popup

Report - fffffff.exe1

Gozi UPX OS Processor Check PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.08.02 10:16 Machine s1_win7_x6403
Filename fffffff.exe1
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
4.6
ZERO API file : malware
VT API (file) 25 detected (AIDetectMalware, malicious, high confidence, unsafe, Save, score, ccmw, EncPk, Static AI, Malicious PE, Wacapew, Detected, ZexaF, Gu0@aeWpXDci, BScope, Dridex, MachineLearning, Anomalous, 100%, Generic@AI, RDML, 6zgeAFwHW4a5Z6Nvl7, susgen, confidence)
md5 12e493f7a5f1d8487239d477631457b9
sha256 0c21cc2b9bf1e49a8b2eada21a695170c89a52fe209b13c6b136cb189fd62abb
ssdeep 12288:q1DmCRaGA1J9NlMn1zn+AWkCDb8we0Yz2yCHBhaaB8O:IKCYTza1zNWkAQZ0M2yCj
imphash 5afa9a8b314006f35dd01e2aac6bc7ca
impfuzzy 12:BPEUGsjv0QXn3H/m1jxB7HySnAGw7sUj7/qRKeARleny:NEUGsT0QX3H/cjxBpnEjWSlN
  Network IP location

Signature (10cnts)

Level Description
warning File has been identified by 25 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Disables proxy possibly for traffic interception
watch Looks for the Windows Idle Time to determine the uptime
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Queries for the computername

Rules (4cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (11cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://79.132.130.230/zerotohero/K3vk9WJHpEMX6hbZw9tQyo5/AMBJbLu6tj/I4dyyPRvEIc_2Bo5I/2NUNLIkQqXoM/4CLXycYanau/8WFUZdkBqHxj0k/G1Dz8Bb1qnisHoMvqFItJ/4wfCjdP1Gf4MD015/_2Fjg_2BwAknLxt/5g2XdSihMUmd7kf0Vf/ZYb5g5bV4/ib0vVzu4C_2FW6ak5OEU/GWK9iVTriGnuRYnmHaa/jVg2
whois
Unknown 79.132.130.230 35359 mailcious
http://78.138.9.136/zerotohero/BOMG5brBej/W6MNwYSFq4lSlX9tT/x4Y3Omef7UGN/WZhhSM2s5vi/V1FDzyIOh5EpoI/CWWIkqKkrw75RSUzXr7ex/W1RxkTyF3m2S3f2E/Y99btwsIJQuuhmN/lw3cuoTnNFNiXX7cu0/2whafmQx2/EkaF2FKoKeqHPMNHsEAQ/keKvvr9l1uzq8oU96Le/2jrUUusg_2B0I6xcr09dJj/XFvFn_2
whois
GB SkyVision Global Networks Ltd 78.138.9.136 35357 mailcious
http://79.132.130.230/zerotohero/DVrxwIAQMgsf7onOLh/XV75B5oFA/y1vXWahjjQZVMDH_2FiQ/4PZa4sHCsckUL377wx1/ZWvRgGdffXeg9iPEYWZ0h_/2BhA96Rc7xe4R/qby1FhUA/D3J5ocbPv6vcjAoxDEpqdg_/2BxvziDIQC/aLCB4AL9AMx8ac_2B/QNhLbiQcgZin/EpRbwzEa4e4/D_2BKwsvigFCN_/2FBg_2Fw3ZaNS
whois
Unknown 79.132.130.230 35359 mailcious
http://185.212.47.65/zerotohero/cdXm_2FVJxK0LegSF/qWrY8fts8Fcq/0NYojf5UlKt/8DhxFr0B_2FsfH/yh95t8o1NlDiZvluicJ4e/y3s9rzRcxmXrVVJ7/Ka_2BqSUQBoccRO/pPeTmlMcibaZ1A8GB4/_2FCWWzpa/5CmD7rRKRlIWq5D4qu77/BGDeyVKNAc3pBFiPPX0/ncnmY9UmOi2ZepGuelaMz6/Fs7cUQ3jbJA0N/WaI
whois
DE servinga GmbH 185.212.47.65 35353 mailcious
http://45.155.249.172/zerotohero/_2BNfe26Q_2BhpzcY80eoW/2IbQqms219ain/8xo_2BRo/O79HFwawAOqR1xwy3PGyFgp/h2FreaMQGU/PghXl8ePxYt85SSHr/L_2B7SHWLYe8/Jvu0omXw0U8/B2o2reD4ai5rDs/W5ZivSf7_2FvcBaSlziH8/2oaBAztGA6DuRQnj/fby_2FNeLRkfUIG/Tb9pBn4LDJSKpggRop/2yOnyRMrq
whois
DE meerfarbig GmbH & Co. KG 45.155.249.172 35355 mailcious
lisfwhite.ch2eck.yaheoo.com
whois
Unknown mailcious
listwhfite.check3.yaho1o.com
whois
Unknown mailcious
185.212.47.65
whois
DE servinga GmbH 185.212.47.65 mailcious
78.138.9.136
whois
GB SkyVision Global Networks Ltd 78.138.9.136 mailcious
79.132.130.230
whois
Unknown 79.132.130.230 mailcious
45.155.249.172
whois
DE meerfarbig GmbH & Co. KG 45.155.249.172 mailcious

Suricata ids

ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

PE API

IAT(Import Address Table) Library

USER32.dll
 0x420064 GetLastInputInfo
 0x420068 CreateWindowExA
 0x42006c InvalidateRgn
 0x420070 DispatchMessageA
 0x420074 RegisterClassA
 0x420078 AppendMenuA
 0x42007c GetMessageA
 0x420080 GetUpdateRgn
 0x420084 DefWindowProcA
SETUPAPI.dll
 0x42004c SetupDiGetClassDevsA
 0x420050 SetupDiEnumDeviceInfo
 0x420054 SetupDiGetDeviceRegistryPropertyA
SHLWAPI.dll
 0x42005c UrlCanonicalizeA
msvcrt.dll
 0x42008c memset
OLEAUT32.dll
 0x420040 GetErrorInfo
 0x420044 GetRecordInfoFromGuids
KERNEL32.dll
 0x42000c LoadLibraryW
 0x420010 GetModuleHandleW
 0x420014 GetSystemTimeAsFileTime
 0x420018 CreateEventA
 0x42001c TerminateProcess
 0x420020 SetStdHandle
 0x420024 WaitForSingleObject
 0x420028 MoveFileW
 0x42002c LeaveCriticalSection
 0x420030 IsProcessorFeaturePresent
 0x420034 InitializeCriticalSectionAndSpinCount
 0x420038 WTSGetActiveConsoleSessionId
ADVAPI32.dll
 0x420000 AccessCheck
 0x420004 GetKernelObjectSecurity

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure