popup

Report - plaza.exe

EnigmaProtector Malicious Packer PE32 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.02.13 14:02 Machine s1_win7_x6401
Filename plaza.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
9
 Behavior Score
6.6
ZERO API file : clean
VT API (file) 37 detected (AIDetectMalware, Malicious, score, Save, confidence, 100%, GenericKDZ, Attribute, HighConfidence, high confidence, Enigma, TrojanX, RisePro, moderate, Detected, ai score=80, Wacatac, ZexaF, 9I0@a8CQExfk, Genetic, Probably Heur, ExeHeaderL, Static AI, Malicious PE, susgen)
md5 b391262d30720e42f884893464e82b01
sha256 6ff5c30cb8cd9f17edf1b00a2b4a5790795f59a3772a4810926f0d1df27922a1
ssdeep 49152:mcSFen9EqVEcrp9FT41tEwTw2+DISUTHB+Ayy0pIJ0CNFHYXhgBIFPsL7N7HdcxW:9QenzVJp7Mk5uSUV+Au6yCNFH2h9FPqC
imphash 59aeb10eab81e92b5597d86d6e338bce
impfuzzy 6:nERGDvZ/OiBJAEcXQwDLzRgSdn8BbMqtYbdicex/0yNCgyPVe6zA3MLe7+hZ:EcDvZGqA9AwDXRgKQcOx/0yNCPsKAJSn
  Network IP location

Signature (16cnts)

Level Description
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Looks up the external IP address
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
warning EnigmaProtector_IN EnigmaProtector binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.18.146.235 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.5.15 clean
ipinfo.io
whois
US GOOGLE 34.117.186.192 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
www.maxmind.com
whois
US CLOUDFLARENET 104.18.146.235 clean
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
193.233.132.62
whois
RU JSC Redcom-lnternet 193.233.132.62 mailcious
34.117.186.192
whois
US GOOGLE 34.117.186.192 clean
104.18.146.235
whois
US CLOUDFLARENET 104.18.146.235 clean

Suricata ids

ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

kernel32.dll
 0xceaf80 GetModuleHandleA
 0xceaf84 GetProcAddress
 0xceaf88 ExitProcess
 0xceaf8c LoadLibraryA
user32.dll
 0xceaf94 MessageBoxA
advapi32.dll
 0xceaf9c RegCloseKey
oleaut32.dll
 0xceafa4 SysFreeString
gdi32.dll
 0xceafac CreateFontA
shell32.dll
 0xceafb4 ShellExecuteA
version.dll
 0xceafbc GetFileVersionInfoA
ole32.dll
 0xceafc4 CoInitializeEx
WS2_32.dll
 0xceafcc WSAStartup
CRYPT32.dll
 0xceafd4 CryptUnprotectData
SHLWAPI.dll
 0xceafdc PathFindExtensionA
gdiplus.dll
 0xceafe4 GdiplusStartup
SETUPAPI.dll
 0xceafec SetupDiEnumDeviceInterfaces
ntdll.dll
 0xceaff4 RtlUnicodeStringToAnsiString

EAT(Export Address Table) Library


Similarity measure (PE file only) - Checking for service failure