Report - NamzScript.exe

Generic Malware Malicious Library WinRAR UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE64 OS Processor Check .NET EXE PE32
ScreenShot
Created 2024.08.12 09:04 Machine s1_win7_x6401
Filename NamzScript.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
2
Behavior Score
6.6
ZERO API file : mailcious
VT API (file) 21 detected (AIDetectMalware, malicious, high confidence, Unsafe, Artemis, FileRepMalware, Quasar, Miner, Wacatac, confidence)
md5 a8a06427783374441a977e9beb6560ee
sha256 fb32bf6a840558b8afa72b61e6c2a908f6fe8388c5c00f7b9342412ed97c8ddb
ssdeep 24576:xuDXTIGaPhEYzUzA0/0Qo2KzD9oFl6PeWa2uFAffZCl2bqAViWGZPl4eT69ZOTb:kDjlabwz9CRzG/6m12zLVql69ZIb
imphash b1c5b1beabd90d9fdabd1df0779ea832
impfuzzy 48:S9lOXR7cLbc1XFjsX1Pfc++6s1DCpt0/XyGBzX:Szc7cLbc1XFgX1Pfc++gpt0/XyGBzX
  Network IP location

Signature (15cnts)

Level Description
danger The process wscript.exe wrote an executable file to disk which it then attempted to execute
warning File has been identified by 21 AntiVirus engines on VirusTotal as malicious
watch Drops a binary and executes it
watch One or more non-whitelisted processes were created
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (24cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
watch Win32_WinRAR_SFX_Zero Win32 WinRAR SFX binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE64 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x140048000 LocalFree
 0x140048008 GetLastError
 0x140048010 SetLastError
 0x140048018 FormatMessageW
 0x140048020 GetCurrentProcess
 0x140048028 DeviceIoControl
 0x140048030 SetFileTime
 0x140048038 CloseHandle
 0x140048040 RemoveDirectoryW
 0x140048048 CreateFileW
 0x140048050 DeleteFileW
 0x140048058 CreateHardLinkW
 0x140048060 GetShortPathNameW
 0x140048068 GetLongPathNameW
 0x140048070 MoveFileW
 0x140048078 GetFileType
 0x140048080 GetStdHandle
 0x140048088 WriteFile
 0x140048090 ReadFile
 0x140048098 FlushFileBuffers
 0x1400480a0 SetEndOfFile
 0x1400480a8 SetFilePointer
 0x1400480b0 GetCurrentProcessId
 0x1400480b8 CreateDirectoryW
 0x1400480c0 SetFileAttributesW
 0x1400480c8 GetFileAttributesW
 0x1400480d0 FindClose
 0x1400480d8 FindFirstFileW
 0x1400480e0 FindNextFileW
 0x1400480e8 GetVersionExW
 0x1400480f0 GetModuleFileNameW
 0x1400480f8 SetCurrentDirectoryW
 0x140048100 GetCurrentDirectoryW
 0x140048108 GetFullPathNameW
 0x140048110 FoldStringW
 0x140048118 GetModuleHandleW
 0x140048120 FindResourceW
 0x140048128 FreeLibrary
 0x140048130 GetProcAddress
 0x140048138 ExpandEnvironmentStringsW
 0x140048140 ExitProcess
 0x140048148 SetThreadExecutionState
 0x140048150 Sleep
 0x140048158 LoadLibraryW
 0x140048160 GetSystemDirectoryW
 0x140048168 CompareStringW
 0x140048170 AllocConsole
 0x140048178 FreeConsole
 0x140048180 AttachConsole
 0x140048188 WriteConsoleW
 0x140048190 GetProcessAffinityMask
 0x140048198 CreateThread
 0x1400481a0 SetThreadPriority
 0x1400481a8 InitializeCriticalSection
 0x1400481b0 EnterCriticalSection
 0x1400481b8 LeaveCriticalSection
 0x1400481c0 DeleteCriticalSection
 0x1400481c8 SetEvent
 0x1400481d0 ResetEvent
 0x1400481d8 ReleaseSemaphore
 0x1400481e0 WaitForSingleObject
 0x1400481e8 CreateEventW
 0x1400481f0 CreateSemaphoreW
 0x1400481f8 GetSystemTime
 0x140048200 SystemTimeToTzSpecificLocalTime
 0x140048208 TzSpecificLocalTimeToSystemTime
 0x140048210 SystemTimeToFileTime
 0x140048218 FileTimeToLocalFileTime
 0x140048220 LocalFileTimeToFileTime
 0x140048228 FileTimeToSystemTime
 0x140048230 GetCPInfo
 0x140048238 IsDBCSLeadByte
 0x140048240 MultiByteToWideChar
 0x140048248 WideCharToMultiByte
 0x140048250 GlobalAlloc
 0x140048258 LockResource
 0x140048260 GlobalLock
 0x140048268 GlobalUnlock
 0x140048270 GlobalFree
 0x140048278 GlobalMemoryStatusEx
 0x140048280 LoadResource
 0x140048288 SizeofResource
 0x140048290 GetTimeFormatW
 0x140048298 GetDateFormatW
 0x1400482a0 GetExitCodeProcess
 0x1400482a8 GetLocalTime
 0x1400482b0 GetTickCount
 0x1400482b8 MapViewOfFile
 0x1400482c0 UnmapViewOfFile
 0x1400482c8 CreateFileMappingW
 0x1400482d0 OpenFileMappingW
 0x1400482d8 GetCommandLineW
 0x1400482e0 SetEnvironmentVariableW
 0x1400482e8 GetTempPathW
 0x1400482f0 MoveFileExW
 0x1400482f8 GetLocaleInfoW
 0x140048300 GetNumberFormatW
 0x140048308 SetFilePointerEx
 0x140048310 GetConsoleMode
 0x140048318 GetConsoleCP
 0x140048320 HeapSize
 0x140048328 SetStdHandle
 0x140048330 GetProcessHeap
 0x140048338 FreeEnvironmentStringsW
 0x140048340 GetEnvironmentStringsW
 0x140048348 GetCommandLineA
 0x140048350 GetOEMCP
 0x140048358 IsValidCodePage
 0x140048360 FindNextFileA
 0x140048368 RaiseException
 0x140048370 GetSystemInfo
 0x140048378 VirtualProtect
 0x140048380 VirtualQuery
 0x140048388 LoadLibraryExA
 0x140048390 RtlCaptureContext
 0x140048398 RtlLookupFunctionEntry
 0x1400483a0 RtlVirtualUnwind
 0x1400483a8 UnhandledExceptionFilter
 0x1400483b0 SetUnhandledExceptionFilter
 0x1400483b8 TerminateProcess
 0x1400483c0 IsProcessorFeaturePresent
 0x1400483c8 InitializeCriticalSectionAndSpinCount
 0x1400483d0 WaitForSingleObjectEx
 0x1400483d8 IsDebuggerPresent
 0x1400483e0 GetStartupInfoW
 0x1400483e8 QueryPerformanceCounter
 0x1400483f0 GetCurrentThreadId
 0x1400483f8 GetSystemTimeAsFileTime
 0x140048400 InitializeSListHead
 0x140048408 RtlPcToFileHeader
 0x140048410 RtlUnwindEx
 0x140048418 EncodePointer
 0x140048420 TlsAlloc
 0x140048428 TlsGetValue
 0x140048430 TlsSetValue
 0x140048438 TlsFree
 0x140048440 LoadLibraryExW
 0x140048448 QueryPerformanceFrequency
 0x140048450 GetModuleHandleExW
 0x140048458 GetModuleFileNameA
 0x140048460 GetACP
 0x140048468 HeapFree
 0x140048470 HeapAlloc
 0x140048478 GetStringTypeW
 0x140048480 HeapReAlloc
 0x140048488 LCMapStringW
 0x140048490 FindFirstFileExA
OLEAUT32.dll
 0x1400484a0 SysAllocString
 0x1400484a8 SysFreeString
 0x1400484b0 VariantClear
gdiplus.dll
 0x1400484c0 GdipCloneImage
 0x1400484c8 GdipFree
 0x1400484d0 GdipDisposeImage
 0x1400484d8 GdipCreateBitmapFromStream
 0x1400484e0 GdipCreateHBITMAPFromBitmap
 0x1400484e8 GdiplusStartup
 0x1400484f0 GdiplusShutdown
 0x1400484f8 GdipAlloc

EAT(Export Address Table) Library



Similarity measure (PE file only) - Checking for service failure