popup

Report - ow.exe

PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.08.20 10:42 Machine s1_win7_x6401
Filename ow.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
AI Score
9
 Behavior Score
7.4
ZERO API file : clean
VT API (file) 51 detected (AIDetect, malware2, Malicious, score, GenericRI, S28495932, Artemis, Barys, Unsafe, Gulpix, Vjy5, Eldorado, Attribute, HighConfidence, high confidence, TrojanX, jswfot, CLOUD, Siggen17, R011C0DK622, GenericRXSX, moderate, A + Mal, Behav, AGEN, ai score=86, ASMalwS, Wacatac, 1DDXPNX, Detected, Osmw, susgen, Genetic)
md5 1a29969a7538662884fffe237d32fbc1
sha256 e2ec72032cfefee79fa379698041762175aeca8d7c3801951e5bd8f4c8d47e89
ssdeep 6144:DOL6crmZTR//VYHBS+9iqVZcuMuyI5GwWAbBh4RurNtN3IVi/sFvhOwoXd1m4Rmn:zcSjMFII5bbERu7N3h6n4Rj
imphash 09d0478591d4f788cb3e5ea416c25237
impfuzzy 3:swBJAEPwS9KTXzhAXwEBJJ67EGVn:dBJAEHGDymVn
  Network IP location

Signature (16cnts)

Level Description
danger File has been identified by 51 AntiVirus engines on VirusTotal as malicious
watch Deletes executed files from disk
watch Detects VMWare through the in instruction feature
watch Network activity contains more than one unique useragent
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info One or more processes crashed
info The executable uses a known packer

Rules (4cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (27cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://cdn.qqb3.com/API/General/lsrpu
whois
US NAMECHEAP-NET 198.54.117.242 clean
http://cdn.cuilet.com/http://cdn.cuilet.com/api/filegoto1/d76b29f56b8bed99
whois
US CNSERVERS 23.225.34.75 clean
http://cdn.qqb3.com/api/filegoto1/d76b29f56b8bed99
whois
US NAMECHEAP-NET 198.54.117.242 clean
http://cdn.cuilet.com/api/filegoto1/d76b29f56b8bed99
whois
US CNSERVERS 23.225.34.75 clean
http://cdn.qqb3.com/API/General/client_log_user
whois
US NAMECHEAP-NET 198.54.117.242 clean
http://cdn.sackow.com/api/filegoto1/d76b29f56b8bed99
whois
US CNSERVERS 23.225.34.75 clean
http://apps.game.qq.com/comm-htdocs/ip/get_ip.php
whois
Unknown 43.129.139.164 clean
https://ip.cn/api/index?ip=cdn.cuilet.com&type=1
whois
US CLOUDFLARENET 104.21.64.12 clean
https://site.ip138.com/domain/read.do?domain=cdn.cuilet.com&time=1724129865281
whois
HK Tencent Building, Kejizhongyi Avenue 124.156.105.121 clean
ip.cn
whois
US CLOUDFLARENET 172.67.174.23 clean
cdn.qqb3.com
whois
US NAMECHEAP-NET 198.54.117.242 clean
21yp37sq.sched.sma.tdnsv5.com
whois
CN CHINA UNICOM China169 Backbone 60.13.97.138 clean
site.ip138.com
whois
HK Tencent Building, Kejizhongyi Avenue 124.156.105.121 clean
d76b29f56b8bed99.gazigz.cn
whois
Unknown clean
58.common.gazigz.cn
whois
Unknown clean
apps.game.qq.com
whois
Unknown 43.129.139.164 clean
cdn.cuilet.com
whois
US CNSERVERS 23.225.34.75 clean
sp0.baidu.com
whois
JP Baidu, Inc. 119.63.197.139 clean
cdn.sackow.com
whois
US CNSERVERS 23.225.34.75 clean
104.21.64.12
whois
US CLOUDFLARENET 104.21.64.12 clean
223.5.5.5
whois
CN Hangzhou Alibaba Advertising Co.,Ltd. 223.5.5.5 clean
43.129.138.220
whois
Unknown 43.129.138.220 clean
124.156.105.121
whois
HK Tencent Building, Kejizhongyi Avenue 124.156.105.121 clean
119.63.197.139
whois
JP Baidu, Inc. 119.63.197.139 clean
198.54.117.242
whois
US NAMECHEAP-NET 198.54.117.242 mailcious
119.176.27.237
whois
CN CHINA UNICOM China169 Backbone 119.176.27.237 clean
23.225.34.75
whois
US CNSERVERS 23.225.34.75 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Check Domain in DNS Lookup (ip .cn)
ET INFO Observed External IP Lookup Domain (ip .cn in TLS SNI)
ET Threatview.io High Confidence Cobalt Strike C2 IP group 4

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x4b43e0 LoadLibraryA
 0x4b43e4 GetProcAddress
 0x4b43e8 VirtualAlloc
 0x4b43ec VirtualFree

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure