Report - pic5.jpg.exe

Tags: Generic Malware, Malicious Library, PE File, PE64
Created 2024.08.04 17:45 Machine s1_win7_x6401
Filename pic5.jpg.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score 5
Behavior Score 4.0
ZERO API (file): malware
VT API (file) 21 detected (AIDetectMalware, malicious, high confidence, Unsafe, V1u9, Kryptik, SleepObf, Kryptik@AI, RDML, FvvkDlCfmSj2WKWCy6wOUA, hemnz, SMOKELOADER, YXEHDZ, high, score, confidence, 100%)
md5 85b1854b81d15ac9116aa200304d7ca0
sha256 f1530d12529d8b0ed379457feee1a7cfc223596f455ea0d0771f414699bc88f5
ssdeep 49152:wv9EtY/18WmXsQyVOwJoNWu1vCHdrWTz+pmjjhnlQD38kF:uWm8sQF1vCMe
imphash f73673078cd62393b9d4c3d33642daf0
impfuzzy 12:omdyHXVhR9EZ1Sm1XRJRJJcDn5ARZqRLAYPXJDCqV0MH/5XGXgEG6eGJNJmo:FdIXV41/1BfjcDqcLV5X0Mf5XGe6Zpd

Signatures (9 counts)

Level Description
warning File has been identified by 21 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local FTP client software
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system

Rules (4 counts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3 counts)

Request CC ASN Co IP4 Rule ZERO
https://mundoparachicas.space/imageFolio.cgi?qehii0w3ze9sn=nO6wgakvlUvUKyvVvRezNJaB0mAvGbPqVKo12a3LOUvhvPrA9eFcs3uIBjr2ICTAiCiRSrnI1BD1Zngf6t0fTw%3D%3D US CLOUDFLARENET 104.21.42.29 clean
mundoparachicas.space US CLOUDFLARENET 104.21.42.29 clean
104.21.42.29 US CLOUDFLARENET 104.21.42.29 clean

Suricata IDS

PE API

IAT (Import Address Table) by library

ADVAPI32.dll
 0x1402681a8 RegOpenKeyA
 0x1402681b0 RegOpenKeyExW
 0x1402681b8 RegOpenKeyW
 0x1402681c0 RegQueryInfoKeyW
 0x1402681c8 RegQueryMultipleValuesW
 0x1402681d0 RegQueryValueA
 0x1402681d8 RegQueryValueExW
KERNEL32.dll
 0x1402681e8 DeleteCriticalSection
 0x1402681f0 EnterCriticalSection
 0x1402681f8 GetLastError
 0x140268200 GetProcAddress
 0x140268208 GetStartupInfoA
 0x140268210 InitializeCriticalSection
 0x140268218 LeaveCriticalSection
 0x140268220 LoadLibraryA
 0x140268228 SetUnhandledExceptionFilter
 0x140268230 Sleep
 0x140268238 TlsAlloc
 0x140268240 TlsGetValue
 0x140268248 TlsSetValue
 0x140268250 VirtualAlloc
 0x140268258 VirtualFree
 0x140268260 VirtualProtect
 0x140268268 VirtualQuery
msvcrt.dll
 0x140268278 __C_specific_handler
 0x140268280 __initenv
 0x140268288 __set_app_type
 0x140268290 __setusermatherr
 0x140268298 _acmdln
 0x1402682a0 _commode
 0x1402682a8 _fmode
 0x1402682b0 _initterm
 0x1402682b8 _ismbblead
 0x1402682c0 _onexit
 0x1402682c8 abort
 0x1402682d0 calloc
 0x1402682d8 free
 0x1402682e0 memcpy
 0x1402682e8 memset
 0x1402682f0 strncmp

EAT (Export Address Table): none