popup

Report - 2.jpg

.NET EXE PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.11 07:47 Machine s1_win7_x6403
Filename 2.jpg
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
4
 Behavior Score
3.8
ZERO API
VT API (file) 33 detected (malicious, high confidence, unsafe, Save, Kryptik, confidence, 100%, KillAV, gen1, score, Quasar, CrypterX, Swhl, Sabsik, T7NEWB, AgentTesla, Artemis, R002H0DG923, MSIL@AI, MSIL2, Pfmfd6, BFmrQxjf1xsapTg, Static AI, Malicious PE, ZemsilF, qm0@aipcZnb)
md5 7416ede6924c85117720a8a9d158c67f
sha256 2b2c926a0d587f409f3c7453d3d9018642cdc51abce1752eb2bf395728619576
ssdeep 6144:sfKS9XQhhREyGp2cCeu6rdBCAOXLSqr8IN:C0Q2cCjnr
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (7cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 33 AntiVirus engines on VirusTotal as malicious
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice The binary likely contains encrypted or compressed data indicative of a packer
info This executable has a PDB path

Rules (3cnts)

Level Name Description Collection
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://ip-api.com/json/
whois
US TUT-AS 208.95.112.1
frp-bar.top
whois
CN CHINATELECOM Guangxi Nanning IDC networkdescr: NanningGuangxi Province, P.R.China. 116.10.184.211
ip-api.com
whois
US TUT-AS 208.95.112.1
116.10.184.211
whois
CN CHINATELECOM Guangxi Nanning IDC networkdescr: NanningGuangxi Province, P.R.China. 116.10.184.211
208.95.112.1
whois
US TUT-AS 208.95.112.1

Suricata ids

ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Common RAT Connectivity Check Observed
ET POLICY External IP Lookup ip-api.com

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure