Report - my.exe

Tags: Generic Malware, Malicious Library, Malicious Packer, Antivirus, UPX, PE File, PE64, ftp, OS Processor Check
Created: 2024.07.08 09:52
Machine: s1_win7_x6403
Filename: my.exe
Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
AI Score: Not found
Behavior Score: 4.0
ZERO API (file): clean
VT API (file) 27 detected (AIDetectMalware, malicious, high confidence, Revhell, Marte, a variant of WinGo, HackTool, ReverseSsh, HacktoolX, CLASSIC, AGEN, WinGo, Clipbanker, Detected, ai score=89, SuperShell, R610370, susgen)
md5 6470b936622d9502880cae6452d1bb48
sha256 8dff8555a5960f7dd9b5915c7046d006eafabe9181627d0ee7f56aeddfc727af
ssdeep 98304:t3WBP9loEChXVFmEiZGZBRA5RACWiOxg:tm9oFxiI/C5CLp
imphash f0ea7b7844bbc5bfa9bb32efdcea957c
impfuzzy 24:UbVjh9wO+VuT2oLtXOr6kwmDruMztxdEr6tP:GwO+VAXOmGx0oP

Signature (6cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
warning File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
info Command line console output was observed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (9cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info ftp_command ftp command binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts)

Request | CC | ASN Co | IP4 | Rule | ZERO
60.251.145.96 | TW | Data Communication Business Group | 60.251.145.96 | malicious |
91.238.203.71 | NL | Cloud Management LLC | 91.238.203.71 | malware |

Suricata IDS: none

PE API

IAT (Import Address Table) Library

kernel32.dll
 0xe93620 WriteFile
 0xe93628 WriteConsoleW
 0xe93630 WaitForMultipleObjects
 0xe93638 WaitForSingleObject
 0xe93640 VirtualQuery
 0xe93648 VirtualFree
 0xe93650 VirtualAlloc
 0xe93658 TlsAlloc
 0xe93660 SwitchToThread
 0xe93668 SuspendThread
 0xe93670 SetWaitableTimer
 0xe93678 SetUnhandledExceptionFilter
 0xe93680 SetProcessPriorityBoost
 0xe93688 SetEvent
 0xe93690 SetErrorMode
 0xe93698 SetConsoleCtrlHandler
 0xe936a0 ResumeThread
 0xe936a8 PostQueuedCompletionStatus
 0xe936b0 LoadLibraryA
 0xe936b8 LoadLibraryW
 0xe936c0 SetThreadContext
 0xe936c8 GetThreadContext
 0xe936d0 GetSystemInfo
 0xe936d8 GetSystemDirectoryA
 0xe936e0 GetStdHandle
 0xe936e8 GetQueuedCompletionStatusEx
 0xe936f0 GetProcessAffinityMask
 0xe936f8 GetProcAddress
 0xe93700 GetEnvironmentStringsW
 0xe93708 GetConsoleMode
 0xe93710 FreeEnvironmentStringsW
 0xe93718 ExitProcess
 0xe93720 DuplicateHandle
 0xe93728 CreateWaitableTimerExW
 0xe93730 CreateThread
 0xe93738 CreateIoCompletionPort
 0xe93740 CreateFileA
 0xe93748 CreateEventA
 0xe93750 CloseHandle
 0xe93758 AddVectoredExceptionHandler

EAT (Export Address Table): none