popup

Report - Server.exe

UPX PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.06 17:27 Machine s1_win7_x6401
Filename Server.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
9
 Behavior Score
6.0
ZERO API file : malware
VT API (file) 47 detected (AIDetectMalware, malicious, moderate confidence, MulDrop20, DeepScan, Rincux2, FarfliRI, S28114709, Save, Farfli, Eldorado, Attribute, HighConfidence, CJVZ, score, RATX, jowqxn, AGEN, moderate, ai score=82, Magania, F@7jjkv4, Wacatac, Detected, BScope, unsafe, Generic@AI, RDML, gCV1hYbBbdDlu0DAyHzW9w, Static AI, Suspicious PE, susgen, Zard, confidence)
md5 fe262ce1be6d20d9bb8cd378a73d5a3f
sha256 0b4eb7fdae7e90c0bd0dbfc7552865ba6d7dcd03e77efd91b5e246c71f9f2f7c
ssdeep 1536:z+YpZTtGuYKKiRQhEyPD4WnWl0clFBfxwfXUmeKX2o:JptpRQhvPDPW+clFB54eK
imphash e58ab46f2a279ded0846d81bf0fa21f7
impfuzzy 3:swBJAEPwS9KTXzhAXwEQaxRAAbsEBJJ67EGV21MOB:dBJAEHGDzyRlbRmVOZB
  Network IP location

Signature (9cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a service
notice Resolves a suspicious Top Level Domain (TLD)
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX

Rules (3cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
lqwljs.top
whois
Unknown clean
lqwljs.cn
whois
Unknown clean
194.147.140.199
whois
GB Patron Technology Persia Ltd 194.147.140.199 clean
182.42.105.12
whois
CN Cloud Computing Corporation 182.42.105.12 malware

Suricata ids

ET DNS Query to a *.top domain - Likely Hostile

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x460028 LoadLibraryA
 0x46002c GetProcAddress
 0x460030 VirtualProtect
 0x460034 VirtualAlloc
 0x460038 VirtualFree
 0x46003c ExitProcess

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure