Report - zzzz1.exe

Tags: Gen1, Generic Malware, Malicious Library, UPX, Antivirus, Malicious Packer, Anti_VM, PE File, PE64, DLL, OS Processor Check, ftp, wget
Created: 2024.08.17 22:14
Machine: s1_win7_x6401
Filename: zzzz1.exe
Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score: Not found
Behavior Score: 3.2
ZERO API (file): malware
VT API (file) 41 detected (AIDetectMalware, Malicious, score, Tedy, Save, Attribute, HighConfidence, high confidence, AGen, D suspicious, MalwareX, tvakw, AMADEY, YXEHLZ, Static AI, Malicious PE, ai score=87, Python, Nuitka, Wacatac, R660067, Artemis, Chgt, Dkjl, KCtEEMJh1xI, confidence, 100%)
md5 a5c740eb48fafb9b25d06c22b6f4a7e9
sha256 93429472073d0794c411a71f2f161aa8d7b8c51606ab497175cc5863fea7fba8
ssdeep 196608:2eoNf7uyka/QRjnlhJPPyEhQVM1LPg8TFhaF08ckcNy9i4KuZp2E8rK:27NFEj3pHhQVEPg8TFhN8eOPKuX2EV
imphash ae21233514eb2e47a60a61ce2f15abb9
impfuzzy 48:p8XOst9nR3nZ+kNPlslEJGp6qJ8k3k1vkqqyesXh:eXdth9nZrNPlYEJGph6k3mkqqh2

Signature (6cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
watch Drops a binary and executes it
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system

Rules (16cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info ftp_command ftp command binaries (download)
info IsDLL (no description) binaries (download)
info IsPE64 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info wget_command wget command binaries (download)

Network (0cnts)

Request | CC | ASN | Co | IP4 | Rule
(no network requests recorded)

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x140048378 CloseHandle
 0x140048380 CopyFileW
 0x140048388 CreateDirectoryW
 0x140048390 CreateFileMappingW
 0x140048398 CreateFileW
 0x1400483a0 CreateProcessW
 0x1400483a8 DeleteCriticalSection
 0x1400483b0 DeleteFileW
 0x1400483b8 EnterCriticalSection
 0x1400483c0 FindResourceA
 0x1400483c8 FormatMessageA
 0x1400483d0 FreeLibrary
 0x1400483d8 GenerateConsoleCtrlEvent
 0x1400483e0 GetCommandLineW
 0x1400483e8 GetCurrentProcessId
 0x1400483f0 GetEnvironmentVariableW
 0x1400483f8 GetExitCodeProcess
 0x140048400 GetFileAttributesW
 0x140048408 GetFileSize
 0x140048410 GetLastError
 0x140048418 GetModuleFileNameW
 0x140048420 GetModuleHandleA
 0x140048428 GetProcAddress
 0x140048430 GetProcessId
 0x140048438 GetStartupInfoW
 0x140048440 GetStdHandle
 0x140048448 GetSystemTimeAsFileTime
 0x140048450 GetTempPathW
 0x140048458 InitializeCriticalSection
 0x140048460 IsDBCSLeadByteEx
 0x140048468 LeaveCriticalSection
 0x140048470 LoadLibraryA
 0x140048478 LoadResource
 0x140048480 LockResource
 0x140048488 MapViewOfFile
 0x140048490 MultiByteToWideChar
 0x140048498 ReadFile
 0x1400484a0 SetConsoleCtrlHandler
 0x1400484a8 SetEnvironmentVariableW
 0x1400484b0 SetUnhandledExceptionFilter
 0x1400484b8 SizeofResource
 0x1400484c0 Sleep
 0x1400484c8 TerminateProcess
 0x1400484d0 TlsGetValue
 0x1400484d8 UnmapViewOfFile
 0x1400484e0 VirtualProtect
 0x1400484e8 VirtualQuery
 0x1400484f0 WaitForSingleObject
 0x1400484f8 WideCharToMultiByte
 0x140048500 WriteFile
msvcrt.dll
 0x140048510 __C_specific_handler
 0x140048518 ___lc_codepage_func
 0x140048520 ___mb_cur_max_func
 0x140048528 __iob_func
 0x140048530 __set_app_type
 0x140048538 __setusermatherr
 0x140048540 __wargv
 0x140048548 __wgetmainargs
 0x140048550 __winitenv
 0x140048558 _amsg_exit
 0x140048560 _cexit
 0x140048568 _commode
 0x140048570 _errno
 0x140048578 _fmode
 0x140048580 _initterm
 0x140048588 _lock
 0x140048590 _onexit
 0x140048598 _unlock
 0x1400485a0 _wcmdln
 0x1400485a8 _wcsdup
 0x1400485b0 _wcsicmp
 0x1400485b8 _wrename
 0x1400485c0 abort
 0x1400485c8 calloc
 0x1400485d0 exit
 0x1400485d8 fprintf
 0x1400485e0 fputc
 0x1400485e8 free
 0x1400485f0 fwrite
 0x1400485f8 localeconv
 0x140048600 malloc
 0x140048608 mbstowcs
 0x140048610 memcpy
 0x140048618 memmove
 0x140048620 memset
 0x140048628 puts
 0x140048630 signal
 0x140048638 strerror
 0x140048640 strlen
 0x140048648 strncmp
 0x140048650 vfprintf
 0x140048658 wcschr
 0x140048660 wcscmp
 0x140048668 wcslen
 0x140048670 wcsncmp
SHELL32.dll
 0x140048680 CommandLineToArgvW
 0x140048688 SHFileOperationW
 0x140048690 SHGetFolderPathW

EAT (Export Address Table): none
