Report - Updater.exe

Tags: Malicious Library, UPX, Malicious Packer, PE File, PE64, OS Processor Check
Created 2023.09.30 13:34 Machine s1_win7_x6401
Filename Updater.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 2
Behavior Score 2.0
ZERO API file : malicious
VT API (file) 33 detected (Common, Artemis, Rugmi, ABTrojan, VXOY, Malicious, score, FileRepMalware, Misc, arcs, ai score=80, Vidar, Detected, unsafe, CLOUD, susgen, PossibleThreat)
md5 67e741557eaa3124261105bff38bc62a
sha256 b2e6a04435ab8d41a5a259072b6c29dec30caa05ed1ec2a8bae2b2670573981e
ssdeep 12288:oVDH4arSas0SRUXA5S9ZgvlZW9AxBK8ctBGOKLDcEHDqYocAXrexgPlBo8Ker5+m:24arTs0S2Q5SgitBj+RacAXUUBLeJ4/
imphash f074e6ca80c6be1bf7a7c56645030fbd
impfuzzy 96:LTkaWQZXGoH0j3nmZc1vXXn3jxNq9GyDX1PJbyEgc4y3:LTkaWUdUjmU3CVF1rh
Network IP location

Signature (5 counts)

Level Description
danger File has been identified by 33 AntiVirus engines on VirusTotal as malicious
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path

Rules (6 counts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2 counts)

Request CC ASN Co IP4 Rule ZERO
mayo.edu US MAYO 129.176.1.88 clean
129.176.1.88 US MAYO 129.176.1.88 clean

Suricata ids

PE API

IAT (Import Address Table) Library

ADVAPI32.dll
 0x1400d9c58 CreateProcessAsUserW
 0x1400d9c60 EventRegister
 0x1400d9c68 EventUnregister
 0x1400d9c70 EventWrite
 0x1400d9c78 RegCloseKey
 0x1400d9c80 RegOpenKeyExW
 0x1400d9c88 RegQueryValueExW
 0x1400d9c90 SystemFunction036
KERNEL32.dll
 0x1400d9ca0 AcquireSRWLockExclusive
 0x1400d9ca8 AssignProcessToJobObject
 0x1400d9cb0 CloseHandle
 0x1400d9cb8 CompareStringW
 0x1400d9cc0 CreateEventW
 0x1400d9cc8 CreateFileW
 0x1400d9cd0 CreateProcessW
 0x1400d9cd8 CreateThread
 0x1400d9ce0 DeleteCriticalSection
 0x1400d9ce8 DeleteFileW
 0x1400d9cf0 DeleteProcThreadAttributeList
 0x1400d9cf8 DuplicateHandle
 0x1400d9d00 EncodePointer
 0x1400d9d08 EnterCriticalSection
 0x1400d9d10 EnumSystemLocalesW
 0x1400d9d18 ExitProcess
 0x1400d9d20 ExitThread
 0x1400d9d28 ExpandEnvironmentStringsW
 0x1400d9d30 FindClose
 0x1400d9d38 FindFirstFileExW
 0x1400d9d40 FindNextFileW
 0x1400d9d48 FlsAlloc
 0x1400d9d50 FlsFree
 0x1400d9d58 FlsGetValue
 0x1400d9d60 FlsSetValue
 0x1400d9d68 FlushFileBuffers
 0x1400d9d70 FormatMessageA
 0x1400d9d78 FreeEnvironmentStringsW
 0x1400d9d80 FreeLibrary
 0x1400d9d88 FreeLibraryAndExitThread
 0x1400d9d90 GetACP
 0x1400d9d98 GetCPInfo
 0x1400d9da0 GetCommandLineA
 0x1400d9da8 GetCommandLineW
 0x1400d9db0 GetConsoleMode
 0x1400d9db8 GetConsoleOutputCP
 0x1400d9dc0 GetCurrentDirectoryW
 0x1400d9dc8 GetCurrentProcess
 0x1400d9dd0 GetCurrentProcessId
 0x1400d9dd8 GetCurrentThread
 0x1400d9de0 GetCurrentThreadId
 0x1400d9de8 GetDateFormatW
 0x1400d9df0 GetDriveTypeW
 0x1400d9df8 GetEnvironmentStringsW
 0x1400d9e00 GetExitCodeProcess
 0x1400d9e08 GetFileAttributesW
 0x1400d9e10 GetFileSizeEx
 0x1400d9e18 GetFileType
 0x1400d9e20 GetFullPathNameW
 0x1400d9e28 GetLastError
 0x1400d9e30 GetLocalTime
 0x1400d9e38 GetLocaleInfoW
 0x1400d9e40 GetModuleFileNameW
 0x1400d9e48 GetModuleHandleA
 0x1400d9e50 GetModuleHandleExW
 0x1400d9e58 GetModuleHandleW
 0x1400d9e60 GetNativeSystemInfo
 0x1400d9e68 GetOEMCP
 0x1400d9e70 GetProcAddress
 0x1400d9e78 GetProcessHeap
 0x1400d9e80 GetProcessId
 0x1400d9e88 GetProductInfo
 0x1400d9e90 GetStartupInfoW
 0x1400d9e98 GetStdHandle
 0x1400d9ea0 GetStringTypeW
 0x1400d9ea8 GetSystemDirectoryW
 0x1400d9eb0 GetSystemInfo
 0x1400d9eb8 GetSystemTimeAsFileTime
 0x1400d9ec0 GetTempPathW
 0x1400d9ec8 GetThreadId
 0x1400d9ed0 GetThreadPriority
 0x1400d9ed8 GetTickCount
 0x1400d9ee0 GetTimeFormatW
 0x1400d9ee8 GetTimeZoneInformation
 0x1400d9ef0 GetUserDefaultLCID
 0x1400d9ef8 GetVersionExW
 0x1400d9f00 GetWindowsDirectoryW
 0x1400d9f08 InitOnceExecuteOnce
 0x1400d9f10 InitializeCriticalSectionAndSpinCount
 0x1400d9f18 InitializeProcThreadAttributeList
 0x1400d9f20 InitializeSListHead
 0x1400d9f28 IsDebuggerPresent
 0x1400d9f30 IsProcessorFeaturePresent
 0x1400d9f38 IsValidCodePage
 0x1400d9f40 IsValidLocale
 0x1400d9f48 IsWow64Process
 0x1400d9f50 LCMapStringW
 0x1400d9f58 LeaveCriticalSection
 0x1400d9f60 LoadLibraryExA
 0x1400d9f68 LoadLibraryExW
 0x1400d9f70 LocalFree
 0x1400d9f78 MultiByteToWideChar
 0x1400d9f80 OutputDebugStringA
 0x1400d9f88 QueryPerformanceCounter
 0x1400d9f90 QueryPerformanceFrequency
 0x1400d9f98 QueryThreadCycleTime
 0x1400d9fa0 RaiseException
 0x1400d9fa8 ReadConsoleW
 0x1400d9fb0 ReadFile
 0x1400d9fb8 ReleaseSRWLockExclusive
 0x1400d9fc0 ResetEvent
 0x1400d9fc8 RtlCaptureContext
 0x1400d9fd0 RtlCaptureStackBackTrace
 0x1400d9fd8 RtlLookupFunctionEntry
 0x1400d9fe0 RtlPcToFileHeader
 0x1400d9fe8 RtlUnwind
 0x1400d9ff0 RtlUnwindEx
 0x1400d9ff8 RtlVirtualUnwind
 0x1400da000 SetEnvironmentVariableW
 0x1400da008 SetEvent
 0x1400da010 SetFilePointerEx
 0x1400da018 SetHandleInformation
 0x1400da020 SetLastError
 0x1400da028 SetStdHandle
 0x1400da030 SetThreadPriority
 0x1400da038 SetUnhandledExceptionFilter
 0x1400da040 Sleep
 0x1400da048 SleepConditionVariableSRW
 0x1400da050 TerminateProcess
 0x1400da058 TlsAlloc
 0x1400da060 TlsFree
 0x1400da068 TlsGetValue
 0x1400da070 TlsSetValue
 0x1400da078 TryAcquireSRWLockExclusive
 0x1400da080 UnhandledExceptionFilter
 0x1400da088 UnregisterWaitEx
 0x1400da090 UpdateProcThreadAttribute
 0x1400da098 VerSetConditionMask
 0x1400da0a0 VerifyVersionInfoW
 0x1400da0a8 VirtualAlloc
 0x1400da0b0 VirtualFree
 0x1400da0b8 VirtualProtect
 0x1400da0c0 VirtualQuery
 0x1400da0c8 WaitForSingleObject
 0x1400da0d0 WaitForSingleObjectEx
 0x1400da0d8 WakeAllConditionVariable
 0x1400da0e0 WakeConditionVariable
 0x1400da0e8 WideCharToMultiByte
 0x1400da0f0 WriteConsoleW
 0x1400da0f8 WriteFile
SHELL32.dll
 0x1400da108 CommandLineToArgvW
 0x1400da110 SHGetFolderPathW
 0x1400da118 SHGetKnownFolderPath
 0x1400da120 ShellExecuteExW
USERENV.dll
 0x1400da130 CreateEnvironmentBlock
 0x1400da138 DestroyEnvironmentBlock
USER32.dll
 0x1400da148 AllowSetForegroundWindow
 0x1400da150 GetActiveWindow
ole32.dll
 0x1400da160 CoInitializeEx
 0x1400da168 CoRegisterInitializeSpy
 0x1400da170 CoRevokeInitializeSpy
 0x1400da178 CoTaskMemFree
 0x1400da180 CoUninitialize
WINMM.dll
 0x1400da190 timeGetTime

EAT (Export Address Table) Library

0x14003fdb0 GetHandleVerifier

Similarity measure (PE file only)