Report - build.exe

Tags: Vidar, UPX, Malicious Library, OS Processor Check, PE File, PE32
Created 2023.07.22 21:44
Machine s1_win7_x6401
Filename build.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 1
Behavior Score 4.0
ZERO API (file): malware
VT API (file): 19 detected (AIDetectMalware, malicious, high confidence, RedLineStealer, confidence, 100%, Attribute, HighConfidence, GenKryptik, GMBA, score, PWSX, moderate, Static AI, Suspicious PE, Detected, unsafe, TmDVI2xbRDB, Krypt, Kryptik, HUBJ)
md5 ed3809d571d4d52fa5bf9339b9750b27
sha256 ac3e72d085e062564ec329377615d7188683c24e4e6744c75eb5be82eb91e132
ssdeep 98304:yqL5M17FDIAh1sbMIwFGvcJFfh3csYKH2SVlEZgxYvG+7brIFZIIffmyEiD0n48T:yqL5M1dI06bMIgGUP+KHx0exyG+7br4G
imphash 055ea1090d6cc01b13403afd6132861b
impfuzzy 24:dojuVDoIsS1jtYGbJeDc+pl39LoEOovbO3kPvRRZHu9oGMSM:CS1jtYG6c+ppJc30neM

Signatures (10 counts)

Level    Description
watch    Communicates with host for which no DNS query was performed
watch    File has been identified by 19 AntiVirus engines on VirusTotal as malicious
watch    Network activity contains more than one unique useragent
notice   Allocates read-write-execute memory (usually to unpack itself)
notice   Creates executable files on the filesystem
notice   HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice   Performs some HTTP requests
info     Collects information to fingerprint the system (MachineGuid
info     Command line console output was observed
info     Queries for the computername

Rules (5 counts)

Level   Name                      Description          Collection
watch   Malicious_Library_Zero    Malicious_Library    binaries (upload)
watch   UPX_Zero                  UPX packed file      binaries (upload)
info    IsPE32                    (no description)     binaries (upload)
info    OS_Processor_Check_Zero   OS Processor Check   binaries (upload)
info    PE_Header_Zero            PE File Signature    binaries (upload)

Network (8 counts)

Request                                                  CC   ASN Company                        IP4              Rule    ZERO
http://116.203.7.113/ba898ce7ff6c6db9d00aca6445e5d347    DE   Hetzner Online GmbH                116.203.7.113            clean
http://116.203.7.113/upgrade.zip                         DE   Hetzner Online GmbH                116.203.7.113            clean
https://steamcommunity.com/profiles/76561198982268531    US   AKAMAI-AS                          104.88.222.199   35281   malicious
t.me                                                     GB   Telegram Messenger Inc             149.154.167.99           malicious
steamcommunity.com                                       US   Hong Kong Broadband Network Ltd.   184.87.111.197           malicious
116.203.7.113                                            DE   Hetzner Online GmbH                116.203.7.113            clean
149.154.167.99                                           GB   Telegram Messenger Inc             149.154.167.99           malicious
104.88.222.199                                           US   AKAMAI-AS                          104.88.222.199           clean

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x830000 GetLastError
 0x830004 WaitForSingleObject
 0x830008 CreateMutexA
 0x83000c Sleep
 0x830010 CreateThread
 0x830014 VirtualAlloc
 0x830018 VirtualProtect
 0x83001c GetModuleHandleA
 0x830020 GetProcAddress
 0x830024 LoadLibraryA
 0x830028 lstrlenW
 0x83002c GetConsoleWindow
 0x830030 WriteConsoleW
 0x830034 CreateFileW
 0x830038 QueryPerformanceCounter
 0x83003c GetCurrentProcessId
 0x830040 GetCurrentThreadId
 0x830044 GetSystemTimeAsFileTime
 0x830048 InitializeSListHead
 0x83004c IsDebuggerPresent
 0x830050 UnhandledExceptionFilter
 0x830054 SetUnhandledExceptionFilter
 0x830058 GetStartupInfoW
 0x83005c IsProcessorFeaturePresent
 0x830060 GetModuleHandleW
 0x830064 GetCurrentProcess
 0x830068 TerminateProcess
 0x83006c RaiseException
 0x830070 RtlUnwind
 0x830074 SetLastError
 0x830078 EncodePointer
 0x83007c EnterCriticalSection
 0x830080 LeaveCriticalSection
 0x830084 DeleteCriticalSection
 0x830088 InitializeCriticalSectionAndSpinCount
 0x83008c TlsAlloc
 0x830090 TlsGetValue
 0x830094 TlsSetValue
 0x830098 TlsFree
 0x83009c FreeLibrary
 0x8300a0 LoadLibraryExW
 0x8300a4 GetStdHandle
 0x8300a8 WriteFile
 0x8300ac GetModuleFileNameW
 0x8300b0 ExitProcess
 0x8300b4 GetModuleHandleExW
 0x8300b8 GetCommandLineA
 0x8300bc GetCommandLineW
 0x8300c0 HeapAlloc
 0x8300c4 HeapFree
 0x8300c8 CompareStringW
 0x8300cc LCMapStringW
 0x8300d0 GetFileType
 0x8300d4 FindClose
 0x8300d8 FindFirstFileExW
 0x8300dc FindNextFileW
 0x8300e0 IsValidCodePage
 0x8300e4 GetACP
 0x8300e8 GetOEMCP
 0x8300ec GetCPInfo
 0x8300f0 MultiByteToWideChar
 0x8300f4 WideCharToMultiByte
 0x8300f8 GetEnvironmentStringsW
 0x8300fc FreeEnvironmentStringsW
 0x830100 SetEnvironmentVariableW
 0x830104 SetStdHandle
 0x830108 GetStringTypeW
 0x83010c GetProcessHeap
 0x830110 FlushFileBuffers
 0x830114 GetConsoleOutputCP
 0x830118 GetConsoleMode
 0x83011c GetFileSizeEx
 0x830120 SetFilePointerEx
 0x830124 HeapSize
 0x830128 HeapReAlloc
 0x83012c CloseHandle
 0x830130 DecodePointer
USER32.dll
 0x830138 ShowWindow

EAT (Export Address Table): none
