Report - gjdj.exe

Tags: Gen1, UPX, Malicious Library, Malicious Packer, PE File, PE32, OS Processor Check, DLL
Created: 2023.06.16 07:41   Machine: s1_win7_x6403
Filename gjdj.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 6
Behavior Score: 11.0
ZERO API file : malware
VT API (file) 46 detected (AIDetectMalware, Fu0@b8XW@Tbi, Artemis, V4r5, malicious, ZexaF, Fu0@a8XW@Tbi, ABTrojan, XPIP, Attribute, HighConfidence, high confidence, Kryptik, HTVD, score, XPACK, VIDAR, YXDFOZ, Static AI, Suspicious PE, Detected, ai score=84, unsafe, Chgt, Generic@AI, RDML, KeJGTH36uYXLoigPxh83RA, susgen, PossibleThreat, confidence, 100%)
md5 fc32f42ee0146b5ac0d96e2f877e77bc
sha256 50af042a96a7cd69b4d895c91f767c571aa6bd03c1dcaf21b517fbb75217ec47
ssdeep 12288:93A73SMiQqArFGV/zIv6jAocA0IYxjUFW7FUUcVExeW8Yf0Ah3RIArF1uNnxI2Oj:9F/74cWR7JFhd
imphash 27fd43b4a41f4844532b688ebb70af0c
impfuzzy 6:+dBzm7vhetOynizAoMfp9mWFB72OjElggBl7XOXWa5CakSvQF:YyLLviNE5lgJP5CaxQF

Signature (23cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Network activity contains more than one unique useragent
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid, ...)
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (10cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (9cnts)

Request CC ASN Co IP4 Rule ZERO
http://116.203.166.131/ DE Hetzner Online GmbH 116.203.166.131 clean
http://116.203.166.131/update.zip DE Hetzner Online GmbH 116.203.166.131 clean
http://116.203.166.131/89ee4bbf22c7d753e1a9ef8f2bd34ce7 DE Hetzner Online GmbH 116.203.166.131 clean
https://steamcommunity.com/profiles/76561199514261168 US Akamai International B.V. 104.75.41.21 clean
t.me GB Telegram Messenger Inc 149.154.167.99 malicious
steamcommunity.com US Akamai International B.V. 104.76.78.101 malicious
116.203.166.131 DE Hetzner Online GmbH 116.203.166.131 clean
149.154.167.99 GB Telegram Messenger Inc 149.154.167.99 malicious
104.75.41.21 US Akamai International B.V. 104.75.41.21 malicious
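The network table pairs per-URL verdicts with per-host verdicts, and the two disagree: the Steam profile URL is "clean" while steamcommunity.com is "malicious", and the three raw-IP fetches from 116.203.166.131 are "clean" even though one of them pulls update.zip. The script below is an added example, not part of the report or of the sandbox's own rule set: the rows are transcribed from the table above (constructed input, CC/ASN columns omitted), and the checks are my own heuristics. A Steam profile page together with a t.me page is the dead-drop pattern documented for Vidar and related stealers (VIDAR appears in the VT detection names above), where the real C2 address is published in a profile name or channel description, so the host-level verdicts are the ones worth acting on.

```python
import ipaddress
from urllib.parse import urlparse

# Network rows transcribed from the report: (request, ZERO verdict).
# Constructed input for this example; CC/ASN/IP columns are omitted because
# the checks below only need the request and the verdict.
REPORT_NETWORK = [
    ("http://116.203.166.131/", "clean"),
    ("http://116.203.166.131/update.zip", "clean"),
    ("http://116.203.166.131/89ee4bbf22c7d753e1a9ef8f2bd34ce7", "clean"),
    ("https://steamcommunity.com/profiles/76561199514261168", "clean"),
    ("t.me", "malicious"),
    ("steamcommunity.com", "malicious"),
    ("116.203.166.131", "clean"),
    ("149.154.167.99", "malicious"),
    ("104.75.41.21", "malicious"),
]


def host_of(request):
    """Host part of a row: parsed from a URL, or the bare host/IP as given."""
    if "://" in request:
        return urlparse(request).hostname or ""
    return request.split("/", 1)[0]


def is_literal_ip(host):
    """True when the host is an IPv4/IPv6 literal, i.e. no DNS query precedes it."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(rows):
    """Cross-check the per-URL rows against the per-host rows.

    bare_ip_urls : HTTP(S) requests whose host is a literal IP. This is what
                   the 'Communicates with host for which no DNS query was
                   performed' signature keys on.
    flagged_hosts: hosts the sandbox itself marked malicious (host-level IOCs).
    conflicts    : URLs marked clean whose host is in flagged_hosts; the URL
                   verdict is the weaker signal, so pivot on the host.
    downloads    : URL paths ending in a file name with an extension, i.e.
                   candidate second-stage payloads to carve from the pcap.
    """
    urls = [(r, v) for r, v in rows if "://" in r]
    hosts = [(r, v) for r, v in rows if "://" not in r]

    flagged_hosts = sorted({h for h, v in hosts if v == "malicious"})
    bare_ip_urls = [u for u, _ in urls if is_literal_ip(host_of(u))]
    conflicts = [u for u, v in urls if v == "clean" and host_of(u) in flagged_hosts]
    downloads = [u for u, _ in urls if "." in urlparse(u).path.rsplit("/", 1)[-1]]
    return {
        "bare_ip_urls": bare_ip_urls,
        "flagged_hosts": flagged_hosts,
        "conflicts": conflicts,
        "downloads": downloads,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_NETWORK).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

The "downloads" check is deliberately naive (a dot in the last path segment); the 32-hex-character path on the same host has no extension and is not caught by it, which is exactly the kind of opaque resource name that deserves a manual look in the capture.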

Suricata ids

PE API

IAT (Import Address Table)

KERNEL32.dll
 0x442000 EncodeSystemPointer
 0x442004 DecodeSystemPointer
 0x442008 HeapCreate
 0x44200c GetProcessHeap
 0x442010 SetEvent
 0x442014 CreateMutexW
 0x442018 CreateEventW
 0x44201c FlushInstructionCache
 0x442020 GetSystemInfo
 0x442024 FlushViewOfFile
 0x442028 CreateMemoryResourceNotification
 0x44202c CreateTimerQueue
 0x442030 GetModuleHandleA
 0x442034 ConvertFiberToThread
 0x442038 CreateFiber
 0x44203c DeleteAtom
 0x442040 ClearCommError
 0x442044 GetCommModemStatus
 0x442048 AddAtomW

EAT (Export Address Table): none
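The report gives an imphash in the header and lists the import table in the IAT section, and the two should be reproducible from each other. The script below is an added example, not code from the report or the sandbox: it rebuilds the import hash the way pefile's get_imphash() does (library name lowercased with its .dll/.ocx/.sys extension stripped, function name lowercased, entries joined with commas in table order, MD5 of the result) from the imports transcribed above. It assumes the 19 KERNEL32.dll entries are the complete table and that there are no ordinal-only imports, which this simplified version does not handle.

```python
import hashlib

# Import table transcribed from the report's IAT section. Constructed input for
# this example: the report lists only KERNEL32.dll, so this is treated as the
# complete table (an assumption; any import from another DLL, or by ordinal,
# changes the hash).
REPORT_IMPORTS = [
    ("KERNEL32.dll", "EncodeSystemPointer"),
    ("KERNEL32.dll", "DecodeSystemPointer"),
    ("KERNEL32.dll", "HeapCreate"),
    ("KERNEL32.dll", "GetProcessHeap"),
    ("KERNEL32.dll", "SetEvent"),
    ("KERNEL32.dll", "CreateMutexW"),
    ("KERNEL32.dll", "CreateEventW"),
    ("KERNEL32.dll", "FlushInstructionCache"),
    ("KERNEL32.dll", "GetSystemInfo"),
    ("KERNEL32.dll", "FlushViewOfFile"),
    ("KERNEL32.dll", "CreateMemoryResourceNotification"),
    ("KERNEL32.dll", "CreateTimerQueue"),
    ("KERNEL32.dll", "GetModuleHandleA"),
    ("KERNEL32.dll", "ConvertFiberToThread"),
    ("KERNEL32.dll", "CreateFiber"),
    ("KERNEL32.dll", "DeleteAtom"),
    ("KERNEL32.dll", "ClearCommError"),
    ("KERNEL32.dll", "GetCommModemStatus"),
    ("KERNEL32.dll", "AddAtomW"),
]

REPORTED_IMPHASH = "27fd43b4a41f4844532b688ebb70af0c"  # value from the report header


def normalize_imports(imports):
    """Build the canonical string the imphash is taken over: one
    '<library>.<function>' entry per import, in table order, with the library
    lowercased and a trailing .dll/.ocx/.sys removed, function lowercased."""
    entries = []
    for library, function in imports:
        lib = library.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        entries.append(f"{lib}.{function.lower()}")
    return ",".join(entries)


def imphash(imports):
    """MD5 of the normalized import string (same construction as pefile's
    PE.get_imphash(); ordinal-only imports are not resolved here)."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


def table_is_complete(imports, reported=REPORTED_IMPHASH):
    """True only if the transcribed table reproduces the reported imphash.
    False means the listed imports are not the whole table (or the hash was
    taken over a different image), so do not pivot on them as if they were."""
    return imphash(imports) == reported


if __name__ == "__main__":
    print(normalize_imports(REPORT_IMPORTS))
    print("computed:", imphash(REPORT_IMPORTS), "reported:", REPORTED_IMPHASH)
    print("table complete:", table_is_complete(REPORT_IMPORTS))
```

Two caveats when using the result. The hash is order-sensitive, so a table transcribed in a different order than the on-disk one will not match. And for a packed sample (the UPX and Malicious Packer rules both fired) the static import table belongs to the packer or crypter stub, not to the payload; that is why the list is short and generic, and why imphash clusters such samples by packer rather than by family. Unpack before pivoting on imphash.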