Report - trapline-drivers.exe

Tags: Generic Malware, Antivirus, PE File, PE64, PowerShell
Created 2023.07.05 17:34 Machine s1_win7_x6403
Filename trapline-drivers.exe
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
AI Score 5
Behavior Score 6.2
ZERO API
VT API (file) 47 engines detected; detection-name fragments as reported: Exnet, PackedNET, GenericKD, Artemis, Save, Bsymem, malicious, confidence, 100%, ABRisk, LTBM, Attribute, HighConfidence, high confidence, GenKryptik, GLJH, score, TrojanX, Gencirc, AGEN, R002C0XG123, CoinMiner, Static AI, Malicious PE, ai score=80, Wacatac, Detected, unsafe, Chgt, MSIL@AI, MSIL2, PXJsBVrZZtWaAEa, fAqhBQ, Krypt, susgen, Kryptik, AHRV
md5 2fe56b5f4728f2fd8839ac9d937c097d
sha256 c5c415f201749894317b00a27605d046cf1d6659f6356357af3024fd0808749e
ssdeep 24576:dz+bXZnWLve+zZBXl+hAaeu3qmOPfXX8uZ4IqVhtjOMA+nTTMmIynfAXPNQ44eCJ:xQmGKXlfJutnTbfVGn
imphash
impfuzzy 3::

Signatures (15)

Level Description
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
watch Creates a suspicious Powershell process
watch One or more non-whitelisted processes were created
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Starts servers listening
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (5)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info PowerShell PowerShell script scripts

Network (2)

Request CC ASN (org) IP4 Rule ZERO
upload.nugeta.net US CLOUDFLARENET 172.67.183.35
172.67.183.35 US CLOUDFLARENET 172.67.183.35
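The signature table and the network table above give an analyst two things to act on: file hashes to confirm a recovered binary is this sample, and behaviours (a hidden PowerShell child process, a shortcut to an executable, a DNS lookup of upload.nugeta.net and a connection to 172.67.183.35) to hunt for in endpoint telemetry. The script below is an added example written for this page; it is not code from the sandbox or from the sample. The hashes and network indicators are copied from the report, the log lines are constructed in a Sysmon-style key=value layout, and the field names and the detection heuristics are the editor's assumptions, not rules the sandbox applied.

```python
"""Offline triage helper built from the indicators in this report.

Added example, not part of the sandbox report or of the sample itself.
Hashes and network indicators come from the report; the log lines are
constructed (Sysmon-style key=value fields) and the heuristics are the
editor's assumptions.
"""
import hashlib
import re

# File indicators copied from the report.
REPORT_HASHES = {
    "md5": "2fe56b5f4728f2fd8839ac9d937c097d",
    "sha256": "c5c415f201749894317b00a27605d046cf1d6659f6356357af3024fd0808749e",
}
# Network indicators from the report. 172.67.183.35 is a Cloudflare edge
# address shared by many sites, so the hostname is the stronger indicator.
NETWORK_IOCS = {"upload.nugeta.net", "172.67.183.35"}

# PowerShell switches that hide the window, skip the profile or pass an
# encoded command (assumed heuristic; the report does not show the command line).
HIDDEN_PS = re.compile(
    r"(?i)(?:^|\s)-(?:w|win|window|windowstyle)\s+hidden\b"
    r"|(?:^|\s)-(?:nop|noprofile|e|ec|enc|encodedcommand)\b"
)

# Key=value splitter that tolerates spaces inside values (paths, command lines).
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of a buffer, in the form the report prints them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes) -> bool:
    """True only if both hashes equal the values in the report."""
    return file_hashes(data) == REPORT_HASHES


def parse_event(line: str) -> dict:
    """Turn 'EventID=1 Image=C:\\x y.exe CommandLine=a b c' into a dict."""
    return dict(_KV.findall(line))


def triage(lines):
    """Return (line_no, rule, detail) for every line that matches a heuristic."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        # Sysmon 1 (process create): PowerShell started with window-hiding switches.
        if (eid == "1" and image.endswith("powershell.exe")
                and HIDDEN_PS.search(ev.get("CommandLine", ""))):
            findings.append((n, "hidden_powershell", ev.get("ParentImage", "")))
        # Sysmon 11 (file create): a .lnk dropped into a Startup folder.
        target = ev.get("TargetFilename", "").lower()
        if eid == "11" and target.endswith(".lnk") and "\\startup\\" in target:
            findings.append((n, "startup_shortcut", ev["TargetFilename"]))
        # Sysmon 22 (DNS query) and 3 (network connect) against the report's IOCs.
        if eid == "22" and ev.get("QueryName", "").lower() in NETWORK_IOCS:
            findings.append((n, "dns_ioc", ev["QueryName"]))
        if eid == "3" and ev.get("DestinationIp") in NETWORK_IOCS:
            findings.append((n, "network_ioc", ev["DestinationIp"]))
    return findings


# Constructed sample telemetry: four lines that mirror the report's behaviours
# and three benign lines that must not fire.
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Users\user\Downloads\trapline-drivers.exe ParentImage=C:\Windows\explorer.exe CommandLine=trapline-drivers.exe",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Users\user\Downloads\trapline-drivers.exe CommandLine=powershell.exe -WindowStyle Hidden -NoProfile -Command Get-CimInstance Win32_OperatingSystem",
    r"EventID=11 Image=C:\Users\user\Downloads\trapline-drivers.exe TargetFilename=C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drivers.lnk",
    r"EventID=22 Image=C:\Users\user\Downloads\trapline-drivers.exe QueryName=upload.nugeta.net",
    r"EventID=3 Image=C:\Users\user\Downloads\trapline-drivers.exe DestinationIp=172.67.183.35 DestinationPort=443",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe C:\notes.txt",
    r"EventID=22 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=example.com",
]

if __name__ == "__main__":
    for line_no, rule, detail in triage(SAMPLE_LOG):
        print(f"line {line_no}: {rule} -> {detail}")
```

Run against real telemetry, the hidden-PowerShell and startup-shortcut rules are generic and will also fire on some administrative tooling, so treat them as pivots to the parent process rather than verdicts; the hash match and the DNS lookup of upload.nugeta.net are the high-confidence hits. Blocking 172.67.183.35 alone is not useful, since that address fronts many unrelated Cloudflare customers.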

Suricata ids

PE API

IAT (Import Address Table) is none

EAT (Export Address Table) is none

Caveat: a managed (.NET/MSIL) executable normally imports only mscoree.dll!_CorExeMain and exports nothing, so an empty import table and a blank imphash are expected for this file type and are not themselves suspicious. The Win32 APIs behind the behaviours listed above are reached through the CLR and are visible only in the MSIL metadata or at runtime, not in the PE import table.
