Report - tools.exe

Malicious Library PE File PE32
Created 2024.08.10 12:58 Machine s1_win7_x6401
Filename tools.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score 6
Behavior Score 3.2
ZERO API file : malware
VT API (file) 62 detected (AIDetectMalware, CobaltStrike, Windows, Malicious, score, Cobtstrike, S30482629, tCW@IDoAGBp, Unsafe, CobalStrike, Cobalt, Artifact, GenericRXGK, HacktoolX, Countermeasure, LoaderWinGeneric, Cometer, Rozena, v6hmll7VkYC, AGEN, Static AI, Malicious PE, Detected, ai score=83, HexzoneT, NRPH, R415758, BScope, GdSda, susgen, confidence, 100%)
md5 f2bb9263e5a42975fcaab9b11293d7b2
sha256 fd1b4e248d92c3aa8f5d6e76a7a8b8b5c04ca3e208a39d3effcc7901f5d03e7f
ssdeep 6144:YNbsm37slE8J0vpdNawM8H3cG76A2qMsQYxKlwDba:YbL2JJ00wzHMGMqtQYxxba
imphash f6243a15fa8eee8ee96b5e1144d461f6
impfuzzy 12:QB8wRJR+5TZnJ2cDnWiiARZqRJh7jPXJNiXJGqYUkJGX5XGXKYIk6lTpJquxiZn:Q2kfg1JlDzncJ9LezjX5XGKkoDquQZn

Signature (6cnts)

Level Description
danger File has been identified by 62 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
info Queries for the computername

Rules (3cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts)

Request CC ASN Co IP4 Rule ZERO
http://106.15.184.255:8001/ga.js CN Hangzhou Alibaba Advertising Co.,Ltd. 106.15.184.255 mailcious
106.15.184.255 CN Hangzhou Alibaba Advertising Co.,Ltd. 106.15.184.255 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x45111c CloseHandle
 0x451120 ConnectNamedPipe
 0x451124 CreateFileA
 0x451128 CreateNamedPipeA
 0x45112c CreateThread
 0x451130 DeleteCriticalSection
 0x451134 EnterCriticalSection
 0x451138 GetCurrentProcess
 0x45113c GetCurrentProcessId
 0x451140 GetCurrentThreadId
 0x451144 GetLastError
 0x451148 GetModuleHandleA
 0x45114c GetProcAddress
 0x451150 GetStartupInfoA
 0x451154 GetSystemTimeAsFileTime
 0x451158 GetTickCount
 0x45115c InitializeCriticalSection
 0x451160 LeaveCriticalSection
 0x451164 QueryPerformanceCounter
 0x451168 ReadFile
 0x45116c SetUnhandledExceptionFilter
 0x451170 Sleep
 0x451174 TerminateProcess
 0x451178 TlsGetValue
 0x45117c UnhandledExceptionFilter
 0x451180 VirtualAlloc
 0x451184 VirtualProtect
 0x451188 VirtualQuery
 0x45118c WriteFile
msvcrt.dll
 0x451194 __getmainargs
 0x451198 __initenv
 0x45119c __lconv_init
 0x4511a0 __p__acmdln
 0x4511a4 __p__fmode
 0x4511a8 __set_app_type
 0x4511ac __setusermatherr
 0x4511b0 _amsg_exit
 0x4511b4 _cexit
 0x4511b8 _initterm
 0x4511bc _iob
 0x4511c0 _onexit
 0x4511c4 abort
 0x4511c8 calloc
 0x4511cc exit
 0x4511d0 fprintf
 0x4511d4 free
 0x4511d8 fwrite
 0x4511dc malloc
 0x4511e0 memcpy
 0x4511e4 signal
 0x4511e8 sprintf
 0x4511ec strlen
 0x4511f0 strncmp
 0x4511f4 vfprintf

EAT(Export Address Table) is none
