popup

Report - Hooks.jpg.exe

Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Downloader Malicious Packer .NET framework(MSIL) UPX Antivirus PE File PE32 DLL OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.07.01 11:03 Machine s1_win7_x6402
Filename Hooks.jpg.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score Not founds Behavior Score
11.2
ZERO API file : malware
VT API (file) 60 detected (AIDetectMalware, malicious, moderate confidence, score, Zusy, Unsafe, Save, CryptoMiner, Attribute, HighConfidence, CoinMiner, Artemis, Gh0stRAT, Zegost, kogggh, ZJ9JS4CoS8B, AGEN, R03BC0DFA24, high, Detected, Blamon, MUPX, Gen@24tbus, Farfli, ZexaF, @pKfae9LWmkb, BScope, Miancha, Gencirc, I6xxh9DQ, ai score=88, susgen, Blackmoon, confidence)
md5 422f3763021f8f9bfc31a9a7e4b049f9
sha256 a1871f4f0149065abab263411d6afdd8ae962060db732e740e956898b62cee0b
ssdeep 196608:uBF+gGI892vAQENcXbc7zdgZpbHgCDoZ86F8l/SflHdINv2/sD/afUAbKs8hC3+q:uBvtlEhdwlHgCDoC6F8lYGJgspAbKs88
imphash 3222c3f44785a4ac7520003a95ac4f46
impfuzzy 6:omElyP1BJAEoZ/OEGDzyRMbK1/QbXqVqE:omVVABZG/Dz0QbXu/
  Network IP location

Signature (24cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 60 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Connects to an IRC server
watch Installs itself for autorun at Windows startup
watch The process powershell.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a service
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername
info The executable uses a known packer
info Uses Windows APIs to generate a cryptographic key

Rules (15cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Network_Downloader File Downloader binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (22cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://down.ftp21.cc/64.jpg
whois
KR Korea Telecom 119.203.212.165 malware
http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe
whois
US AKAMAI-AS 23.207.40.161 clean
http://43.198.152.240:8080/api/node/ip_validate
whois
Unknown 43.198.152.240 clean
http://down.ftp21.cc/Update.txt
whois
KR Korea Telecom 119.203.212.165 mailcious
gtxvdqvuweqs.com
whois
Unknown 16.162.201.176 mailcious
ipv6-api.iproyal.com
whois
Unknown clean
down.ftp21.cc
whois
KR Korea Telecom 119.203.212.165 malware
download.microsoft.com
whois
US AKAMAI-AS 23.207.40.161 clean
api6.my-ip.io
whois
Unknown clean
www.362-com.com
whois
KR SK Broadband Co Ltd 1.226.84.135 clean
www.4i7i.com
whois
KR SK Broadband Co Ltd 1.226.84.135 clean
api.iproyal.com
whois
GB Clouvider Limited 193.228.196.69 clean
worldtimeapi.org
whois
Unknown 213.188.196.246 clean
23.45.52.224
whois
US AKAMAI-AS 23.45.52.224 clean
93.189.62.83
whois
DE Melbikomas UAB 93.189.62.83 clean
213.188.196.246
whois
Unknown 213.188.196.246 clean
193.228.196.69
whois
GB Clouvider Limited 193.228.196.69 clean
51.161.196.188
whois
Unknown 51.161.196.188 clean
43.198.152.240
whois
Unknown 43.198.152.240 clean
16.162.201.176
whois
Unknown 16.162.201.176 mailcious
1.226.84.135
whois
KR SK Broadband Co Ltd 1.226.84.135 clean
119.203.212.165
whois
KR Korea Telecom 119.203.212.165 malware

Suricata ids

ET DNS Query for .cc TLD
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET INFO SSH-2.0-Go version string Observed in Network Traffic
ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x1bf3350 RegOpenKeyA
COMCTL32.dll
 0x1bf3358 None
GDI32.dll
 0x1bf3360 Escape
KERNEL32.DLL
 0x1bf3368 LoadLibraryA
 0x1bf336c ExitProcess
 0x1bf3370 GetProcAddress
 0x1bf3374 VirtualProtect
SHELL32.dll
 0x1bf337c SHGetSpecialFolderPathA
USER32.dll
 0x1bf3384 GetDC
WINSPOOL.DRV
 0x1bf338c OpenPrinterA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure