Report - ExtExport2.exe

Suspicious_Script_Bin UPX PE File PE32
Created 2024.06.25 07:44 Machine s1_win7_x6403
Filename ExtExport2.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score 8
Behavior Score 9.4
ZERO API (file): malware
VT API (file) 40 detected (AIDetectMalware, Autoit, malicious, moderate confidence, score, TrojanAitInject, Unsafe, Save, Artemis, FileRepMalware, fgnl, CLASSIC, moderate, GPCX, Detected, RedLine, lvmpx, Sabsik, Strab, AZWT7U, Eldorado, R002H01FO24, MxResIcn, confidence, 100%, GXI#3DGW)
md5 901a623dbccaa22525373cd36195ee14
sha256 b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
ssdeep 12288:SYV6MorX7qzuC3QHO9FQVHPF51jgcN6S5UesUInNnpo2R2:hBXu9HGaVHN6S5U5Rn/Y
imphash fc6683d30d9f25244a50fd5357825e79
impfuzzy 12:VA/DzqYOZkKDHLB78r4B3ExjLAkcOaiTQQnd3mxCHH:V0DBaPHLB7PxExjLAkcOV2kn

Signature (22cnts)

Level Description
danger File has been identified by 40 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local FTP client software
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (4cnts)

Level Name Description Collection
warning Suspicious_Obfuscation_Script_2 Suspicious obfuscation script (e.g. executable files) binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (10cnts)

Request CC ASN organization IP4 Rule ZERO
http://apps.identrust.com/roots/dstrootcax3.p7c US Akamai International B.V. 23.44.173.113 clean
http://185.38.142.10:7474/ PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 185.38.142.10 clean
ipinfo.io US GOOGLE 34.117.186.192 clean
api.ipify.org US CLOUDFLARENET 172.67.74.152 clean
api.ip.sb US CLOUDFLARENET 104.26.13.31 clean
172.67.75.172 US CLOUDFLARENET 172.67.75.172 malicious
34.117.186.192 US GOOGLE 34.117.186.192 clean
104.26.12.205 US CLOUDFLARENET 104.26.12.205 clean
185.38.142.10 PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 185.38.142.10 clean
114.108.166.82 KR LG DACOM Corporation 114.108.166.82 clean

Suricata IDS

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x5668c0 LoadLibraryA
 0x5668c4 GetProcAddress
 0x5668c8 VirtualProtect
 0x5668cc VirtualAlloc
 0x5668d0 VirtualFree
 0x5668d4 ExitProcess
ADVAPI32.dll
 0x5668dc GetAce
COMCTL32.dll
 0x5668e4 ImageList_Remove
COMDLG32.dll
 0x5668ec GetOpenFileNameW
GDI32.dll
 0x5668f4 LineTo
IPHLPAPI.DLL
 0x5668fc IcmpSendEcho
MPR.dll
 0x566904 WNetUseConnectionW
ole32.dll
 0x56690c CoGetObject
OLEAUT32.dll
 0x566914 VariantInit
PSAPI.DLL
 0x56691c GetProcessMemoryInfo
SHELL32.dll
 0x566924 DragFinish
USER32.dll
 0x56692c GetDC
USERENV.dll
 0x566934 LoadUserProfileW
UxTheme.dll
 0x56693c IsThemeActive
VERSION.dll
 0x566944 VerQueryValueW
WININET.dll
 0x56694c FtpOpenFileW
WINMM.dll
 0x566954 timeGetTime
WSOCK32.dll
 0x56695c connect

EAT(Export Address Table) is none
