Report - 1.exe

UPX Malicious Library OS Processor Check PE File PE32
ScreenShot
Created 2023.08.04 10:21 Machine s1_win7_x6401
Filename 1.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
7
Behavior Score
7.2
ZERO API file : malware
VT API (file) 20 detected (AIDetectMalware, malicious, high confidence, confidence, Attribute, HighConfidence, GenKryptik, GHTO, score, Steal, high, Redline, Wacapew, Detected, ZexaF, Aq2@a0Vj@Sdi, unsafe, Kryptik, dGZlOgVEgIaz2LxhTA, Static AI, Malicious PE)
md5 bb8b0862c3c8ac468a57d9ae32f873f2
sha256 498ce4ddc627a2b95a11ab521c9314fbe975d5aa4de496792906fe7bb8ce64e0
ssdeep 6144:Uj6yKNstxo6mjbLLi7LLccO28qrVO2l5vlR4CX1SvihNAI:UpDtxZEsdBN5v3rXainAI
imphash c1d8dc34360d5ef7aa5bc95ab2a0e4a8
impfuzzy 24:WjlNDoryPeEOovnKQFQ8RyvDh/J3ISlRT4Fmfpl/qH+X:zEK3DjhcFmfp5qHO
  Network IP location

Signature (18cnts)

Level Description
warning File has been identified by 20 AntiVirus engines on VirusTotal as malicious
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries which can be used to identify virtual machines
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (5cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
176.123.9.85 MD Alexhost Srl 176.123.9.85 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x40e008 WaitForSingleObject
 0x40e00c CreateThread
 0x40e010 lstrlenW
 0x40e014 VirtualProtect
 0x40e018 GetProcAddress
 0x40e01c LoadLibraryA
 0x40e020 VirtualAlloc
 0x40e024 LockResource
 0x40e028 LoadResource
 0x40e02c Sleep
 0x40e030 FindResourceW
 0x40e034 GetModuleHandleW
 0x40e038 GetLastError
 0x40e03c CreateMutexA
 0x40e040 GetModuleHandleA
 0x40e044 GetConsoleWindow
 0x40e048 SizeofResource
 0x40e04c GetACP
 0x40e050 GetCommandLineA
 0x40e054 SetUnhandledExceptionFilter
 0x40e058 ExitProcess
 0x40e05c WriteFile
 0x40e060 GetStdHandle
 0x40e064 GetModuleFileNameA
 0x40e068 FreeEnvironmentStringsA
 0x40e06c GetEnvironmentStrings
 0x40e070 FreeEnvironmentStringsW
 0x40e074 WideCharToMultiByte
 0x40e078 GetEnvironmentStringsW
 0x40e07c SetHandleCount
 0x40e080 GetFileType
 0x40e084 GetStartupInfoA
 0x40e088 DeleteCriticalSection
 0x40e08c TlsGetValue
 0x40e090 TlsAlloc
 0x40e094 TlsSetValue
 0x40e098 TlsFree
 0x40e09c InterlockedIncrement
 0x40e0a0 SetLastError
 0x40e0a4 GetCurrentThreadId
 0x40e0a8 InterlockedDecrement
 0x40e0ac HeapCreate
 0x40e0b0 VirtualFree
 0x40e0b4 HeapFree
 0x40e0b8 QueryPerformanceCounter
 0x40e0bc GetTickCount
 0x40e0c0 GetCurrentProcessId
 0x40e0c4 GetSystemTimeAsFileTime
 0x40e0c8 GetCPInfo
 0x40e0cc GetOEMCP
 0x40e0d0 IsValidCodePage
 0x40e0d4 TerminateProcess
 0x40e0d8 GetCurrentProcess
 0x40e0dc UnhandledExceptionFilter
 0x40e0e0 IsDebuggerPresent
 0x40e0e4 LeaveCriticalSection
 0x40e0e8 EnterCriticalSection
 0x40e0ec InitializeCriticalSectionAndSpinCount
 0x40e0f0 HeapAlloc
 0x40e0f4 HeapReAlloc
 0x40e0f8 RtlUnwind
 0x40e0fc LCMapStringA
 0x40e100 MultiByteToWideChar
 0x40e104 LCMapStringW
 0x40e108 GetStringTypeA
 0x40e10c GetStringTypeW
 0x40e110 GetLocaleInfoA
 0x40e114 HeapSize
USER32.dll
 0x40e11c ShowWindow
ADVAPI32.dll
 0x40e000 RegDeleteKeyA
ole32.dll
 0x40e124 OleInitialize

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure