Report - qr.png

Tags: UPX, PE64, PE File
Created  2023.07.22 21:50
Machine  s1_win7_x6401
Filename qr.png
Type     PE32+ executable (console) x86-64, for MS Windows
AI Score: 4
Behavior Score: 2.2
ZERO API (file): malware
VT API (file): 40 detected (malicious, high confidence). Detection name tokens: GenericKD, Cobaltstrike, V4xc, ABRisk, IYHJ, Attribute, HighConfidence, GenKryptik, GEGB, score, HacktoolX, FalseSign, Msmw, EPACK, Gen2, Meterpreter, COBEACON, YXDGUZ, Artemis, ai score=80, CobalStrike, VU3Y2S, Detected, unsafe, GfPDmvfR3RE, Rozena, confidence, 100%
md5      07ecd12de259e62383d687d8eac0b089
sha256   e01e05a89153f718942abf535480ac1d7f311a30f342c571e4c0d42f4785aa61
ssdeep   24576:BUNa3MUnPbWsANXdgEm2vEP9WlkQyOUkiZ9zkRP:BXXSnNNPsVWlkQVUkiZ9zkRP
imphash  7c4e296c67498d0ca3bb31360c5368f6
impfuzzy 24:8fH1JlDzncrAa0man0MG95XGDZykoDqoZn:8fH1jcrna0RJGVykoqE

Signature (4 counts)

Level   Description
danger  File has been identified by 40 AntiVirus engines on VirusTotal as malicious
notice  Allocates read-write-execute memory (usually to unpack itself)
notice  The binary likely contains encrypted or compressed data indicative of a packer
info    One or more processes crashed

Rules (3 counts)

Level  Name            Description            Collection
watch  UPX_Zero        UPX packed file        binaries (upload)
info   IsPE64          (no description)       binaries (upload)
info   PE_Header_Zero  PE File Signature      binaries (upload)

Network (0 counts)

No network requests were recorded (the Request / CC / ASN / Co / IP4 / Rule / ZERO table is empty).

Suricata IDS: no entries

PE API

IAT (Import Address Table), by library

KERNEL32.dll
 0x49f1fc DeleteCriticalSection
 0x49f204 EnterCriticalSection
 0x49f20c FreeConsole
 0x49f214 GetCurrentProcess
 0x49f21c GetCurrentProcessId
 0x49f224 GetCurrentThreadId
 0x49f22c GetLastError
 0x49f234 GetModuleHandleA
 0x49f23c GetProcAddress
 0x49f244 GetStartupInfoA
 0x49f24c GetSystemTimeAsFileTime
 0x49f254 GetTickCount
 0x49f25c InitializeCriticalSection
 0x49f264 LeaveCriticalSection
 0x49f26c OpenThread
 0x49f274 QueryPerformanceCounter
 0x49f27c QueueUserAPC
 0x49f284 RtlAddFunctionTable
 0x49f28c RtlCaptureContext
 0x49f294 RtlLookupFunctionEntry
 0x49f29c RtlVirtualUnwind
 0x49f2a4 SetUnhandledExceptionFilter
 0x49f2ac Sleep
 0x49f2b4 SleepEx
 0x49f2bc TerminateProcess
 0x49f2c4 TlsGetValue
 0x49f2cc UnhandledExceptionFilter
 0x49f2d4 VirtualProtect
 0x49f2dc VirtualQuery
msvcrt.dll
 0x49f2ec __C_specific_handler
 0x49f2f4 __getmainargs
 0x49f2fc __initenv
 0x49f304 __iob_func
 0x49f30c __lconv_init
 0x49f314 __set_app_type
 0x49f31c __setusermatherr
 0x49f324 _acmdln
 0x49f32c _amsg_exit
 0x49f334 _cexit
 0x49f33c _fmode
 0x49f344 _initterm
 0x49f34c _onexit
 0x49f354 abort
 0x49f35c calloc
 0x49f364 exit
 0x49f36c fprintf
 0x49f374 free
 0x49f37c fwrite
 0x49f384 malloc
 0x49f38c memcpy
 0x49f394 signal
 0x49f39c strlen
 0x49f3a4 strncmp
 0x49f3ac vfprintf

EAT (Export Address Table): none
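The two static findings above (the "packer" signatures and the imphash) are worth reproducing by hand, and the import list is worth reading as a whole rather than line by line: OpenThread together with QueueUserAPC and VirtualProtect is a common way for a loader to run a buffer it has just unpacked and made executable without calling CreateThread, which fits the RWX-allocation signature, the UPX rule and the Cobalt Strike / Meterpreter / Rozena detection names. Combined with the zero network count and the "process crashed" notice, the behaviour score of 2.2 is consistent with the payload never reaching its callback in this sandbox run, so the PE API section carries more of the verdict here than the dynamic sections do. The following is an added example, not part of the sandbox report or of the sample: it implements the section-entropy and UPX-layout checks, the imphash string and hash as pefile computes them for named imports (ordinal imports are not handled), and the import-combination heuristic, all on a constructed section table and import list that mimic a UPX-packed PE. The 7.0 entropy threshold and the three-API set are heuristics chosen for the example. To run the same checks on a real file, feed it `section.Name`, `section.SizeOfRawData`, `section.Misc_VirtualSize` and `section.get_data()` from pefile, and compare `imphash()` with `pe.get_imphash()`; note that the report's imphash depends on the import directory order as the sandbox parsed it, so recomputing it from the listing above reproduces it only if that listing preserves the on-disk order.

```python
# Added example, not code from the sandbox report. Section table, bytes and
# import list below are constructed to resemble a UPX-packed PE64 loader.
import hashlib
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread.
    Compressed or encrypted sections usually score above ~7.0; plain x86-64
    code sits around 5.5 to 6.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def packer_indicators(sections, entropy_threshold=7.0):
    """Flag UPX-style layout. `sections` is a list of dicts with keys
    name, raw_size, virtual_size, data (raw bytes as stored on disk)."""
    flags = []
    for s in sections:
        name = s["name"]
        if name in UPX_SECTION_NAMES:
            flags.append(f"{name}: UPX section name")
        # UPX0 is the empty on-disk region the stub decompresses into: zero raw
        # size but a large virtual size. That shape is a decompression target.
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append(f"{name}: raw size 0 but virtual size {s['virtual_size']:#x} (unpack destination)")
        ent = shannon_entropy(s["data"])
        if ent >= entropy_threshold:
            flags.append(f"{name}: entropy {ent:.2f} >= {entropy_threshold} (compressed/encrypted data)")
    return flags


def imphash_string(imports):
    """The string pefile hashes for named imports: 'lib.func' per import,
    lower-cased, library extension stripped, comma-joined, in import-directory
    order. Order matters, which is why imphash is sensitive to how a compiler
    or packer emits the import table."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Heuristic chosen for this example: a loader that opens a thread handle and
# queues an APC after changing page protections is running a buffer it
# prepared itself, without CreateThread.
APC_EXECUTION_SET = {"openthread", "queueuserapc", "virtualprotect"}


def flags_apc_style_execution(imports) -> bool:
    names = {func.lower() for _, func in imports}
    return APC_EXECUTION_SET <= names


# Constructed sample input (not taken from qr.png): a deterministic PRNG stands
# in for compressed bytes so the run is reproducible offline.
_rng = random.Random(1)
SAMPLE_SECTIONS = [
    {"name": "UPX0", "raw_size": 0, "virtual_size": 0x9B000, "data": b""},
    {"name": "UPX1", "raw_size": 0x1000, "virtual_size": 0x1000,
     "data": bytes(_rng.getrandbits(8) for _ in range(0x1000))},
    {"name": ".rsrc", "raw_size": 0x200, "virtual_size": 0x200, "data": bytes(0x200)},
]
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "OpenThread"),
    ("KERNEL32.dll", "QueueUserAPC"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("msvcrt.dll", "malloc"),
]

if __name__ == "__main__":
    for flag in packer_indicators(SAMPLE_SECTIONS):
        print("packer:", flag)
    print("imphash input:", imphash_string(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
    print("APC-style execution imports:", flags_apc_style_execution(SAMPLE_IMPORTS))
```

The entropy check is the one to trust least on its own: a large resource section holding a PNG or a certificate also scores above 7.0, which is why the function reports the section name with each flag so the analyst can read the UPX0/UPX1 pairing rather than a bare number.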

Similarity measure (PE file only): not available