popup

Report - demon.exe

Generic Malware PE64 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.08.07 08:54 Machine s1_win7_x6401
Filename demon.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
5
 Behavior Score
2.2
ZERO API file : malware
VT API (file)
md5 6fc6eb3ed2366b85dca354e44e956a11
sha256 37a6ef95815119e73613aa856f88a70ace7ce8dffa6e0b131b6f148f2dd37fc8
ssdeep 768:ubgyYWldBM19THIh9TxzGtZ4o+BGwC6M6IT7JAD14lthdxALrCPx1VskZhba/ejo:TyZ4THI7QQy7J84JACjZpbdHQz0Pshr
imphash
impfuzzy 3::
  Network IP location

Signature (5cnts)

Level Description
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method

Rules (3cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://157.245.47.66/test.txt
whois
GB DIGITALOCEAN-ASN 157.245.47.66 clean
https://157.245.47.66/funny_cat.gif
whois
GB DIGITALOCEAN-ASN 157.245.47.66 clean
157.245.47.66
whois
GB DIGITALOCEAN-ASN 157.245.47.66 malware

Suricata ids

ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed

Similarity measure (PE file only) - Checking for service failure