popup

Report - DownYGX.exe

CoinMiner Emotet AutoIt Generic Malware UPX Malicious Library Malicious Packer PE File PE32 DLL MSOffice File OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.08.19 14:36 Machine s1_win7_x6401
Filename DownYGX.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
5
 Behavior Score
5.4
ZERO API file : malware
VT API (file) 48 detected (AIDetectMalware, lNoD, malicious, moderate confidence, score, GenericKD, V63a, Autoit, NBT suspicious, Artemis, Siggen5, high, Detected, ai score=82, CoinMiner, Hider, REXR@5364l6, Wacapew, R2WKDE, IJBN, IMWorm, Sohanad, R002H09ET24, confidence, 100%)
md5 36f62b7cdf6f360b0eec74c5a371a102
sha256 203ae82caf5a03e9867245a48cc55b15ce30a0b5407a31207713b44d6c7b9bad
ssdeep 24576:GfK9zUHFpi8/L9fpHsigMWTDHHa6zfQ8RmOVdlPDDSzF05dQK6+:GfKtqFpiulplgTDa6zfZRNfSzuDB6+
imphash 6058ac660564f64af764bdf1e4fe5d2b
impfuzzy 12:VA/DzqYOZkKDD75maKxLAkcOcTQQnd3mxCHXT:V0DBaPD7VKxLAkcOs2k3T
  Network IP location

Signature (13cnts)

Level Description
danger File has been identified by 48 AntiVirus engines on VirusTotal as malicious
watch Deletes executed files from disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info The executable uses a known packer

Rules (15cnts)

Level Name Description Collection
danger CoinMiner_IN CoinMiner binaries (upload)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
warning AutoIt autoit binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://static.yungengxin.com/Soft/Download/Standard_x64_2021.8.15.15832.zip
whois
CN CHINA UNICOM China169 Backbone 42.177.83.87 clean
static.yungengxin.com
whois
CN CHINA UNICOM China169 Backbone 36.249.92.207 clean
42.177.83.87
whois
CN CHINA UNICOM China169 Backbone 42.177.83.87 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x4cf18c LoadLibraryA
 0x4cf190 GetProcAddress
 0x4cf194 VirtualProtect
 0x4cf198 VirtualAlloc
 0x4cf19c VirtualFree
 0x4cf1a0 ExitProcess
ADVAPI32.dll
 0x4cf1a8 GetAce
COMCTL32.dll
 0x4cf1b0 ImageList_Remove
COMDLG32.dll
 0x4cf1b8 GetSaveFileNameW
GDI32.dll
 0x4cf1c0 LineTo
MPR.dll
 0x4cf1c8 WNetUseConnectionW
ole32.dll
 0x4cf1d0 CoInitialize
OLEAUT32.dll
 0x4cf1d8 SysFreeString
PSAPI.DLL
 0x4cf1e0 EnumProcesses
SHELL32.dll
 0x4cf1e8 DragFinish
USER32.dll
 0x4cf1f0 GetDC
USERENV.dll
 0x4cf1f8 LoadUserProfileW
VERSION.dll
 0x4cf200 VerQueryValueW
WININET.dll
 0x4cf208 FtpOpenFileW
WINMM.dll
 0x4cf210 timeGetTime
WSOCK32.dll
 0x4cf218 recv

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure