Report - win.exe

Tags: Generic Malware, Malicious Library, Malicious Packer, Antivirus, UPX, PE File, ftp, PE32, OS Processor Check
Created 2024.07.08 09:52 Machine s1_win7_x6401
Filename win.exe
Type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
AI Score 2
Behavior Score 3.6
ZERO API file : clean
VT API (file) 41 detected (AIDetectMalware, ClipBanker, tscz, malicious, high confidence, Revhell, Marte, Unsafe, Hacktool, Reversessh, Vu10, Attribute, HighConfidence, a variant of WinGo, Artemis, FileRepMalware, Misc, SuperShell, CLASSIC, Generic Reputation PUA, WinGo, ai score=86, Patcher, R002H0DG724, Ymhl, Static AI, Suspicious PE, susgen)
md5 f0e6f9c7b9ddc461c6929d4765a15eaa
sha256 1dd95abfe38b356715b6c82c9163f67b155c4931a556c1347fa8c5576d1e8bc3
ssdeep 98304:MSLd7sR4eOzi3hJ7tzNhN8iHiYCFwwxRvfW:pwz3rhRhdIZb
imphash 9cbefe68f395e67356e2a5d8d1b285c0
impfuzzy 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP

Signature (7cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Uses Windows utilities for basic Windows functionality
info Command line console output was observed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (9cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info ftp_command ftp command binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
82.157.80.216 Unknown 82.157.80.216 clean

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0xb4c460 WriteFile
 0xb4c464 WriteConsoleW
 0xb4c468 WaitForMultipleObjects
 0xb4c46c WaitForSingleObject
 0xb4c470 VirtualQuery
 0xb4c474 VirtualFree
 0xb4c478 VirtualAlloc
 0xb4c47c SwitchToThread
 0xb4c480 SuspendThread
 0xb4c484 SetWaitableTimer
 0xb4c488 SetUnhandledExceptionFilter
 0xb4c48c SetProcessPriorityBoost
 0xb4c490 SetEvent
 0xb4c494 SetErrorMode
 0xb4c498 SetConsoleCtrlHandler
 0xb4c49c ResumeThread
 0xb4c4a0 PostQueuedCompletionStatus
 0xb4c4a4 LoadLibraryA
 0xb4c4a8 LoadLibraryW
 0xb4c4ac SetThreadContext
 0xb4c4b0 GetThreadContext
 0xb4c4b4 GetSystemInfo
 0xb4c4b8 GetSystemDirectoryA
 0xb4c4bc GetStdHandle
 0xb4c4c0 GetQueuedCompletionStatusEx
 0xb4c4c4 GetProcessAffinityMask
 0xb4c4c8 GetProcAddress
 0xb4c4cc GetEnvironmentStringsW
 0xb4c4d0 GetConsoleMode
 0xb4c4d4 FreeEnvironmentStringsW
 0xb4c4d8 ExitProcess
 0xb4c4dc DuplicateHandle
 0xb4c4e0 CreateWaitableTimerExW
 0xb4c4e4 CreateThread
 0xb4c4e8 CreateIoCompletionPort
 0xb4c4ec CreateFileA
 0xb4c4f0 CreateEventA
 0xb4c4f4 CloseHandle
 0xb4c4f8 AddVectoredExceptionHandler

EAT(Export Address Table) is none
