popup

Report - voda.exe

Malicious Packer UPX PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.06.19 17:15 Machine s1_win7_x6403
Filename voda.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
7.8
ZERO API file : clean
VT API (file) 45 detected (AIDetectMalware, VBKrypt, lwTF, malicious, high confidence, score, Zusy, Unsafe, Attribute, HighConfidence, Enigma, Blacked, Scar, RisePro, Real Protect, high, HackTool, Detected, RiseProStealer, 1JCNZHU, Threat, HLLIE, based, Maximus, ZexaF, qHW@aW5aZuhk, BScope, Bitrep, Genetic, Probably Heur, ExeHeaderL, ai score=86, susgen, confidence, 100%)
md5 61454bbf62a50d22bc3d52b44de73edd
sha256 9d5f4a74b19f2491dfa617e173bf010dd9e2220ee7da7e4073741ec8f426b93b
ssdeep 24576:CSL3X3QW7YPxce46SfcuXGXnpqwQN6icoEC68AXxK:/L39MPxcZPApqlMoEBxK
imphash b7ce6ea073161d3449ba26dd2c859ea1
impfuzzy 6:tmVtERGDvZ/OiBJAEcXQwDLzRgSdn8BbMqtYbdic9SvWx/0yNCgyPVe6XEAML+r6:c2cDvZGqA9AwDXRgKQcb/0yNCPsEEJPx
  Network IP location

Signature (18cnts)

Level Description
danger File has been identified by 45 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Looks up the external IP address
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.5.15 clean
ipinfo.io
whois
US GOOGLE 34.117.186.192 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
34.117.186.192
whois
US GOOGLE 34.117.186.192 clean
147.45.47.126
whois
RU OOO FREEnet Group 147.45.47.126 mailcious

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 23
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x894178 VirtualAlloc
 0x89417c VirtualFree
 0x894180 GetModuleHandleA
 0x894184 GetProcAddress
 0x894188 ExitProcess
 0x89418c LoadLibraryA
user32.dll
 0x894194 MessageBoxA
advapi32.dll
 0x89419c RegCloseKey
oleaut32.dll
 0x8941a4 SysFreeString
gdi32.dll
 0x8941ac CreateFontA
shell32.dll
 0x8941b4 ShellExecuteA
version.dll
 0x8941bc GetFileVersionInfoA
ole32.dll
 0x8941c4 CoInitialize
ws2_32.dll
 0x8941cc WSAStartup
crypt32.dll
 0x8941d4 CryptUnprotectData
shlwapi.dll
 0x8941dc PathFindExtensionA
gdiplus.dll
 0x8941e4 GdipGetImageEncoders
setupapi.dll
 0x8941ec SetupDiEnumDeviceInfo
ntdll.dll
 0x8941f4 RtlUnicodeStringToAnsiString
rstrtmgr.dll
 0x8941fc RmStartSession

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure