Report - pei.exe

Tags: Generic Malware, Downloader, Admin Tool (Sysinternals etc ...), UPX, Malicious Library, Malicious Packer, PE File, PE32
Created 2024.07.16 11:01 Machine s1_win7_x6401
Filename pei.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 12.4
ZERO API (file): clean
VT API (file) 57 detected (AIDetectMalware, Phorpiex, malicious, high confidence, score, Artemis, Unsafe, Mint, Zard, Vou2, Attribute, HighConfidence, GenKryptik, GPGJ, CrypterX, ClipBanker, TrojanBanker, knavfq, CLASSIC, hesfh, DownLoader46, DLDER, Detected, ai score=86, HeurC, KVMH017, Eldorado, ZexaCO, auW@aSv79Qii, BScope, Caynamer, GdSda, Gencirc, lKXkZXT+0Hk, Static AI, Malicious PE, susgen, confidence, RK8PHU)
md5 8d8e6c7952a9dc7c0c73911c4dbc5518
sha256 feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278
ssdeep 96:zMn7AN23D0TXraYgnY1dTNDiIp+BYA8vrcVO15uJxGE9YUBz2qh3C7tCEkC:A7ANUYhUYPtp+OFMJxTmUBzthckC
imphash 7fda7734b056db13fe95f35927509e47
impfuzzy 12:I4sspNKR4yAaw1DGZ4GnXf3D1FW297t7xCmQLIMLjubw6LYrSjPXJYQAEsy2uORq:BGqaNnv5FFCmoLrSLTN/2uOnX8+hUdbL

Signatures (20)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 57 AntiVirus engines on VirusTotal as malicious
danger Disables Windows Security features
danger Stops Windows services
warning Generates some ICMP traffic
watch Attempts to disable Windows Auto Updates
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Modifies security center warnings
watch Network activity contains more than one unique useragent
notice A process attempted to delay the analysis task
notice An executable file was downloaded by the process pei.exe
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info Checks if process is being debugged by a debugger

Rules (13)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Network_Downloader File Downloader binaries (download)
watch Network_Downloader File Downloader binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (21)

Request CC ASN Co IP4 Rule ZERO
http://twizt.net/newtpp.exe Unknown 185.215.113.66 clean
http://185.215.113.66/3 Unknown 185.215.113.66 26696 malicious
http://185.215.113.66/2 Unknown 185.215.113.66 26695 malicious
http://twizt.net/peinstall.php Unknown 185.215.113.66 clean
http://185.215.113.66/1 Unknown 185.215.113.66 26694 malicious
twizt.net Unknown 185.215.113.66 malware
www.update.microsoft.com US MICROSOFT-CORP-MSN-AS-BLOCK 20.72.235.82 clean
188.240.99.47 YE Public Telecommunication Corporation 188.240.99.47 clean
46.167.131.62 IR Dadeh Gostar Asr Novin P.J.S. Co. 46.167.131.62 clean
2.183.107.200 IR Iran Telecommunication Company PJS 2.183.107.200 clean
78.39.225.27 IR Iran Telecommunication Company PJS 78.39.225.27 clean
31.25.131.226 IR Asiatech Data Transmission company 31.25.131.226 clean
20.72.235.82 US MICROSOFT-CORP-MSN-AS-BLOCK 20.72.235.82 clean
178.90.117.247 KZ JSC Kazakhtelecom 178.90.117.247 clean
151.233.182.0 IR Iran Telecommunication Company PJS 151.233.182.0 clean
188.212.185.135 IR Iran Telecommunication Company PJS 188.212.185.135 clean
5.104.215.231 IR Iran Telecommunication Company PJS 5.104.215.231 clean
151.243.192.202 IR Aria Shatel Company Ltd 151.243.192.202 clean
5.200.174.76 IR Iran Telecommunication Company PJS 5.200.174.76 clean
43.246.243.120 IN Omkar Infotech 43.246.243.120 clean
185.215.113.66 Unknown 185.215.113.66 malware

PE API

IAT (Import Address Table) Library

SHLWAPI.dll
 0x4020d0 PathFileExistsW
MSVCR90.dll
 0x402054 __set_app_type
 0x402058 ?terminate@@YAXXZ
 0x40205c _unlock
 0x402060 _encode_pointer
 0x402064 _lock
 0x402068 _onexit
 0x40206c _decode_pointer
 0x402070 _except_handler4_common
 0x402074 _invoke_watson
 0x402078 _controlfp_s
 0x40207c __p__fmode
 0x402080 __p__commode
 0x402084 _adjust_fdiv
 0x402088 __setusermatherr
 0x40208c _configthreadlocale
 0x402090 _initterm_e
 0x402094 _initterm
 0x402098 _acmdln
 0x40209c exit
 0x4020a0 _ismbblead
 0x4020a4 _XcptFilter
 0x4020a8 _exit
 0x4020ac _cexit
 0x4020b0 __getmainargs
 0x4020b4 _amsg_exit
 0x4020b8 srand
 0x4020bc rand
 0x4020c0 memset
 0x4020c4 __dllonexit
 0x4020c8 _crt_debugger_hook
WININET.dll
 0x4020e0 InternetOpenA
 0x4020e4 InternetOpenUrlA
 0x4020e8 InternetOpenW
 0x4020ec InternetOpenUrlW
 0x4020f0 InternetReadFile
 0x4020f4 InternetCloseHandle
urlmon.dll
 0x4020fc URLDownloadToFileW
KERNEL32.dll
 0x402000 SetUnhandledExceptionFilter
 0x402004 GetStartupInfoA
 0x402008 GetTickCount
 0x40200c ExpandEnvironmentStringsW
 0x402010 CreateFileW
 0x402014 WriteFile
 0x402018 CloseHandle
 0x40201c DeleteFileW
 0x402020 CreateProcessW
 0x402024 Sleep
 0x402028 QueryPerformanceCounter
 0x40202c GetCurrentThreadId
 0x402030 GetCurrentProcessId
 0x402034 GetSystemTimeAsFileTime
 0x402038 TerminateProcess
 0x40203c GetCurrentProcess
 0x402040 UnhandledExceptionFilter
 0x402044 IsDebuggerPresent
 0x402048 InterlockedCompareExchange
 0x40204c InterlockedExchange
USER32.dll
 0x4020d8 wsprintfW

EAT (Export Address Table): none