Report - build.exe

Tags: [m] Generic Malware, Generic Malware, Suspicious_Script_Bin, task schedule, Malicious Library, UPX, Socket, DGA, Http API, ScreenShot, PWS, DNS, Internet API, AntiDebug, AntiVM, PE File, PE32, OS Processor Check
Created 2024.06.26 10:16
Machine s1_win7_x6403
Filename build.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 13.2
ZERO API (file) malware
VT API (file) 47 detected (AIDetectMalware, Strab, malicious, high confidence, score, Lockbit, Artemis, Unsafe, Save, Tepfer, Attribute, HighConfidence, Kryptik, HXJD, DropperX, Fareit, Yakes, CLOUD, InstaBot, rajyu, Pitou, SMOKELOADER, YXEFYZ, Real Protect, high, Stealc, Detected, STOP, SPON, LWKOWZ, Eldorado, R653711, ZexaF, 0q0@ae@LVKaG, BScope, Static AI, Suspicious PE, MxResIcn, HBBY, confidence, 100%)
md5 71b44c9a55f3b40681f6a5524ca9821d
sha256 9cea3ad8914836b158f4a3494c1b3b3dadc93af4d9a560cbec22742302de5439
ssdeep 12288:oFLV3SQMC2KjSnCs/urQO4VivUI6q9ulGvxnrgJMKut3KENjEhQEOuV:iSQaCsgUI6grzt3K4EWlu
imphash 97bf980f6daa00a62d02c8545f869c7f
impfuzzy 48:YOjFwU96rjknyvFtP3YUdFBI1tTQcf5YuuSBDS6:jPErjkyvFtoEfI1tTQcf54SBB
Signature (27cnts)

Level Description
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Installs itself for autorun at Windows startup
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process build.exe
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (30cnts)

Level | Name | Description | Collection
warning | Generic_Malware_Zero | Generic Malware | binaries (download)
warning | Generic_Malware_Zero_m | [m] Generic Malware | memory
warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download)
watch | Malicious_Library_Zero | Malicious_Library | binaries (download)
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload)
watch | schtasks_Zero | task schedule | memory
watch | UPX_Zero | UPX packed file | binaries (download)
watch | UPX_Zero | UPX packed file | binaries (upload)
notice | Generic_PWS_Memory_Zero | PWS Memory | memory
notice | Network_DGA | Communication using DGA | memory
notice | Network_DNS | Communications use DNS | memory
notice | Network_TCP_Socket | Communications over RAW Socket | memory
notice | ScreenShot | Take ScreenShot | memory
notice | Str_Win32_Http_API | Match Windows Http API call | memory
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory
info | anti_dbg | Checks if being debugged | memory
info | DebuggerCheck__GlobalFlags | (no description) | memory
info | DebuggerCheck__QueryInfo | (no description) | memory
info | DebuggerException__SetConsoleCtrl | (no description) | memory
info | DebuggerHiding__Active | (no description) | memory
info | DebuggerHiding__Thread | (no description) | memory
info | disable_dep | Bypass DEP | memory
info | IsPE32 | (no description) | binaries (download)
info | IsPE32 | (no description) | binaries (upload)
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download)
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload)
info | PE_Header_Zero | PE File Signature | binaries (download)
info | PE_Header_Zero | PE File Signature | binaries (upload)
info | SEH__vectored | (no description) | memory
info | ThreadControl__Context | (no description) | memory

Network (10cnts)

Request | CC | ASN Co | IP4 | Rule | ZERO
http://defgyma.com/dl/build2.exe | AR | Telecom Argentina S.A. | 186.137.126.27 | | clean
http://cajgtus.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true | KR | Korea Telecom | 183.100.39.16 | | clean
http://cajgtus.com/files/1/build3.exe | IR | Information Technology Company (ITC) | 93.118.137.82 | | malware
https://api.2ip.ua/geo.json | US | CLOUDFLARENET | 104.21.65.24 | | clean
defgyma.com | CO | Telmex Colombia S.A. | 190.159.138.51 | | malware
api.2ip.ua | US | CLOUDFLARENET | 172.67.139.220 | | clean
cajgtus.com | MX | Mega Cable, S.A. de C.V. | 189.195.132.134 | | malware
104.21.65.24 | US | CLOUDFLARENET | 104.21.65.24 | | clean
93.118.137.82 | IR | Information Technology Company (ITC) | 93.118.137.82 | | clean
201.191.99.134 | CR | Instituto Costarricense de Electricidad y Telecom. | 201.191.99.134 | | clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x414008 GetCommState
 0x41400c CreateJobObjectW
 0x414010 GetNamedPipeHandleStateA
 0x414014 SetVolumeMountPointW
 0x414018 GetTimeFormatA
 0x41401c GetCommProperties
 0x414020 GetModuleHandleW
 0x414024 GetTickCount
 0x414028 GetConsoleAliasesLengthA
 0x41402c FormatMessageA
 0x414030 ReadConsoleOutputA
 0x414034 GetUserDefaultLangID
 0x414038 GlobalAlloc
 0x41403c LoadLibraryW
 0x414040 GetLocaleInfoW
 0x414044 GetCalendarInfoW
 0x414048 lstrcpynW
 0x41404c LocalReAlloc
 0x414050 GetModuleFileNameW
 0x414054 RaiseException
 0x414058 GetConsoleAliasesW
 0x41405c GlobalAddAtomA
 0x414060 GetLastError
 0x414064 GetProcAddress
 0x414068 GetNumaHighestNodeNumber
 0x41406c LoadLibraryA
 0x414070 WriteConsoleA
 0x414074 RegisterWaitForSingleObject
 0x414078 AddAtomW
 0x41407c OpenJobObjectW
 0x414080 FoldStringA
 0x414084 lstrcatW
 0x414088 GetConsoleTitleW
 0x41408c BuildCommDCBA
 0x414090 GetShortPathNameW
 0x414094 FileTimeToLocalFileTime
 0x414098 FindFirstVolumeW
 0x41409c OpenFileMappingA
 0x4140a0 EnumCalendarInfoExA
 0x4140a4 AreFileApisANSI
 0x4140a8 InterlockedExchange
 0x4140ac SetDefaultCommConfigA
 0x4140b0 MultiByteToWideChar
 0x4140b4 HeapAlloc
 0x4140b8 HeapReAlloc
 0x4140bc Sleep
 0x4140c0 ExitProcess
 0x4140c4 GetStartupInfoW
 0x4140c8 RtlUnwind
 0x4140cc TerminateProcess
 0x4140d0 GetCurrentProcess
 0x4140d4 UnhandledExceptionFilter
 0x4140d8 SetUnhandledExceptionFilter
 0x4140dc IsDebuggerPresent
 0x4140e0 HeapFree
 0x4140e4 GetCPInfo
 0x4140e8 InterlockedIncrement
 0x4140ec InterlockedDecrement
 0x4140f0 GetACP
 0x4140f4 GetOEMCP
 0x4140f8 IsValidCodePage
 0x4140fc TlsGetValue
 0x414100 TlsAlloc
 0x414104 TlsSetValue
 0x414108 TlsFree
 0x41410c SetLastError
 0x414110 GetCurrentThreadId
 0x414114 DeleteCriticalSection
 0x414118 LeaveCriticalSection
 0x41411c EnterCriticalSection
 0x414120 VirtualFree
 0x414124 VirtualAlloc
 0x414128 HeapCreate
 0x41412c WriteFile
 0x414130 GetStdHandle
 0x414134 GetModuleFileNameA
 0x414138 WideCharToMultiByte
 0x41413c GetConsoleCP
 0x414140 GetConsoleMode
 0x414144 FlushFileBuffers
 0x414148 HeapSize
 0x41414c InitializeCriticalSectionAndSpinCount
 0x414150 FreeEnvironmentStringsW
 0x414154 GetEnvironmentStringsW
 0x414158 GetCommandLineW
 0x41415c SetHandleCount
 0x414160 GetFileType
 0x414164 GetStartupInfoA
 0x414168 QueryPerformanceCounter
 0x41416c GetCurrentProcessId
 0x414170 GetSystemTimeAsFileTime
 0x414174 LCMapStringA
 0x414178 LCMapStringW
 0x41417c GetStringTypeA
 0x414180 GetStringTypeW
 0x414184 GetLocaleInfoA
 0x414188 GetConsoleOutputCP
 0x41418c WriteConsoleW
 0x414190 SetFilePointer
 0x414194 SetStdHandle
 0x414198 ReadFile
 0x41419c CreateFileA
 0x4141a0 CloseHandle
 0x4141a4 GetModuleHandleA
USER32.dll
 0x4141ac LoadIconA
ADVAPI32.dll
 0x414000 GetSidSubAuthorityCount

EAT (Export Address Table): none
