popup

Report - DNS1.exe

PE32 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.12.15 18:18 Machine s1_win7_x6401
Filename DNS1.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
9
 Behavior Score
6.4
ZERO API file : malware
VT API (file) 59 detected (AIDetectMalware, Zegost, Mauvaise, Save, malicious, confidence, 100%, moderate confidence, hgxz, dygxrv, Aujl, SM14, high, score, Static AI, Malicious PE, ai score=81, batqb, Detected, Eldorado, BigBadWolf, Farfli, Redosdru, FG@6j5x7c, R147282, GenericRXAA, unsafe, Lebag, CLOUD, GenAsa, D02KaQdmbtM, susgen)
md5 6a23b6e2536f7027a8506c87245eea5d
sha256 7d044f688c9c50f08f18bcda8ac384edc065d498b6ef1b1ff84c413da3bba75e
ssdeep 192:y+8o9QKLn4omNPhjg8BPP5rsls4I1E6SnYe+PjPQu7qrPyIAm+vy6QEr9ZCspE+z:hFLshjg8BPhgTq5SnYPLQjyIANweM
imphash ec35fdc32140e96ba0e398fab5903c80
impfuzzy 3:swBJAEPwS9KTXzhAXwEQaxRAAbsEBJJ67EGV21MO/MMASyhnfXL4LARLMabd:dBJAEHGDzyRlbRmVOZ/M5Syhf946d
  Network IP location

Signature (12cnts)

Level Description
danger File has been identified by 59 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a service
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX

Rules (2cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (8cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
whois
Unknown 43.159.233.101 clean
http://www.996-m2.xyz:1881/logng.dll
whois
US PEGTECHINC 163.197.245.130 clean
users.qzone.qq.com
whois
Unknown 43.159.233.101 mailcious
www.996m2m2.top
whois
US PEGTECHINC 163.197.245.240 clean
www.996-m2.xyz
whois
US PEGTECHINC 163.197.245.130 clean
163.197.245.130
whois
US PEGTECHINC 163.197.245.130 clean
163.197.245.240
whois
US PEGTECHINC 163.197.245.240 clean
43.129.2.81
whois
Unknown 43.129.2.81 clean

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 16
ET DNS Query to a *.top domain - Likely Hostile
ET INFO TLS Handshake Failure
ET HUNTING Rejetto HTTP File Sever Response

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x407064 LoadLibraryA
 0x407068 GetProcAddress
 0x40706c VirtualProtect
 0x407070 VirtualAlloc
 0x407074 VirtualFree
 0x407078 ExitProcess
imagehlp.dll
 0x407080 MakeSureDirectoryPathExists
MSVCRT.dll
 0x407088 exit
WININET.dll
 0x407090 InternetOpenA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure