Report - bin.exe

Generic Malware Malicious Packer Malicious Library UPX .NET framework(MSIL) PE File PE32 OS Processor Check PE64 .NET EXE JPEG Format
Created 2024.06.19 09:59 Machine s1_win7_x6403
Filename bin.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 7.4
ZERO API file : malicious
VT API (file) 59 detected (Deyma, Windows, Threat, Malicious, score, Zusy, Unsafe, Save, Delf, Attribute, HighConfidence, Amadey, Artemis, BotX, Redcap, koqimc, 5qH3vzGUSkV, blcoe, DownLoader47, YXEFQZ, Real Protect, high, Outbreak, Detected, ai score=87, Casdet, Eldorado, R653644, ZexaF, AuW@aOikWCoi, BScope, Chgt, Gencirc, Static AI, Suspicious PE, confidence, 100%)
md5 13e5872e9b7c47090e035dc228c5589f
sha256 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
ssdeep 6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz
imphash 17fdfd4b0f74c4632463578cbbe1a2a0
impfuzzy 96:AX3DGKnh5Edcg+JU0tWmuX17fysX+kXpEi0ZFRLnYMI:AKM8hF7fHOk5EbSMI

Signature (15 counts)

Level Description
danger File has been identified by 59 AntiVirus engines on VirusTotal as malicious
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process hkbsse.exe
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method

Rules (18 counts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (10 counts)

Request CC ASN Co IP4 Rule ZERO
http://o7labs.top/visual/skins/index.php BG Natskovi & Sie Ltd. 91.92.240.234 clean
http://o7labs.top/visual/skins/index.php?scr=1 BG Natskovi & Sie Ltd. 91.92.240.234 clean
http://o7labs.top/visual/blob.exe BG Natskovi & Sie Ltd. 91.92.240.234 malware
http://o7labs.top/visual/build.exe BG Natskovi & Sie Ltd. 91.92.240.234 clean
pool.hashvault.pro US 1GSERVERS 142.202.242.43 malicious
o7labs.top BG Natskovi & Sie Ltd. 91.92.240.234 malicious
47.76.164.119 Unknown 47.76.164.119 malicious
91.92.240.234 BG Natskovi & Sie Ltd. 91.92.240.234 malicious
91.92.244.178 BG Natskovi & Sie Ltd. 91.92.244.178 clean
125.253.92.50 AU FireNet Pty Ltd 125.253.92.50 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x45204c GetSystemInfo
 0x452050 CreateThread
 0x452054 GetLocalTime
 0x452058 GetThreadContext
 0x45205c GetProcAddress
 0x452060 VirtualAllocEx
 0x452064 RemoveDirectoryA
 0x452068 CloseHandle
 0x45206c CreateProcessA
 0x452070 CreateDirectoryA
 0x452074 SetThreadContext
 0x452078 SetEndOfFile
 0x45207c DecodePointer
 0x452080 ReadConsoleW
 0x452084 HeapReAlloc
 0x452088 HeapSize
 0x45208c CreateFileA
 0x452090 GetFileAttributesA
 0x452094 GetLastError
 0x452098 GetTempPathA
 0x45209c SetCurrentDirectoryA
 0x4520a0 Sleep
 0x4520a4 GetModuleHandleA
 0x4520a8 ResumeThread
 0x4520ac GetComputerNameExW
 0x4520b0 GetVersionExW
 0x4520b4 WaitForSingleObject
 0x4520b8 CreateMutexA
 0x4520bc VirtualAlloc
 0x4520c0 WriteFile
 0x4520c4 VirtualFree
 0x4520c8 WriteProcessMemory
 0x4520cc GetModuleFileNameA
 0x4520d0 ReadProcessMemory
 0x4520d4 ReadFile
 0x4520d8 GetTimeZoneInformation
 0x4520dc GetConsoleMode
 0x4520e0 GetConsoleCP
 0x4520e4 FlushFileBuffers
 0x4520e8 GetStringTypeW
 0x4520ec GetProcessHeap
 0x4520f0 SetEnvironmentVariableW
 0x4520f4 FreeEnvironmentStringsW
 0x4520f8 GetEnvironmentStringsW
 0x4520fc GetCPInfo
 0x452100 GetOEMCP
 0x452104 GetACP
 0x452108 IsValidCodePage
 0x45210c FindNextFileW
 0x452110 FindFirstFileExW
 0x452114 FindClose
 0x452118 SetFilePointerEx
 0x45211c SetStdHandle
 0x452120 GetFullPathNameW
 0x452124 GetCurrentDirectoryW
 0x452128 DeleteFileW
 0x45212c LCMapStringW
 0x452130 CompareStringW
 0x452134 MultiByteToWideChar
 0x452138 HeapAlloc
 0x45213c HeapFree
 0x452140 GetCommandLineW
 0x452144 GetCommandLineA
 0x452148 GetStdHandle
 0x45214c FileTimeToSystemTime
 0x452150 SystemTimeToTzSpecificLocalTime
 0x452154 PeekNamedPipe
 0x452158 GetFileType
 0x45215c GetFileInformationByHandle
 0x452160 GetDriveTypeW
 0x452164 RaiseException
 0x452168 GetCurrentThreadId
 0x45216c IsProcessorFeaturePresent
 0x452170 QueueUserWorkItem
 0x452174 GetModuleHandleExW
 0x452178 FormatMessageW
 0x45217c WideCharToMultiByte
 0x452180 EnterCriticalSection
 0x452184 LeaveCriticalSection
 0x452188 TryEnterCriticalSection
 0x45218c DeleteCriticalSection
 0x452190 SetLastError
 0x452194 InitializeCriticalSectionAndSpinCount
 0x452198 CreateEventW
 0x45219c SwitchToThread
 0x4521a0 TlsAlloc
 0x4521a4 TlsGetValue
 0x4521a8 TlsSetValue
 0x4521ac TlsFree
 0x4521b0 GetSystemTimeAsFileTime
 0x4521b4 GetTickCount
 0x4521b8 GetModuleHandleW
 0x4521bc WaitForSingleObjectEx
 0x4521c0 QueryPerformanceCounter
 0x4521c4 SetEvent
 0x4521c8 ResetEvent
 0x4521cc UnhandledExceptionFilter
 0x4521d0 SetUnhandledExceptionFilter
 0x4521d4 GetCurrentProcess
 0x4521d8 TerminateProcess
 0x4521dc IsDebuggerPresent
 0x4521e0 GetStartupInfoW
 0x4521e4 GetCurrentProcessId
 0x4521e8 InitializeSListHead
 0x4521ec CreateTimerQueue
 0x4521f0 SignalObjectAndWait
 0x4521f4 SetThreadPriority
 0x4521f8 GetThreadPriority
 0x4521fc GetLogicalProcessorInformation
 0x452200 CreateTimerQueueTimer
 0x452204 ChangeTimerQueueTimer
 0x452208 DeleteTimerQueueTimer
 0x45220c GetNumaHighestNodeNumber
 0x452210 GetProcessAffinityMask
 0x452214 SetThreadAffinityMask
 0x452218 RegisterWaitForSingleObject
 0x45221c UnregisterWait
 0x452220 EncodePointer
 0x452224 GetCurrentThread
 0x452228 GetThreadTimes
 0x45222c FreeLibrary
 0x452230 FreeLibraryAndExitThread
 0x452234 GetModuleFileNameW
 0x452238 LoadLibraryExW
 0x45223c VirtualProtect
 0x452240 DuplicateHandle
 0x452244 ReleaseSemaphore
 0x452248 InterlockedPopEntrySList
 0x45224c InterlockedPushEntrySList
 0x452250 InterlockedFlushSList
 0x452254 QueryDepthSList
 0x452258 UnregisterWaitEx
 0x45225c LoadLibraryW
 0x452260 RtlUnwind
 0x452264 ExitProcess
 0x452268 CreateFileW
 0x45226c WriteConsoleW
USER32.dll
 0x452288 GetSystemMetrics
 0x45228c ReleaseDC
 0x452290 GetDC
GDI32.dll
 0x452034 CreateCompatibleBitmap
 0x452038 SelectObject
 0x45203c CreateCompatibleDC
 0x452040 DeleteObject
 0x452044 BitBlt
ADVAPI32.dll
 0x452000 RegCloseKey
 0x452004 RegQueryInfoKeyW
 0x452008 RegGetValueA
 0x45200c RegQueryValueExA
 0x452010 GetSidSubAuthorityCount
 0x452014 GetSidSubAuthority
 0x452018 GetUserNameA
 0x45201c LookupAccountNameA
 0x452020 RegSetValueExA
 0x452024 RegOpenKeyExA
 0x452028 RegEnumValueW
 0x45202c GetSidIdentifierAuthority
SHELL32.dll
 0x452274 SHGetFolderPathA
 0x452278 ShellExecuteA
 0x45227c None
 0x452280 SHFileOperationA
ole32.dll
 0x452318 CoUninitialize
 0x45231c CoCreateInstance
 0x452320 CoInitialize
WININET.dll
 0x452298 HttpOpenRequestA
 0x45229c InternetWriteFile
 0x4522a0 InternetOpenUrlA
 0x4522a4 InternetOpenW
 0x4522a8 HttpEndRequestW
 0x4522ac HttpAddRequestHeadersA
 0x4522b0 HttpSendRequestExA
 0x4522b4 InternetOpenA
 0x4522b8 InternetCloseHandle
 0x4522bc HttpSendRequestA
 0x4522c0 InternetConnectA
 0x4522c4 InternetReadFile
gdiplus.dll
 0x4522f8 GdipGetImageEncodersSize
 0x4522fc GdipDisposeImage
 0x452300 GdiplusStartup
 0x452304 GdiplusShutdown
 0x452308 GdipGetImageEncoders
 0x45230c GdipSaveImageToFile
 0x452310 GdipCreateBitmapFromHBITMAP
WS2_32.dll
 0x4522cc closesocket
 0x4522d0 inet_pton
 0x4522d4 getaddrinfo
 0x4522d8 WSAStartup
 0x4522dc send
 0x4522e0 socket
 0x4522e4 connect
 0x4522e8 recv
 0x4522ec htons
 0x4522f0 freeaddrinfo

EAT(Export Address Table) is none