popup

Report - tool.exe

UPX PE File PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.07.08 09:44 Machine s1_win7_x6403
Filename tool.exe
Type PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
AI Score Not founds Behavior Score
5.2
ZERO API file : malware
VT API (file) 44 detected (AIDetectMalware, Supershell, malicious, moderate confidence, score, Unsafe, GenericKD, Save, Attribute, HighConfidence, a variant of WinGo, Kryptik, Artemis, CLOUD, Redcap, wjlfg, WinGo, Detected, GrayWare, Wacatac, YEO0LJ, Eldorado, ai score=87, susgen)
md5 34c704347497551c5593eeabebb7b6ce
sha256 e26d08daf79b80174a0f87cc85a1555ef493e71a83cd27d7511910e88045dafb
ssdeep 98304:kcRHAx+bwVIYz0mgOUqfeThiE3Ev+0MpUfNw50pNNOj1oUUL43BTFqy+qZnia/EJ:kSs+bwVIYz0mVf2iE3rsfDijul0hbHn6
imphash 6ed4f5f04d62b18d96b26d6db7c18840
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn
  Network IP location

Signature (9cnts)

Level Description
danger File has been identified by 44 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
notice Uses Windows utilities for basic Windows functionality
info Command line console output was observed

Rules (3cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
101.35.228.105
whois
Unknown 101.35.228.105 malware
162.0.236.122
whois
US NAMECHEAP-NET 162.0.236.122 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x1426028 LoadLibraryA
 0x1426030 ExitProcess
 0x1426038 GetProcAddress
 0x1426040 VirtualProtect

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure