Report - setup%E4%B8%8B%E8%BD%BD%E5%90%8D%E5%8D%95%E7%9B%AE%E5%BD%956001.exe

Tags: Generic Malware, UPX, PE64, PE File
Created: 2024.06.14 09:43    Machine: s1_win7_x6401
Filename: setup%E4%B8%8B%E8%BD%BD%E5%90%8D%E5%8D%95%E7%9B%AE%E5%BD%956001.exe
  (URL-encoded; decodes to setup下载名单目录6001.exe, roughly "setup download-list directory 6001.exe")
Type: PE32+ executable (GUI) x86-64, for MS Windows
AI Score: 10
Behavior Score: 4.0
ZERO API file: malware
VT API (file): 50 detected (label fragments: AIDetectMalware, Convagent, malicious, moderate confidence, score, Artemis, Tedy, Unsafe, Save, Attribute, HighConfidence, CLOUD, bmmfl, R002C0XES24, moderate, Detected, Phonzy, Casdet, ABRisk, HKMG, Chgt, Oader, ai score=83, PossibleThreat, PALLAS, confidence)
md5 7ff7c6f0c4233bc3c77cdb833764af21
sha256 2230f123368eccb392a097b49de5787b01b9045da5f7f39790004f4714f6895a
ssdeep 24576:7rR64OP+8f3Xi81y598h4aUR2ioM0wD+Ec0xMkN8JsU3Aoh9lsGAFA:3RFOP+Z81yvqY2io/wO9ljAFA
imphash 6c29ae5aa6b6070da1952d552421e5b9
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRGU653EWR:dBJAEoZ/OEGDzyRe3EWR

Signature (7cnts)

Level Description
danger File has been identified by 50 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
watch Communicates with host for which no DNS query was performed
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Checks amount of memory in system
info One or more processes crashed
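The two packer signatures above ("encrypted or compressed data" and "compressed using UPX") come from cheap static checks: section names, a first section with no bytes on disk, per-section entropy, and the UPX! PackHeader marker. The script below is an added example, not the sandbox's own code. It runs those checks with only the standard library against a constructed PE32+ image that mimics the UPX section layout (the sample from the report is not embedded); packer_indicators() can be pointed at a real file's bytes instead.

```python
"""Packer triage for a PE image using only the standard library.

Added example for this report, not the sandbox's code. The input is a constructed
PE32+ image from build_sample() that mimics the UPX section layout; it is not the
sample from the report. For a real file: packer_indicators(open(path, "rb").read()).
"""
import hashlib
import math
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, near 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (optional-header magic, [section dicts]) from a PE file in memory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]      # 0x10B = PE32, 0x20B = PE32+
    sections, off = [], opt_off + opt_size
    for _ in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from(SECTION_HDR, pe, off)[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "data": pe[rawptr:rawptr + rawsize],
        })
        off += struct.calcsize(SECTION_HDR)
    return magic, sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Collect the cheap static signals behind 'packed/compressed' verdicts."""
    magic, sections = parse_sections(pe)
    first = sections[0] if sections else None
    entropies = [(s["name"], shannon_entropy(s["data"])) for s in sections]
    return {
        "pe64": magic == 0x20B,
        # UPX names its sections UPX0/UPX1 unless the operator renames them
        "upx_section_names": [s["name"] for s in sections if s["name"].startswith("UPX")],
        # UPX0 is the unpack target: large virtual size, zero bytes on disk
        "empty_first_section": bool(first and first["raw_size"] == 0 and first["virtual_size"] > 0),
        # compressed/encrypted payloads sit near 8 bits/byte; plain code and data stay well below
        "high_entropy_sections": [(n, round(e, 2)) for n, e in entropies if e > entropy_threshold],
        # the PackHeader magic that 'upx -d' looks for; trivially stripped in hand-edited samples
        "upx_marker": b"UPX!" in pe,
    }


def build_sample() -> bytes:
    """Constructed PE32+ with the classic UPX layout: UPX0 (no raw data), UPX1 (high-entropy payload), .rsrc."""
    payload, chunk = b"", b"constructed-seed"
    while len(payload) < 4096:        # sha256 chain: deterministic stand-in for compressed code
        chunk = hashlib.sha256(chunk).digest()
        payload += chunk
    rsrc = b"RSRC" + bytes(508)       # low-entropy filler
    headers_end = 64 + 4 + 20 + 240 + 3 * 40                                  # 448; raw data starts at 512
    sect = struct.pack(SECTION_HDR, b"UPX0", 0x20000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sect += struct.pack(SECTION_HDR, b"UPX1", 0x2000, 0x21000, len(payload), 512, 0, 0, 0, 0, 0xE0000040)
    sect += struct.pack(SECTION_HDR, b".rsrc", 0x200, 0x23000, len(rsrc), 512 + len(payload), 0, 0, 0, 0, 0xC0000040)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)             # x86-64, 3 sections, PE32+ opt hdr
    opt = struct.pack("<H", 0x20B) + bytes(238)                                # only the magic matters here
    slack = b"UPX!" + bytes(512 - headers_end - 4)                             # marker in header slack
    return dos + b"PE\0\0" + coff + opt + sect + slack + payload + rsrc


SAMPLE = build_sample()
PACKER_REPORT = packer_indicators(SAMPLE)

if __name__ == "__main__":
    for key, value in PACKER_REPORT.items():
        print(f"{key:24} {value}")
```

None of these signals alone is a verdict: a renamed section table or a stripped marker defeats the name and marker checks, and any file carrying an embedded archive or certificate will show a high-entropy section. They are triage hints that tell you the import table and strings you see statically are the stub's, not the program's.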

Rules (4cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request  CC  ASN  Co  IP4  Rule  ZERO
8.134.33.55  Unknown  8.134.33.55  clean
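The "no DNS query" and "no longer responding" signatures are a correlation over the sandbox's own network events. The following is an added example, not the sandbox's rule code: it replays constructed event lines in order and tags connections whose destination was never returned by an earlier DNS answer, and connections whose handshake never completed. Only 8.134.33.55 is from the report; its outcome and every other address and hostname are constructed.

```python
"""Correlate a sandbox's DNS answers with its outbound connections.

Added example for this report, not the sandbox's own detection code. The event
lines are constructed; only 8.134.33.55 comes from the report, and its 'timeout'
outcome stands in for the report's 'no longer responding' observation.
"""
import re
from ipaddress import ip_address, ip_network

EVENTS = [
    "dns cdn.example A 203.0.113.10",
    "tcp 203.0.113.10 443 established",   # resolved first: ordinary behaviour
    "tcp 8.134.33.55 80 timeout",         # hard-coded address, host never answered
    "tcp 198.51.100.7 8080 established",  # hard-coded address that is still alive
    "tcp 10.0.2.2 53 established",        # sandbox gateway: not a verdict signal
    "tcp 192.0.2.44 443 timeout",         # used before any answer named it
    "dns update.example A 192.0.2.44",
    "tcp 192.0.2.44 443 established",     # same host after the answer: clean
]

DNS_RE = re.compile(r"^dns (?P<qname>\S+) (?P<rtype>A|AAAA) (?P<ip>\S+)$")
TCP_RE = re.compile(r"^tcp (?P<ip>\S+) (?P<port>\d+) (?P<result>\S+)$")

# Sandbox-internal ranges. Deliberately not ipaddress's is_private, which also
# covers the RFC 5737 documentation ranges used in these constructed events.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip) -> bool:
    return any(ip in net for net in LOCAL_NETS)


def analyze(lines):
    """Walk events in order. A connection is 'no_dns' if no earlier answer returned
    its address and 'no_reply' if the handshake did not complete."""
    resolved = {}                      # ip -> set of names it was returned for
    findings = []
    for line in lines:
        if m := DNS_RE.match(line):
            resolved.setdefault(ip_address(m["ip"]), set()).add(m["qname"])
            continue
        if m := TCP_RE.match(line):
            ip = ip_address(m["ip"])
            if is_local(ip):
                continue
            tags = []
            if ip not in resolved:
                tags.append("no_dns")
            if m["result"] != "established":
                tags.append("no_reply")
            if tags:
                findings.append((str(ip), int(m["port"]), tags))
    return findings


FINDINGS = analyze(EVENTS)

if __name__ == "__main__":
    for ip, port, tags in FINDINGS:
        print(f"{ip}:{port}  {', '.join(tags)}")
```

Order matters: an answer that arrives after the connection does not retroactively clear it, which is what distinguishes a hard-coded address from a resolved one. A dead host is weaker evidence on its own (the infrastructure may simply have been taken down between sample submission and detonation), which is why the report pairs it with the missing lookup.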

Suricata IDS (none listed)

PE API

IAT (Import Address Table)

KERNEL32.DLL
 0x526a38 LoadLibraryA
 0x526a40 ExitProcess
 0x526a48 GetProcAddress
 0x526a50 VirtualProtect
msvcrt.dll
 0x526a60 exit
WINHTTP.dll
 0x526a70 WinHttpOpen

EAT (Export Address Table): none

Note: this six-entry IAT is the UPX stub's import set, not the program's. The stub keeps LoadLibraryA and GetProcAddress to resolve the original imports at runtime, VirtualProtect to restore page permissions after unpacking, ExitProcess, and one named import per original DLL (here msvcrt.dll and WINHTTP.dll) so the loader still maps those libraries. WinHttpOpen is therefore the only static hint of network capability; the real import list is only visible after unpacking (for example with upx -d) or from a memory dump taken after the stub has run.
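An added example over the IAT listed above (not the sandbox's code): imphash() reproduces the pefile/Mandiant import-hash recipe, and looks_like_upx_stub() encodes the analyst heuristic that this table belongs to the UPX stub rather than to the program. Whether the digest reproduces the report's imphash value depends on the listing being complete and in table order, so the result is printed for comparison rather than asserted.

```python
"""Import hash and packer-stub check over the IAT listed in the report.

Added example, not the sandbox's code. imphash() follows the pefile/Mandiant
recipe (lowercase dll.func pairs with the .dll/.ocx/.sys extension stripped,
comma-joined, MD5). looks_like_upx_stub() is an analyst heuristic, not a rule.
"""
import hashlib

# The six imports from the report, in IAT order.
REPORT_IMPORTS = [
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "ExitProcess"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("msvcrt.dll", "exit"),
    ("WINHTTP.dll", "WinHttpOpen"),
]

# What the UPX stub needs for itself: resolve the real imports at runtime,
# restore page protections after decompression, and exit cleanly.
UPX_STUB_KERNEL32 = {"loadlibrarya", "getprocaddress", "virtualprotect", "exitprocess"}


def imphash(imports) -> str:
    """imports: iterable of (dll, name_or_ordinal). Ordinals become 'ordN';
    pefile additionally maps ws2_32/oleaut32 ordinals to names, which this
    version omits, so ordinal-only tables may hash differently from pefile's."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        func = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{func}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def looks_like_upx_stub(imports) -> bool:
    """True when kernel32 supplies the stub's resolver set and every other DLL
    contributes exactly one import (UPX keeps one per DLL so the loader still
    maps it; everything else is resolved by the stub through GetProcAddress)."""
    by_dll = {}
    for dll, func in imports:
        by_dll.setdefault(dll.lower(), set()).add(str(func).lower())
    if not UPX_STUB_KERNEL32 <= by_dll.get("kernel32.dll", set()):
        return False
    return all(len(funcs) == 1 for dll, funcs in by_dll.items() if dll != "kernel32.dll")


if __name__ == "__main__":
    print("computed imphash:", imphash(REPORT_IMPORTS))
    print("report  imphash: 6c29ae5aa6b6070da1952d552421e5b9")
    print("UPX stub pattern:", looks_like_upx_stub(REPORT_IMPORTS))
```

Because the hash covers only the stub's imports, every UPX-packed PE64 with the same set of surviving DLLs shares this imphash; it clusters packer configurations, not malware families. Pivoting on it in VirusTotal or a retrohunt will return unrelated packed samples, so the useful import hash is the one taken after unpacking.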


