lc8BNJT7QU85Ww4GHlJMw20s=&k-I=dHgK57WfpMAIaF9c
whois
CA TUCOWS 216.40.34.41 clean
http://www.montanasapphires.online/hqny/
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.27 clean
http://www.seseapk.com/hqny/?m40HnJIf=mJH9W27z8cbsc7vpY+E6DLxpKObOQHn2HvWQb9G1AeaU7CpO/W7NVY91S6OxE3LAXZsPh7Ioc7rkgvN9xJr9EVPP8ghUoovlGQYiqlI=&k-I=dHgK57WfpMAIaF9c
whois
US DXTL Tseung Kwan O Service 156.237.242.36 clean
http://www.uchbfm.cfd/hqny/
whois
US Alibaba (US) Technology Co., Ltd. 47.57.240.200 clean
http://www.69573.xyz/hqny/
whois
HK DXTL Tseung Kwan O Service 122.10.50.92 clean
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.uchbfm.cfd/hqny/?m40HnJIf=m+ybVjvh7agWR9kwIW90wxm7xw0mVpAKZ7IrFeQzPIYANX32/SKYYL1eEsf44L+W0nPEXXXW2Q2sM9/iZhRVCXL5a7JofqeU46QhEqQ=&k-I=dHgK57WfpMAIaF9c
whois
US Alibaba (US) Technology Co., Ltd. 47.57.240.200 clean
http://www.69573.xyz/hqny/?m40HnJIf=LuFWF9Ua84RDJQoWRjdHaxOOJGr2k3CF/TnoVcaYxo8S6F7pRCZMbcZzZdCEfatU6D3gOhGC0lLUMqABcFj4if2qqDICpO2nO8eNe9I=&k-I=dHgK57WfpMAIaF9c
whois
HK DXTL Tseung Kwan O Service 122.10.50.92 clean
http://www.gardinalplace.life/hqny/?m40HnJIf=dCEp+0m3P0JUSbGijBo/RSr8kaN/Z3sSlC8vhR/5CqloiAn9JexI0t5iKqyAv6gMC40bfRj5WBEr7LlDi1AuUeAMNiBwlcnzOqfFvew=&k-I=dHgK57WfpMAIaF9c
whois
US COGECO-PEER1 162.254.37.64 clean
http://www.kakekgirang5.shop/hqny/
whois
US HAWKHOST 198.252.98.107 clean
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.kakekgirang5.shop/hqny/?m40HnJIf=CXlbuvDGPZkDZuVIC7pN9bWZtfAlmQpQeGiqx6WAcwFRIivK0QTPVQRfBJCVm9sX5H1lJ3DwQtgXkv6CkHLTc1MyWUNY9q0X0o/sl2U=&k-I=dHgK57WfpMAIaF9c
whois
US HAWKHOST 198.252.98.107 clean
www.uchbfm.cfd
whois
US Alibaba (US) Technology Co., Ltd. 47.57.240.200 clean
www.luxeconcept.net
whois
CA TUCOWS 216.40.34.41 clean
www.montanasapphires.online
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.27 clean
www.kakekgirang5.shop
whois
US HAWKHOST 198.252.98.107 clean
www.rosifariasestetica.online
whois
Unknown clean
www.new-balkon-otdelka.site
whois
Unknown clean
www.gardinalplace.life
whois
US COGECO-PEER1 162.254.37.64 clean
www.winchespullers.store
whois
Unknown clean
www.seseapk.com
whois
US DXTL Tseung Kwan O Service 156.237.242.36 clean
www.69573.xyz
whois
HK DXTL Tseung Kwan O Service 122.10.50.92 clean
162.254.37.64
whois
US COGECO-PEER1 162.254.37.64 clean
208.91.197.27
whois
VG CONFLUENCE-NETWORK-INC 208.91.197.27 mailcious
216.40.34.41
whois
CA TUCOWS 216.40.34.41 mailcious
122.10.50.92
whois
HK DXTL Tseung Kwan O Service 122.10.50.92 clean
156.237.242.36
whois
US DXTL Tseung Kwan O Service 156.237.242.36 clean
45.33.6.223
whois
US Linode, LLC 45.33.6.223 clean
198.252.98.107
whois
US HAWKHOST 198.252.98.107 clean
47.57.240.200
whois
US Alibaba (US) Technology Co., Ltd. 47.57.240.200 clean

Suricata ids

ET MALWARE FormBook CnC Checkin (POST) M2
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Observed DNS Query to .life TLD
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure