Report - axx.exe

Malicious Library PE File PE64
ScreenShot
Created 2023.11.27 09:30 Machine s1_win7_x6401
Filename axx.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
10
Behavior Score
3.2
ZERO API file : malware
VT API (file) 52 detected (AIDetectMalware, Bulz, CobaltStrike, malicious, Genus, Cobalt, Windows, Artifact, Cobalstrike, AGEN, COBEACON, Static AI, Malicious PE, ai score=86, CozyDuke, Detected, Eldorado, Kryptik, score, R363496, GdSda, CLASSIC, susgen, confidence, 100%)
md5 37ef17ae6a134a55482b0d84126d2ab8
sha256 a38d5972dfa2fda1c5416ac91034c36462586575097d8b46775b2e689e5d9496
ssdeep 192:ZV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2B5vv7JOWF8qa1Dojjgi:7qaCF31cix+Dc4zjEJJvFF46gi
imphash 147442e63270e287ed57d33257638324
impfuzzy 24:Q2kfg1JlDzncJ9aa0mezlMG95XGDZykoDquQZn:gfg1jcJbezlRJGVykoqz
  Network IP location

Signature (4cnts)

Level Description
danger File has been identified by 52 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)

Rules (3cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
1.94.97.134 CN China Unicom Beijing Province Network 1.94.97.134 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x409224 CloseHandle
 0x40922c ConnectNamedPipe
 0x409234 CreateFileA
 0x40923c CreateNamedPipeA
 0x409244 CreateThread
 0x40924c DeleteCriticalSection
 0x409254 EnterCriticalSection
 0x40925c GetCurrentProcess
 0x409264 GetCurrentProcessId
 0x40926c GetCurrentThreadId
 0x409274 GetLastError
 0x40927c GetModuleHandleA
 0x409284 GetProcAddress
 0x40928c GetStartupInfoA
 0x409294 GetSystemTimeAsFileTime
 0x40929c GetTickCount
 0x4092a4 InitializeCriticalSection
 0x4092ac LeaveCriticalSection
 0x4092b4 QueryPerformanceCounter
 0x4092bc ReadFile
 0x4092c4 RtlAddFunctionTable
 0x4092cc RtlCaptureContext
 0x4092d4 RtlLookupFunctionEntry
 0x4092dc RtlVirtualUnwind
 0x4092e4 SetUnhandledExceptionFilter
 0x4092ec Sleep
 0x4092f4 TerminateProcess
 0x4092fc TlsGetValue
 0x409304 UnhandledExceptionFilter
 0x40930c VirtualAlloc
 0x409314 VirtualProtect
 0x40931c VirtualQuery
 0x409324 WriteFile
msvcrt.dll
 0x409334 __C_specific_handler
 0x40933c __getmainargs
 0x409344 __initenv
 0x40934c __iob_func
 0x409354 __lconv_init
 0x40935c __set_app_type
 0x409364 __setusermatherr
 0x40936c _acmdln
 0x409374 _amsg_exit
 0x40937c _cexit
 0x409384 _fmode
 0x40938c _initterm
 0x409394 _onexit
 0x40939c abort
 0x4093a4 calloc
 0x4093ac exit
 0x4093b4 fprintf
 0x4093bc free
 0x4093c4 fwrite
 0x4093cc malloc
 0x4093d4 memcpy
 0x4093dc signal
 0x4093e4 sprintf
 0x4093ec strlen
 0x4093f4 strncmp
 0x4093fc vfprintf

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure