Report - bin.exe

Formbook Malicious Library Malicious Packer PE32 PE File

ScreenShot

Info
Location map


Created	2024.01.25 08:56	Machine	s1_win7_x6403
Filename	bin.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	10	Behavior Score	3.6
ZERO API	file : malware
VT API (file)	53 detected (AIDetectMalware, Formbook, Windows, Diceloader, Malicious, score, GenericPMF, S31790698, GenericRXCD, unsafe, Lazy, Save, ccmw, CLASSIC, ZPACK, Siggen9, SMYXDDE, Detected, ai score=81, 100IPS, Eldorado, X2185, BScope, TrojanPSW, Mqil, Static AI, Malicious PE, susgen, GenKryptik, AYEB, confidence, 100%)
md5	d36b9ed936c51fc667d67cb5fa419a94
sha256	74af268a3cc5fe46f85426eb5896ecd93384185bbd2df9274363166308921460
ssdeep	3072:XrNO0kCgRx0pGY3RdK52rOlwFhhVD+joLtVzLP6WFB2v:NgVWRA4rOlwFh5r+2B2v
imphash
impfuzzy	3::

Network IP location

Signature (7cnts)

Level	Description
danger	File has been identified by 53 AntiVirus engines on VirusTotal as malicious
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	The binary likely contains encrypted or compressed data indicative of a packer

Rules (7cnts)

Level	Name	Description	Collection
danger	win_formbook_auto	Detects win.formbook.	binaries (upload)
danger	win_formbook_w0	(no description)	binaries (upload)
danger	Win_Trojan_Formbook_Zero	Used Formbook	binaries (upload)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (upload)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (13cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://www.zhangnational.site/b21s/?LZa0=y0Dj+cpzYNB0KREV3i9vRRBmemYalAwO39f2/WBFUnsbQy2Uen8j2v8X32Jt1Fp/TC7TXkMI&uTux=njoTZ26xmz whois		CLOUDFLARENET	104.21.49.198		clean
http://www.gattgraphic.com/b21s/?LZa0=EodxxVnP6AALhCm6PMojoLYK50H/6a9ovP9+wbqeR1Lo4rltyls8iqRv+JR8KYWFAhTe4tyj&uTux=njoTZ26xmz whois			34.149.87.45		clean
http://www.family-doctor-79417.com/b21s/?LZa0=Mxt8ckLWX1wN0TXkckU8PS2/S2ul7U/m+MSjsB7vFpbxPb8t47jkcaQcBHmi0NSFrzd3m2nN&uTux=njoTZ26xmz whois		Trellian Pty. Limited	103.224.212.213		clean
http://www.martinkeyword.top/b21s/?LZa0=0tEjvMOQZ1u+KiVdVD9NMdDqyg4NNl7IsBZDKOPbb44psP0R1uri9OUTuHQ9LNmBSi0J17UR&uTux=njoTZ26xmz whois		CLOUDFLARENET	172.67.154.225		clean
www.bruderhertz.art whois					clean
www.gattgraphic.com whois			34.149.87.45		clean
www.family-doctor-79417.com whois		Trellian Pty. Limited	103.224.212.213		clean
www.zhangnational.site whois		CLOUDFLARENET	104.21.49.198		clean
www.martinkeyword.top whois		CLOUDFLARENET	172.67.154.225		clean
34.149.87.45 whois			34.149.87.45		phishing
104.21.6.136 whois		CLOUDFLARENET	104.21.6.136		clean
103.224.212.213 whois		Trellian Pty. Limited	103.224.212.213		clean
172.67.166.205 whois		CLOUDFLARENET	172.67.166.205		clean

Suricata ids

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure