Report - bin.exe

Malicious Library AntiDebug AntiVM PE File PE32
Created 2023.09.19 18:34 Machine s1_win7_x6402
Filename bin.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 9
Behavior Score 4.4
ZERO API file : malware
VT API (file) 50 detected (AIDetectMalware, Noon, Inject4, Zusy, FormBook, Vfge, malicious, Attribute, HighConfidence, high confidence, score, bews, PWSX, Rnkl, ZPACK, R002C0DII23, Static AI, Malicious PE, ai score=83, 17XRUK4, Detected, General, unsafe, Generic@AI, RDML, EpiL62kZ3jizHKSFJBq8Iw, Outbreak, susgen, confidence, 100%)
md5 1fcab65c8ca14af17470d1435b74d107
sha256 9c1cb827a9c3195a22dec07c71e32b110509d20c1014ad7609be651ce2e2dfde
ssdeep 3072:ADXg2NbW5ulGBIcDPT+EuxLbQB7PQzlsc8HfzWfLeQvRZ70rVwNurKPLXT78Bx4h:WgUbW5uMB9bTMQxes//z0S+NlTQ
imphash
impfuzzy 3::

Signature (9cnts)

Level Description
danger File has been identified by 50 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Drops an executable to the user AppData folder
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory

Rules (14cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (13cnts)

Request CC ASN Co IP4 Rule ZERO
http://www.lphone-xl.com/bxgk/?xxN=ikWHN4MijQY5AyJKGBKmp9RfDy9IY0OsXenjOEW69DvhU9R0B37fDkF3Su7Bxfr5RqIxN6lkpQFNqNDBJbqyXHPoN3ksIA9BqLmVomk=&cXM=MHHcxFFn5MCj US SERVERCENTRAL 216.246.47.37 clean
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip US Linode, LLC 45.33.6.223 clean
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip US Linode, LLC 45.33.6.223 clean
http://www.3lock.fund/bxgk/ US GOOGLE 35.192.39.194 clean
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip US Linode, LLC 45.33.6.223 clean
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip US Linode, LLC 45.33.6.223 clean
http://www.lphone-xl.com/bxgk/ US SERVERCENTRAL 216.246.47.37 clean
http://www.3lock.fund/bxgk/?xxN=Wu6jB5Q+lKuCukxPzm2WMbWjX+SIDKgUB3U7Kk8DOKw/GtTKhEmwqSjmItXDS9i2eb8Fhjph3IwM4PmyWCSQw+mgytZrpQ9sx2eLMjw=&cXM=MHHcxFFn5MCj US GOOGLE 35.192.39.194 clean
www.lphone-xl.com US SERVERCENTRAL 216.246.47.37 clean
www.3lock.fund US GOOGLE 35.192.39.194 clean
216.246.47.37 US SERVERCENTRAL 216.246.47.37 clean
35.192.39.194 US GOOGLE 35.192.39.194 clean
45.33.6.223 US Linode, LLC 45.33.6.223 clean

Suricata ids

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none
