popup

Report - b.exe

Malicious Packer Malicious Library UPX PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.06.17 10:25 Machine s1_win7_x6401
Filename b.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
3
 Behavior Score
2.6
ZERO API file : clean
VT API (file) 39 detected (AIDetectMalware, Convagent, malicious, moderate confidence, score, Unsafe, Vzab, Attribute, HighConfidence, a variant of WinGo, Gomal, Generic@AI, RDML, y3xovI, YB4mn4C9dvZIYtQ, XPACK, Outbreak, Detected, Sabsik, Casdet, 6WPJIH, ABRisk, SYPB, CobaltStrike, BScope, Static AI, Malicious PE, susgen, confidence)
md5 ccd45a73d555f6a89b06924e150680e5
sha256 c86218367d0caf1b3939762afbb20f97e941da48d10725eb49239126dacd2422
ssdeep 49152:uh0L6UQC+fua+hyHdzy8XkH5DaJc9zOPoze8MoRwFS0bM1qck0zdB0VF1NVm:uyL6Uouxhf9zOPozzE0zqV
imphash 9cbefe68f395e67356e2a5d8d1b285c0
impfuzzy 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP
  Network IP location

Signature (5cnts)

Level Description
danger File has been identified by 39 AntiVirus engines on VirusTotal as malicious
watch Detects the presence of Wine emulator
notice Creates a suspicious process
notice Uses Windows utilities for basic Windows functionality
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (5cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://comprobacion-aerolineas.com:9090/status
whois
BG Terasyst Ltd 94.156.67.86 clean
http://comprobacion-aerolineas.com:9090/output
whois
BG Terasyst Ltd 94.156.67.86 clean
http://comprobacion-aerolineas.com:9090/getcmd
whois
BG Terasyst Ltd 94.156.67.86 clean
http://comprobacion-aerolineas.com:9090/register
whois
BG Terasyst Ltd 94.156.67.86 clean
comprobacion-aerolineas.com
whois
BG Terasyst Ltd 94.156.67.86 clean
94.156.67.86
whois
BG Terasyst Ltd 94.156.67.86 malware

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 15
ET USER_AGENTS Go HTTP Client User-Agent

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x7ea100 WriteFile
 0x7ea104 WriteConsoleW
 0x7ea108 WaitForMultipleObjects
 0x7ea10c WaitForSingleObject
 0x7ea110 VirtualQuery
 0x7ea114 VirtualFree
 0x7ea118 VirtualAlloc
 0x7ea11c SwitchToThread
 0x7ea120 SuspendThread
 0x7ea124 SetWaitableTimer
 0x7ea128 SetUnhandledExceptionFilter
 0x7ea12c SetProcessPriorityBoost
 0x7ea130 SetEvent
 0x7ea134 SetErrorMode
 0x7ea138 SetConsoleCtrlHandler
 0x7ea13c ResumeThread
 0x7ea140 PostQueuedCompletionStatus
 0x7ea144 LoadLibraryA
 0x7ea148 LoadLibraryW
 0x7ea14c SetThreadContext
 0x7ea150 GetThreadContext
 0x7ea154 GetSystemInfo
 0x7ea158 GetSystemDirectoryA
 0x7ea15c GetStdHandle
 0x7ea160 GetQueuedCompletionStatusEx
 0x7ea164 GetProcessAffinityMask
 0x7ea168 GetProcAddress
 0x7ea16c GetEnvironmentStringsW
 0x7ea170 GetConsoleMode
 0x7ea174 FreeEnvironmentStringsW
 0x7ea178 ExitProcess
 0x7ea17c DuplicateHandle
 0x7ea180 CreateWaitableTimerExW
 0x7ea184 CreateThread
 0x7ea188 CreateIoCompletionPort
 0x7ea18c CreateFileA
 0x7ea190 CreateEventA
 0x7ea194 CloseHandle
 0x7ea198 AddVectoredExceptionHandler

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure