popup

Report - setup.exe

Malicious Library UPX DNS AntiDebug AntiVM PE File .NET EXE PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.06.28 12:59 Machine s1_win7_x6401
Filename setup.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
7
 Behavior Score
8.2
ZERO API file : malware
VT API (file) 32 detected (AIDetectMalware, malicious, high confidence, MSILHeracles, Unsafe, Attribute, HighConfidence, FileRepMalware, Cryp, Strab, MSIL@AI, MSIL2, POHGWC00ez3467hOv+26Mw, moderate, score, MalwareCrypter, Detected, ai score=83, Wacatac, ZemsilF, jC0@aqIgTBhO, MachineLearning, Anomalous, 100%, Static AI, Suspicious PE, confidence)
md5 578b99fc6beb29265631e1dffe80a719
sha256 33f01b338b4e0492a81dc68e12f177a6717910f3789f30edaf9ed946d6b8e0ff
ssdeep 1536:5NB0m1Hk7HcDZiOp2blQHDW86L6FIsATqAr1lGLrG60f9u6jV44P29HyaNX:50uZvpalQHDW862FIsAeA3+G6G9hpZU
imphash c49c1289bbcf26a8cd62a5c41f8a01db
impfuzzy 48:2Nnxk+0e56dahV8UKCxAzKVLEkNh+kuwg4coTpPbpZYN/2:0OJ82ahV8Eh8wg4coTpPbpZYN/2
  Network IP location

Signature (17cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 32 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Deletes executed files from disk
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice One or more potentially interesting buffers were extracted
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (15cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
notice Network_DNS Communications use DNS memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

MSVCR90.dll
 0x40309c _encode_pointer
 0x4030a0 __p__fmode
 0x4030a4 __p__commode
 0x4030a8 _adjust_fdiv
 0x4030ac __setusermatherr
 0x4030b0 __FrameUnwindFilter
 0x4030b4 _encoded_null
 0x4030b8 scanf
 0x4030bc __set_app_type
 0x4030c0 _configthreadlocale
 0x4030c4 _initterm_e
 0x4030c8 _initterm
 0x4030cc _wcmdln
 0x4030d0 exit
 0x4030d4 _XcptFilter
 0x4030d8 _exit
 0x4030dc _cexit
 0x4030e0 __wgetmainargs
 0x4030e4 vsprintf
 0x4030e8 ?terminate@@YAXXZ
 0x4030ec _unlock
 0x4030f0 _amsg_exit
 0x4030f4 __dllonexit
 0x4030f8 _lock
 0x4030fc _onexit
 0x403100 _decode_pointer
 0x403104 _except_handler4_common
 0x403108 _invoke_watson
 0x40310c _controlfp_s
 0x403110 free
 0x403114 _crt_debugger_hook
KERNEL32.dll
 0x403024 VirtualProtect
 0x403028 LocalAlloc
 0x40302c SetLastError
 0x403030 ReleaseSemaphore
 0x403034 FileTimeToSystemTime
 0x403038 LoadLibraryW
 0x40303c GetSystemTimes
 0x403040 CompareFileTime
 0x403044 GetFileSize
 0x403048 IsDebuggerPresent
 0x40304c UnhandledExceptionFilter
 0x403050 GetCurrentProcess
 0x403054 InterlockedExchange
 0x403058 Sleep
 0x40305c InterlockedCompareExchange
 0x403060 GetStartupInfoW
 0x403064 SetUnhandledExceptionFilter
 0x403068 QueryPerformanceCounter
 0x40306c GetTickCount
 0x403070 GetCurrentThreadId
 0x403074 GetCurrentProcessId
 0x403078 GetSystemTimeAsFileTime
 0x40307c TerminateProcess
USER32.dll
 0x403128 ShowWindow
 0x40312c UpdateWindow
 0x403130 CreateCaret
 0x403134 SetCursor
 0x403138 SetSystemCursor
 0x40313c AdjustWindowRect
GDI32.dll
 0x403008 CreateDIBPatternBrush
 0x40300c CloseFigure
 0x403010 GetPath
 0x403014 SetPolyFillMode
 0x403018 FillPath
 0x40301c SetWinMetaFileBits
SHELL32.dll
 0x40311c DragFinish
 0x403120 ShellExecuteW
MSIMG32.dll
 0x403084 AlphaBlend
 0x403088 TransparentBlt
COMCTL32.dll
 0x403000 None
WINHTTP.dll
 0x403144 WinHttpOpen
 0x403148 WinHttpConnect
MSVCP90.dll
 0x403090 ??0?$basic_stringstream@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@H@Z
 0x403094 ??_D?$basic_stringstream@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
msvcm90.dll
 0x403158 ?RegisterModuleUninitializer@@@YAXP$AAVEventHandler@System@@@Z
 0x40315c ?DoDllLanguageSupportValidation@@@YAXXZ
 0x403160 ?ThrowModuleLoadException@@@YAXP$AAVString@System@@P$AAVException@3@@Z
 0x403164 ?ThrowModuleLoadException@@@YAXP$AAVString@System@@@Z
 0x403168 ?ThrowNestedModuleLoadException@@@YAXP$AAVException@System@@0@Z
 0x40316c ?DoCallBackInDefaultDomain@@@YAXP6GJPAX@Z0@Z
mscoree.dll
 0x403150 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure