Report - %E5%9B%BD%E5%BA%86%E5%BB%B6%E8%BF%9F%E6%94%BE%E5%81%87%E9%80%9A%E7%9F%A5.exe

Malicious Library PE File PE64
ScreenShot
Created 2024.06.28 12:46 Machine s1_win7_x6403
Filename %E5%9B%BD%E5%BA%86%E5%BB%B6%E8%BF%9F%E6%94%BE%E5%81%87%E9%80%9A%E7%9F%A5.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
9
Behavior Score
4.0
ZERO API file : malware
VT API (file) 63 detected (AIDetectMalware, Shelma, tsgG, Windows, CobaltStrike, Malicious, score, CobaltStr, S17675256, GenericKDZ, Unsafe, Genus, Cobalt, gen1, Artifact, EVTS, CozyDuke, CLASSIC, lhumd, Tool, COBEACON, fsibr, Detected, ai score=81, Bulz, SPVV, NDUP, R360995, GenAsa, ZICJWVi3Ujg, Static AI, Malicious PE, susgen, confidence, 100%, Hacktool)
md5 d0e72468c01cf13b48c0a5ee2a310cb2
sha256 6419aa3ff941635038f6ed18b64b59c413076d33e59782154fa59c65936e3915
ssdeep 192:aDMAe4Ckj19RZZ6wpSfu1bKcq5uHj7khBDSeKNH4+mrCyBUbOj6kxiY:aDMAoKz6WtKEj7aBDiKmybAY
imphash 17b461a082950fc6332228572138b80c
impfuzzy 24:Q2kfg1JlDzncLb9aa0mezlMC95XGDZ8k1koDquQZn:gfg1jc/bezlzJGV8k1koqz
  Network IP location

Signature (5cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 63 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
info One or more processes crashed

Rules (3cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
110.41.14.58 Unknown 110.41.14.58 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x409244 CloseHandle
 0x40924c ConnectNamedPipe
 0x409254 CreateFileA
 0x40925c CreateNamedPipeA
 0x409264 CreateThread
 0x40926c DeleteCriticalSection
 0x409274 EnterCriticalSection
 0x40927c GetCurrentProcess
 0x409284 GetCurrentProcessId
 0x40928c GetCurrentThreadId
 0x409294 GetLastError
 0x40929c GetModuleHandleA
 0x4092a4 GetProcAddress
 0x4092ac GetStartupInfoA
 0x4092b4 GetSystemTimeAsFileTime
 0x4092bc GetTickCount
 0x4092c4 InitializeCriticalSection
 0x4092cc LeaveCriticalSection
 0x4092d4 LoadLibraryW
 0x4092dc QueryPerformanceCounter
 0x4092e4 ReadFile
 0x4092ec RtlAddFunctionTable
 0x4092f4 RtlCaptureContext
 0x4092fc RtlLookupFunctionEntry
 0x409304 RtlVirtualUnwind
 0x40930c SetUnhandledExceptionFilter
 0x409314 Sleep
 0x40931c TerminateProcess
 0x409324 TlsGetValue
 0x40932c UnhandledExceptionFilter
 0x409334 VirtualAlloc
 0x40933c VirtualProtect
 0x409344 VirtualQuery
 0x40934c WriteFile
msvcrt.dll
 0x40935c __C_specific_handler
 0x409364 __dllonexit
 0x40936c __getmainargs
 0x409374 __initenv
 0x40937c __iob_func
 0x409384 __lconv_init
 0x40938c __set_app_type
 0x409394 __setusermatherr
 0x40939c _acmdln
 0x4093a4 _amsg_exit
 0x4093ac _cexit
 0x4093b4 _fmode
 0x4093bc _initterm
 0x4093c4 _lock
 0x4093cc _onexit
 0x4093d4 _unlock
 0x4093dc abort
 0x4093e4 calloc
 0x4093ec exit
 0x4093f4 fprintf
 0x4093fc free
 0x409404 fwrite
 0x40940c malloc
 0x409414 memcpy
 0x40941c signal
 0x409424 sprintf
 0x40942c strlen
 0x409434 strncmp
 0x40943c vfprintf

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure