Report - OperaGXSetup.exe

Tags: Generic Malware, PE32, PE File
Created         2023.12.22 15:00
Machine         s1_win7_x6401
Filename        OperaGXSetup.exe
Type            PE32 executable (GUI) Intel 80386, for MS Windows
AI Score        Not found
Behavior Score  3.2
ZERO API file   malware
VT API (file)   47 detected (AIDetectMalware, Coins, ts97, malicious, high confidence, score, Lazy, unsafe, Save, Attribute, HighConfidence, Artemis, TrojanX, Stealerc, TrojanPSW, MarsStealer, ccmw, AHgOndhlWFN, XPACK, moderate, EncPk, Vidar, Detected, ai score=87, Vindor, BMST, ZexaF, @BZ@aSTMiMm, BScope, CoreBot, Static AI, Malicious PE, confidence, 100%)
md5             46431992aa566007949fc4acbc058856
sha256          846f5e52aa6b4f11a29cab1f505463938938c3c5ad8d753fe70a148200c8c446
ssdeep          3072:3+fKfLxPq+l/AGDF+FUN9TgPC543HaHJSp8Bb8EGF9N7:OfKfI+l4GDCACS4Kz8EGF9N
imphash         4e06c011d59529bff8e1f1c88254b928
impfuzzy        3:rTGdWWZIUWwr0Wq2:HwJA00R2

Signature (7 counts)

Level   Description
danger  File has been identified by 47 AntiVirus engines on VirusTotal as malicious
notice  Allocates read-write-execute memory (usually to unpack itself)
notice  HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice  Performs some HTTP requests
notice  The binary likely contains encrypted or compressed data indicative of a packer
info    Queries for the computername
info    The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (3 counts)

Level    Name                  Description        Collection
warning  Generic_Malware_Zero  Generic Malware    binaries (upload)
info     IsPE32                (no description)   binaries (upload)
info     PE_Header_Zero        PE File Signature  binaries (upload)

Network (3 counts)

Request                                  CC  ASN Co           IP4            Rule   ZERO
http://www.msk-post.com/server/init.php  RU  Bank Astany JSC  91.228.225.55  clean
www.msk-post.com                         RU  Bank Astany JSC  91.228.225.55  clean
91.228.225.55                            RU  Bank Astany JSC  91.228.225.55  clean

Suricata IDS

PE API

IAT (Import Address Table)

Library: msvcrt.dll
  0x41e000  _mbsstr
  0x41e004  memset
  0x41e008  _mbsnbcpy

EAT (Export Address Table): none