popup

Report - imgengine.dll

UPX OS Processor Check MZP Format DLL PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.13 09:09 Machine s1_win7_x6402
Filename imgengine.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score Not founds Behavior Score
4.0
ZERO API file : clean
VT API (file) 15 detected (malicious, high confidence, Attribute, HighConfidence, Mekotio, score, AGEN, Static AI, Malicious PE, R568749, hylQq4PvDCH)
md5 511f56b74826a4e053db05e34f72bd6b
sha256 1a9b5e974dee1f8ad4c36c15c23b5573fb0a8066cb70ba29ae4971e5c6a7dec9
ssdeep 393216:BD47Ywnk2h2q8qhlBOs60wWTrrlJMWbDBHjci+:pak2gqdMsvwWTvoW3a
imphash bad0605d8f372e620cd77bb44b221b67
impfuzzy 12:dPupsOrWKnSmyZgDRrJuv2Q+DATOZGqAJcDW:dPusOSx+Rtv/DeadNDW
  Network IP location

Signature (11cnts)

Level Description
watch Executes one or more WMI queries
watch File has been identified by 15 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (6cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info mzp_file_format MZP(Delphi) file format binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US CCCH-3 23.43.165.66 clean
esp-78-56-65-23.esp.artforcemusic.de
whois
FR Aruba SAS 185.8.51.230 clean
185.8.51.230
whois
FR Aruba SAS 185.8.51.230 clean
121.254.136.27
whois
KR LG DACOM Corporation 121.254.136.27 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

comctl32.dll
 0x111a000 FlatSB_SetScrollInfo
shell32.dll
 0x111a008 Shell_NotifyIconW
user32.dll
 0x111a010 CopyImage
version.dll
 0x111a018 GetFileVersionInfoSizeW
oleaut32.dll
 0x111a020 SafeArrayPutElement
advapi32.dll
 0x111a028 InitializeAcl
netapi32.dll
 0x111a030 NetWkstaGetInfo
msvcrt.dll
 0x111a038 memcpy
winhttp.dll
 0x111a040 WinHttpGetIEProxyConfigForCurrentUser
kernel32.dll
 0x111a048 GetVersion
 0x111a04c GetVersionExW
wsock32.dll
 0x111a054 gethostbyaddr
ole32.dll
 0x111a05c CreateBindCtx
gdi32.dll
 0x111a064 Arc
kernel32.dll
 0x111a06c GetSystemTimeAsFileTime
kernel32.dll
 0x111a074 HeapAlloc
 0x111a078 HeapFree
 0x111a07c ExitProcess
 0x111a080 LoadLibraryA
 0x111a084 GetModuleHandleA
 0x111a088 GetProcAddress

EAT(Export Address Table) Library

0x77adb0 BindImage
0x77ada8 BindImageEx
0x77ada4 CheckSumMappedFile
0x77ad9c EnumerateLoadedModules
0x77ada0 EnumerateLoadedModules64
0x77ad98 EnumerateLoadedModulesEx
0x77ad94 EnumerateLoadedModulesExW
0x77ad90 EnumerateLoadedModulesW64
0x77ad8c FindDebugInfoFile
0x77ad88 FindDebugInfoFileEx
0x77ad84 FindExecutableImage
0x77ad80 FindExecutableImageEx
0x77ad7c FindFileInPath
0x77ad78 FindFileInSearchPath
0x77ad74 GetImageConfigInformation
0x77ad70 GetImageUnusedHeaderBytes
0x77ad6c GetTimestampForLoadedLibrary
0x77ad68 ImageAddCertificate
0x77ad64 ImageDirectoryEntryToData
0x77ad60 ImageDirectoryEntryToDataEx
0x77ad5c ImageEnumerateCertificates
0x77ad58 ImageGetCertificateData
0x77ad54 ImageGetCertificateHeader
0x77ad50 ImageGetDigestStream
0x77ad4c ImageLoad
0x77ad48 ImageNtHeader
0x77ad44 ImageRemoveCertificate
0x77ad40 ImageRvaToSection
0x77ad3c ImageRvaToVa
0x77ad38 ImageUnload
0x77ad34 ImagehlpApiVersion
0x77ad30 ImagehlpApiVersionEx
0x77ad2c MakeSureDirectoryPathExists
0x77ad28 MapAndLoad
0x77ad24 MapDebugInformation
0x77ad20 MapFileAndCheckSumA
0x77ad1c MapFileAndCheckSumW
0x77ad14 ReBaseImage
0x77ad18 ReBaseQHddvKE4
0x77ad10 RemovePrivateCvSymbolic
0x77ad0c RemovePrivateCvSymbolicEx
0x77adac RemoveRelocations
0x77ad08 SearchTreeForFile
0x77ad04 SetImageConfigInformation
0x77ad00 SplitSymbols
0x77acf8 StackWalk
0x77acfc StackWalk64
0x77acf4 SymCleanup
0x77acf0 SymEnumSym
0x77acec SymEnumSymbols
0x77ace8 SymEnumSymbolsForAddr
0x77ace4 SymEnumTypes
0x77ace0 SymEnumTypesByName
0x77acdc SymEnumTypesByNameW
0x77acd8 SymEnumTypesW
0x77acd0 SymEnumerateModules
0x77acd4 SymEnumerateModules64
0x77acc8 SymEnumerateSymbols
0x77accc SymEnumerateSymbols64
0x77acc0 SymEnumerateSymbolsW
0x77acc4 SymEnumerateSymbolsW64
0x77acbc SymFindFileInPath
0x77acb8 SymFindFileInPathW
0x77acb4 SymFromAddr
0x77acb0 SymFromName
0x77aca8 SymFunctionTableAccess
0x77acac SymFunctionTableAccess64
0x77aca0 SymGetLineFromAddr
0x77aca4 SymGetLineFromAddr64
0x77ac98 SymGetLineFromName
0x77ac9c SymGetLineFromName64
0x77ac90 SymGetLineNext
0x77ac94 SymGetLineNext64
0x77ac88 SymGetLinePrev
0x77ac8c SymGetLinePrev64
0x77ac80 SymGetModuleBase
0x77ac84 SymGetModuleBase64
0x77ac78 SymGetModuleInfo
0x77ac7c SymGetModuleInfo64
0x77ac70 SymGetModuleInfoW
0x77ac74 SymGetModuleInfoW64
0x77ac6c SymGetOptions
0x77ac68 SymGetSearchPath
0x77ac64 SymGetSourceFileFromTokenW
0x77ac60 SymGetSourceFileTokenW
0x77ac5c SymGetSourceVarFromTokenW
0x77ac54 SymGetSymFromAddr
0x77ac58 SymGetSymFromAddr64
0x77ac4c SymGetSymFromName
0x77ac50 SymGetSymFromName64
0x77ac44 SymGetSymNext
0x77ac48 SymGetSymNext64
0x77ac3c SymGetSymPrev
0x77ac40 SymGetSymPrev64
0x77ac38 SymGetSymbolFile
0x77ac34 SymGetSymbolFileW
0x77ac30 SymGetTypeFromName
0x77ac2c SymGetTypeFromNameW
0x77ac28 SymGetTypeInfo
0x77ac24 SymGetTypeInfoEx
0x77ac20 SymInitialize
0x77ac18 SymLoadModule
0x77ac1c SymLoadModule64
0x77ac14 SymMatchFileName
0x77ac10 SymMatchFileNameW
0x77ac0c SymMatchString
0x77ac08 SymMatchStringA
0x77ac04 SymMatchStringW
0x77abfc SymRegisterCallback
0x77ac00 SymRegisterCallback64
0x77abf4 SymRegisterFunctionEntryCallback
0x77abf8 SymRegisterFunctionEntryCallback64
0x77abf0 SymSetContext
0x77abec SymSetOptions
0x77abe8 SymSetScopeFromAddr
0x77abe4 SymSetScopeFromIndex
0x77abe0 SymSetSearchPath
0x77abdc SymSrvGetFileIndexString
0x77abd8 SymSrvGetFileIndexStringW
0x77abd4 SymSrvGetFileIndexes
0x77abd0 SymSrvGetFileIndexesW
0x77abc8 SymUnDName
0x77abcc SymUnDName64
0x77abc0 SymUnloadModule
0x77abc4 SymUnloadModule64
0x46f228 TMethodImplementationIntercept
0x77aba4 TMethodImplementationIntercept
0x77abbc TouchFileTimes
0x77abb8 UnDecorateSymbolName
0x77abb4 UnMapAndLoad
0x77abb0 UnmapDebugInformation
0x77abac UpdateDebugInfoFile
0x77aba8 UpdateDebugInfoFileEx
0x411dec __dbk_fcall_wrapper
0x79f640 dbkFCallWrapperAddr

Similarity measure (PE file only) - Checking for service failure