Report - j-13

Malicious Library Downloader UPX PE32 PE File DLL JPEG Format ZIP Format
Created 2023.11.11 16:43 Machine s1_win7_x6401
Filename j-13
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 6.8
ZERO API file : malware
VT API (file)
md5 2d56b2af47d1e3575ccd27b406f59d03
sha256 85c95c1ce01c89703131a749128e28fd2a35691e66b4af78349393200f66e816
ssdeep 1536:awsdCFnE4Nz1/SXPtpoprAeDYxUfGphK5O:awsAik1a4pGphK5O
imphash f61b3498a024e1606e5633ff05e57b42
impfuzzy 24:414ywa/2/2Jej0DC8lrMU7Kt0G7POovgk3cfS7yv5FQHOT4CrnQnAdATIij3wkgZ:22+8t0G7mccfSINcCrnBGTIy3/grdL

Signature (16cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Attempts to modify UAC prompt behavior
watch Communicates with host for which no DNS query was performed
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process rundll32.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername

Rules (11cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info zip_file_format ZIP file format binaries (download)

Network (5cnts)

Request CC ASN Co IP4 Rule ZERO
http://216.83.53.161:8000/2 US BGPNET Global ASN 216.83.53.161 clean
http://216.83.53.161:8000/3 US BGPNET Global ASN 216.83.53.161 clean
http://216.83.53.161:8000/1 US BGPNET Global ASN 216.83.53.161 clean
http://216.83.53.161:8000/4 US BGPNET Global ASN 216.83.53.161 clean
216.83.53.161 US BGPNET Global ASN 216.83.53.161 malware

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x1000e008 WriteFile
 0x1000e00c CreateFileA
 0x1000e010 LocalReAlloc
 0x1000e014 LocalAlloc
 0x1000e018 Sleep
 0x1000e01c Process32Next
 0x1000e020 Process32First
 0x1000e024 CreateToolhelp32Snapshot
 0x1000e028 GetLastError
 0x1000e02c CreateDirectoryA
 0x1000e030 GetFileAttributesA
 0x1000e034 ExpandEnvironmentStringsA
 0x1000e038 CreateMutexA
 0x1000e03c OpenMutexA
 0x1000e040 SetLastError
 0x1000e044 VirtualAlloc
 0x1000e048 VirtualFree
 0x1000e04c LoadLibraryA
 0x1000e050 GetProcAddress
 0x1000e054 LocalFree
 0x1000e058 HeapAlloc
 0x1000e05c FlushFileBuffers
 0x1000e060 WriteConsoleW
 0x1000e064 GetConsoleOutputCP
 0x1000e068 WriteConsoleA
 0x1000e06c SetStdHandle
 0x1000e070 InitializeCriticalSectionAndSpinCount
 0x1000e074 GetConsoleMode
 0x1000e078 GetConsoleCP
 0x1000e07c SetFilePointer
 0x1000e080 HeapSize
 0x1000e084 HeapFree
 0x1000e088 CloseHandle
 0x1000e08c GetSystemTimeAsFileTime
 0x1000e090 TerminateProcess
 0x1000e094 GetCurrentProcess
 0x1000e098 UnhandledExceptionFilter
 0x1000e09c SetUnhandledExceptionFilter
 0x1000e0a0 IsDebuggerPresent
 0x1000e0a4 RaiseException
 0x1000e0a8 RtlUnwind
 0x1000e0ac HeapReAlloc
 0x1000e0b0 MultiByteToWideChar
 0x1000e0b4 WideCharToMultiByte
 0x1000e0b8 GetCurrentThreadId
 0x1000e0bc GetCommandLineA
 0x1000e0c0 GetModuleHandleW
 0x1000e0c4 TlsGetValue
 0x1000e0c8 TlsAlloc
 0x1000e0cc TlsSetValue
 0x1000e0d0 TlsFree
 0x1000e0d4 InterlockedIncrement
 0x1000e0d8 InterlockedDecrement
 0x1000e0dc GetCPInfo
 0x1000e0e0 GetACP
 0x1000e0e4 GetOEMCP
 0x1000e0e8 IsValidCodePage
 0x1000e0ec DeleteCriticalSection
 0x1000e0f0 LeaveCriticalSection
 0x1000e0f4 EnterCriticalSection
 0x1000e0f8 HeapCreate
 0x1000e0fc HeapDestroy
 0x1000e100 ExitProcess
 0x1000e104 GetStdHandle
 0x1000e108 GetModuleFileNameA
 0x1000e10c SetHandleCount
 0x1000e110 GetFileType
 0x1000e114 GetStartupInfoA
 0x1000e118 FreeEnvironmentStringsA
 0x1000e11c GetEnvironmentStrings
 0x1000e120 FreeEnvironmentStringsW
 0x1000e124 GetEnvironmentStringsW
 0x1000e128 QueryPerformanceCounter
 0x1000e12c GetTickCount
 0x1000e130 GetCurrentProcessId
 0x1000e134 LCMapStringA
 0x1000e138 LCMapStringW
 0x1000e13c GetStringTypeA
 0x1000e140 GetStringTypeW
 0x1000e144 GetLocaleInfoA
USER32.dll
 0x1000e154 PostQuitMessage
 0x1000e158 TranslateMessage
 0x1000e15c DispatchMessageA
 0x1000e160 KillTimer
 0x1000e164 SetTimer
 0x1000e168 GetMessageA
 0x1000e16c MessageBoxW
 0x1000e170 GetDesktopWindow
SHELL32.dll
 0x1000e14c ShellExecuteExA
WININET.dll
 0x1000e178 InternetReadFile
 0x1000e17c InternetOpenA
 0x1000e180 InternetOpenUrlA
 0x1000e184 InternetCloseHandle
CRYPT32.dll
 0x1000e000 CryptStringToBinaryA

EAT (Export Address Table) Library

0x100029b0 Edge
