Report - install.exe

UPX PE File PE32
Created 2023.09.11 17:58 Machine s1_win7_x6401
Filename install.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 6.0
ZERO API file : malware
VT API (file) 43 detected (AIDetectMalware, Darkrat, malicious, high confidence, Zusy, Save, confidence, 100%, ZexaF, sz0aa0kM5rd, Themida, Eldorado, Attribute, HighConfidence, score, DInvoke, Risktool, Osmw, AGEN, high, Static AI, Suspicious PE, ai score=80, Bladabindi, Detected, Artemis, unsafe, Probably Heur, ExeHeaderL, Generic@AI, RDML, wCt8w7kFjG, 5ff5IKkx3YQ)
md5 c9a2e54e8501a2f6dd57255225999b40
sha256 e2b8091be64890dacb851ae14b76723cff23b48048ec29c7eb5754ed2c89d5c4
ssdeep 24576:eCcJMTx/DszjipRnGKKfiqTJ7WGorsWTnkKRzjIKue1kJIBfFRVzv:UJAx/Dsz2NAi4wbpL3lfueW2FR
imphash baa93d47220682c04d92f7797d9224ce
impfuzzy 3:sBRGKqX1GtLRaY:nlc9
Network IP location

Signature (12cnts)

Level Description
danger File has been identified by 43 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (3cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts)

Request CC ASN Co IP4 Rule ZERO
https://pastebin.com/raw/pdRjLLjy US CLOUDFLARENET 172.67.34.170 clean
pastebin.com US CLOUDFLARENET 172.67.34.170 malicious
195.58.51.109 RU Fibrenet Ltd 195.58.51.109 clean
172.67.34.170 US CLOUDFLARENET 172.67.34.170 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

kernel32.dll
 0x416033 lstrcpy
comctl32.dll
 0x41603b InitCommonControls

EAT (Export Address Table): none

Similarity measure (PE file only) - Checking for service failure