Report - doudian8574.exe

Malicious Library UPX PE64 PE File CHM Format OS Processor Check DLL
Created 2023.08.12 19:13 Machine s1_win7_x6403
Filename doudian8574.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 8
Behavior Score 5.4
ZERO API file : malware
VT API (file) 28 detected (malicious, high confidence, Vy0i, Attribute, HighConfidence, AGen, xyaytd, FileRepMalware, Misc, Oader, Hflw, NetLoader, Static AI, Suspicious PE, GrayWare, Wacapew, Casdet, unsafe, Chgt, R002H0DHB23, VthFwSSuMeK, Outbreak, susgen, confidence, 100%)
md5 11746e92a679b202ffc31a9397db030f
sha256 a511fac843b237992e58bde1e41ec271891e96c9e32279687c058baea9f005a2
ssdeep 768:V4f9SsBo7cTlFWT8llD4zAA8lU6ez5cIgQMzKHMcTzH5iakD0XdLIsybqvZY:2foF7cvWTEPUP5/gQoqZTliIoeZ
imphash 4ecd752f2d70ad77939724fa31d997d9
impfuzzy 24:257l1DkoOovBtQzGYIcplELYJ3Xq8RyvgT4RjMMBicbT:QMnKtiIcpekugcGcbT

Signature (11cnts)

Level    Description
warning  File has been identified by 28 AntiVirus engines on VirusTotal as malicious
watch    Attempts to create or modify system certificates
watch    Attempts to modify browser security settings
watch    Communicates with host for which no DNS query was performed
watch    Network activity contains more than one unique useragent
notice   Allocates read-write-execute memory (usually to unpack itself)
notice   An executable file was downloaded by the process doudian8574.exe
notice   Creates executable files on the filesystem
notice   Creates hidden or system file
notice   Performs some HTTP requests
info     Collects information to fingerprint the system (MachineGuid …)

Rules (10cnts)

Level  Name                     Description         Collection
watch  Malicious_Library_Zero   Malicious_Library   binaries (download)
watch  Malicious_Library_Zero   Malicious_Library   binaries (upload)
watch  UPX_Zero                 UPX packed file     binaries (download)
info   chm_file_format          chm file format     binaries (download)
info   IsDLL                    (no description)    binaries (download)
info   IsPE64                   (no description)    binaries (download)
info   IsPE64                   (no description)    binaries (upload)
info   OS_Processor_Check_Zero  OS Processor Check  binaries (download)
info   PE_Header_Zero           PE File Signature   binaries (download)
info   PE_Header_Zero           PE File Signature   binaries (upload)

Network (12cnts)

Request                                                              CC  ASN Co                                  IP4              Rule  ZERO
https://2023816.oss-cn-hangzhou.aliyuncs.com/qd.CHM                  CN  Hangzhou Alibaba Advertising Co.,Ltd.  47.110.23.90     -     clean
https://2023816.oss-cn-hangzhou.aliyuncs.com/md.exe                  CN  Hangzhou Alibaba Advertising Co.,Ltd.  47.110.23.90     -     clean
https://yts2023811.oss-cn-hangzhou.aliyuncs.com/3.bin                CN  Hangzhou Alibaba Advertising Co.,Ltd.  121.199.204.179  -     clean
https://2023816.oss-cn-hangzhou.aliyuncs.com/hrsgdsb8574wknzms.jpg   CN  Hangzhou Alibaba Advertising Co.,Ltd.  47.110.23.90     -     clean
https://2023815.oss-cn-hangzhou.aliyuncs.com/UnityPlayer.dll         CN  Hangzhou Alibaba Advertising Co.,Ltd.  121.199.204.174  -     clean
https://2023815.oss-cn-hangzhou.aliyuncs.com/ttd.exe                 CN  Hangzhou Alibaba Advertising Co.,Ltd.  121.199.204.174  -     clean
yts2023811.oss-cn-hangzhou.aliyuncs.com                              CN  Hangzhou Alibaba Advertising Co.,Ltd.  121.199.204.179  -     clean
2023816.oss-cn-hangzhou.aliyuncs.com                                 CN  Hangzhou Alibaba Advertising Co.,Ltd.  47.110.23.90     -     clean
2023815.oss-cn-hangzhou.aliyuncs.com                                 CN  Hangzhou Alibaba Advertising Co.,Ltd.  121.199.204.174  -     clean
121.199.204.179                                                      CN  Hangzhou Alibaba Advertising Co.,Ltd.  121.199.204.179  -     clean
47.110.23.90                                                         CN  Hangzhou Alibaba Advertising Co.,Ltd.  47.110.23.90     -     clean
121.199.204.174                                                      CN  Hangzhou Alibaba Advertising Co.,Ltd.  121.199.204.174  -     clean
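Two of the "watch" signatures above ("Communicates with host for which no DNS query was performed" and "Network activity contains more than one unique useragent") are simple correlations over the sandbox's network events. The script below is an added example written for this page, not code from the report or from the sandbox. It runs the same two checks over a constructed event stream: the hostnames, IPs and paths are the ones in the Network table, but the timestamps, User-Agent strings and the absence of a DNS answer for 121.199.204.174 are invented to exercise the checks. A third check, requests whose Host header is a bare IP literal, is included because it is the usual reason the no-DNS signature fires for a WinINet downloader.

```python
"""No-DNS connection and multiple-User-Agent checks over a constructed event stream."""
import ipaddress

# Constructed sandbox-style events in time order (not the report's actual capture).
# Hosts and IPs match the report's Network table; the missing DNS answer for
# 121.199.204.174 and the two User-Agent strings are deliberate test fixtures.
SAMPLE_EVENTS = [
    {"t": 1, "kind": "dns", "qname": "2023816.oss-cn-hangzhou.aliyuncs.com",
     "answers": ["47.110.23.90"]},
    {"t": 2, "kind": "http", "dst": "47.110.23.90",
     "host": "2023816.oss-cn-hangzhou.aliyuncs.com", "path": "/qd.CHM",
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0)"},
    {"t": 3, "kind": "http", "dst": "47.110.23.90",
     "host": "2023816.oss-cn-hangzhou.aliyuncs.com", "path": "/md.exe",
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0)"},
    {"t": 4, "kind": "dns", "qname": "yts2023811.oss-cn-hangzhou.aliyuncs.com",
     "answers": ["121.199.204.179"]},
    {"t": 5, "kind": "http", "dst": "121.199.204.179",
     "host": "yts2023811.oss-cn-hangzhou.aliyuncs.com", "path": "/3.bin",
     "ua": "WinINet-Downloader/1.0"},
    {"t": 6, "kind": "http", "dst": "121.199.204.174",
     "host": "121.199.204.174", "path": "/UnityPlayer.dll",
     "ua": "WinINet-Downloader/1.0"},
    {"t": 7, "kind": "http", "dst": "121.199.204.174",
     "host": "121.199.204.174", "path": "/ttd.exe",
     "ua": "WinINet-Downloader/1.0"},
]


def is_ip_literal(host):
    """True when the Host value is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def connections_without_dns(events):
    """HTTP requests whose destination no *earlier* DNS answer resolved to.

    Order matters: a DNS answer that arrives after the connection does not
    excuse it, which is why events are walked by timestamp.
    """
    resolved = set()
    flagged = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["kind"] == "dns":
            resolved.update(ev["answers"])
        elif ev["kind"] == "http" and ev["dst"] not in resolved:
            flagged.append((ev["dst"], ev["path"]))
    return flagged


def raw_ip_hosts(events):
    """Destinations addressed by IP literal in the Host header."""
    return sorted({ev["host"] for ev in events
                   if ev["kind"] == "http" and is_ip_literal(ev["host"])})


def user_agents(events):
    return sorted({ev["ua"] for ev in events if ev["kind"] == "http"})


def analyze(events):
    no_dns = connections_without_dns(events)
    uas = user_agents(events)
    return {
        "no_dns_destinations": sorted({ip for ip, _ in no_dns}),
        "no_dns_requests": no_dns,
        "raw_ip_hosts": raw_ip_hosts(events),
        "user_agents": uas,
        "multiple_user_agents": len(uas) > 1,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The second User-Agent is expected for a sample importing InternetOpenA: WinINet sends whatever the program passed as that call's first argument, so a hand-written downloader almost always presents a string different from the one the system's browser components use.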

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x140009000 VirtualFree
 0x140009008 CopyFileW
 0x140009010 GetModuleFileNameW
 0x140009018 VirtualAlloc
 0x140009020 CreateFileW
 0x140009028 SetStdHandle
 0x140009030 WriteConsoleW
 0x140009038 CloseHandle
 0x140009040 SetFilePointer
 0x140009048 GetStringTypeW
 0x140009050 MultiByteToWideChar
 0x140009058 LCMapStringW
 0x140009060 GetLastError
 0x140009068 HeapFree
 0x140009070 HeapAlloc
 0x140009078 GetProcAddress
 0x140009080 GetModuleHandleW
 0x140009088 ExitProcess
 0x140009090 DecodePointer
 0x140009098 GetCommandLineA
 0x1400090a0 TerminateProcess
 0x1400090a8 GetCurrentProcess
 0x1400090b0 UnhandledExceptionFilter
 0x1400090b8 SetUnhandledExceptionFilter
 0x1400090c0 IsDebuggerPresent
 0x1400090c8 RtlVirtualUnwind
 0x1400090d0 RtlLookupFunctionEntry
 0x1400090d8 RtlCaptureContext
 0x1400090e0 HeapSetInformation
 0x1400090e8 GetVersion
 0x1400090f0 HeapCreate
 0x1400090f8 WriteFile
 0x140009100 GetStdHandle
 0x140009108 EncodePointer
 0x140009110 RtlUnwindEx
 0x140009118 EnterCriticalSection
 0x140009120 LeaveCriticalSection
 0x140009128 InitializeCriticalSectionAndSpinCount
 0x140009130 DeleteCriticalSection
 0x140009138 LoadLibraryW
 0x140009140 FlsGetValue
 0x140009148 FlsSetValue
 0x140009150 FlsFree
 0x140009158 SetLastError
 0x140009160 GetCurrentThreadId
 0x140009168 FlsAlloc
 0x140009170 GetModuleFileNameA
 0x140009178 FreeEnvironmentStringsW
 0x140009180 WideCharToMultiByte
 0x140009188 GetEnvironmentStringsW
 0x140009190 SetHandleCount
 0x140009198 GetFileType
 0x1400091a0 GetStartupInfoW
 0x1400091a8 QueryPerformanceCounter
 0x1400091b0 GetTickCount
 0x1400091b8 GetCurrentProcessId
 0x1400091c0 GetSystemTimeAsFileTime
 0x1400091c8 Sleep
 0x1400091d0 GetCPInfo
 0x1400091d8 GetACP
 0x1400091e0 GetOEMCP
 0x1400091e8 IsValidCodePage
 0x1400091f0 HeapSize
 0x1400091f8 HeapReAlloc
 0x140009200 GetConsoleCP
 0x140009208 GetConsoleMode
 0x140009210 FlushFileBuffers
SHELL32.dll
 0x140009220 ShellExecuteW
WININET.dll
 0x140009250 InternetOpenUrlA
 0x140009258 InternetCloseHandle
 0x140009260 InternetOpenA
 0x140009268 InternetReadFile
SHLWAPI.dll
 0x140009230 PathFindFileNameW
 0x140009238 PathFileExistsW
 0x140009240 PathCombineW

EAT(Export Address Table) is none
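The import table above already tells most of the story the behavioural signatures confirm: WinINet fetch (InternetOpenA, InternetOpenUrlA, InternetReadFile), file drop (CreateFileW, WriteFile, CopyFileW), path staging (PathCombineW, PathFileExistsW, GetModuleFileNameW) and launch (ShellExecuteW), plus IsDebuggerPresent. The Python script below is an added example written for this page, not code from the report or the sandbox. It transcribes the IAT listing, groups imports into capability clusters (the cluster names and the "download-and-execute" label are this editor's own, not the sandbox's), and computes an imphash with the algorithm pefile uses (lower-cased "dll.func" pairs, DLL extension stripped, comma-joined in import-descriptor order, MD5). The script compares its result with the imphash in the report header, but the order in which the page lists the DLLs may not be the binary's import-descriptor order, and ordinal-only imports are not handled, so a mismatch there indicates ordering rather than a transcription error.

```python
"""Static triage of the report's import table: capability clusters and a pefile-style imphash."""
import hashlib

# Transcribed from the IAT listing above (names only, addresses dropped).
REPORT_IMPORTS = {
    "KERNEL32.dll": [
        "VirtualFree", "CopyFileW", "GetModuleFileNameW", "VirtualAlloc",
        "CreateFileW", "SetStdHandle", "WriteConsoleW", "CloseHandle",
        "SetFilePointer", "GetStringTypeW", "MultiByteToWideChar", "LCMapStringW",
        "GetLastError", "HeapFree", "HeapAlloc", "GetProcAddress",
        "GetModuleHandleW", "ExitProcess", "DecodePointer", "GetCommandLineA",
        "TerminateProcess", "GetCurrentProcess", "UnhandledExceptionFilter",
        "SetUnhandledExceptionFilter", "IsDebuggerPresent", "RtlVirtualUnwind",
        "RtlLookupFunctionEntry", "RtlCaptureContext", "HeapSetInformation",
        "GetVersion", "HeapCreate", "WriteFile", "GetStdHandle", "EncodePointer",
        "RtlUnwindEx", "EnterCriticalSection", "LeaveCriticalSection",
        "InitializeCriticalSectionAndSpinCount", "DeleteCriticalSection",
        "LoadLibraryW", "FlsGetValue", "FlsSetValue", "FlsFree", "SetLastError",
        "GetCurrentThreadId", "FlsAlloc", "GetModuleFileNameA",
        "FreeEnvironmentStringsW", "WideCharToMultiByte", "GetEnvironmentStringsW",
        "SetHandleCount", "GetFileType", "GetStartupInfoW", "QueryPerformanceCounter",
        "GetTickCount", "GetCurrentProcessId", "GetSystemTimeAsFileTime", "Sleep",
        "GetCPInfo", "GetACP", "GetOEMCP", "IsValidCodePage", "HeapSize",
        "HeapReAlloc", "GetConsoleCP", "GetConsoleMode", "FlushFileBuffers",
    ],
    "SHELL32.dll": ["ShellExecuteW"],
    "WININET.dll": ["InternetOpenUrlA", "InternetCloseHandle", "InternetOpenA", "InternetReadFile"],
    "SHLWAPI.dll": ["PathFindFileNameW", "PathFileExistsW", "PathCombineW"],
}

# Editor-defined clusters (assumption, not a sandbox rule). A hit is a capability,
# not a verdict: VirtualAlloc is in every MSVC CRT, and only the sandbox's
# RWX-allocation signature shows it was called with an executable protection.
CAPABILITY_SETS = {
    "http_fetch":   {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
    "write_file":   {"CreateFileW", "WriteFile", "CopyFileW"},
    "execute":      {"ShellExecuteW", "CreateProcessW", "WinExec"},
    "path_staging": {"PathCombineW", "PathFileExistsW", "GetModuleFileNameW"},
    "dyn_resolve":  {"LoadLibraryW", "GetProcAddress"},
    "anti_debug":   {"IsDebuggerPresent"},
}

REPORT_IMPHASH = "4ecd752f2d70ad77939724fa31d997d9"  # from the report header


def imphash(imports):
    """pefile-style imphash over named imports, in the dict's (descriptor) order."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def capabilities(imports):
    """Map each cluster name to the imported functions that hit it (empty clusters omitted)."""
    present = {func for funcs in imports.values() for func in funcs}
    return {name: sorted(present & wanted)
            for name, wanted in CAPABILITY_SETS.items() if present & wanted}


def triage(imports):
    caps = capabilities(imports)
    interesting = {func for funcs in caps.values() for func in funcs}
    pattern = ("download-and-execute"
               if {"http_fetch", "write_file", "execute"} <= set(caps)
               else "no clear pattern")
    return {
        "pattern": pattern,
        "capabilities": caps,
        "import_count": sum(len(funcs) for funcs in imports.values()),
        "interesting_count": len(interesting),
        "imphash": imphash(imports),
    }


if __name__ == "__main__":
    result = triage(REPORT_IMPORTS)
    print("pattern:", result["pattern"])
    for name, funcs in result["capabilities"].items():
        print(f"  {name}: {', '.join(funcs)}")
    print(f"{result['interesting_count']} of {result['import_count']} imports are in a cluster")
    print("imphash:", result["imphash"], "matches report:", result["imphash"] == REPORT_IMPHASH)
```

Most of the 67 KERNEL32 imports (the Fls* family, GetStartupInfoW, HeapCreate, Encode/DecodePointer, the code-page and critical-section calls) are MSVC CRT start-up code, so an imphash on a binary like this clusters by build toolchain as much as by author; the dozen imports that land in a cluster are the ones worth pivoting on.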