Report - build9.exe

Tags Generic Malware, Malicious Library, PE File, PE64
Created 2024.08.26 09:42 Machine s1_win7_x6403
Filename build9.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
5
Behavior Score
4.6
ZERO API file : malware
VT API (file) 50 detected (AIDetectMalware, SleepObf, malicious, high confidence, score, GenericKD, Unsafe, Kryptik, Vc2e, Attribute, HighConfidence, Artemis, CrypterX, CLOUD, icaaj, AMADEY, YXEHTZ, moderate, Detected, ai score=82, Phonzy, Wacatac, TrojanX, Chgt, Gencirc, susgen, confidence, 100%, B9nj)
md5 4e18e7b1280ebf97a945e68cda93ce33
sha256 30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d
ssdeep 49152:8i1FLAGEVvj+rY5gisiOrG5Xa+y0qdrANNf5eKX:tMhqWBIQX
imphash 7ef8d58ff9037925d777e78c004fde83
impfuzzy 12:omdiw1Sm1w1XRJRJJcDn5ARZqRLAYPXJDCqV0MH/5XGXgEG6eGJNJmo:Fdv1/1w1BfjcDqcLV5X0Mf5XGe6Zpd

Signature (10cnts)

Level Description
danger File has been identified by 50 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local FTP client software
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Queries for the computername

Rules (4cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
https://jirafasaltas.fun/b3-205451?um3ickbumck=jtrAm6FtGDmmrAtei2CBfxKwUe2D8I1G8jaRTth%2BhOJvhN50mwPlZBcgVsKnGVYei25HaV5GyBWUn1y8fD5lWg%3D%3D US CLOUDFLARENET 172.67.193.102 clean
jirafasaltas.fun US CLOUDFLARENET 172.67.193.102 clean
172.67.193.102 US CLOUDFLARENET 172.67.193.102 malware

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x14025d198 RegOpenKeyA
 0x14025d1a0 RegQueryInfoKeyA
 0x14025d1a8 RegQueryValueA
 0x14025d1b0 RegQueryValueExA
 0x14025d1b8 RegQueryValueExW
KERNEL32.dll
 0x14025d1c8 DeleteCriticalSection
 0x14025d1d0 EnterCriticalSection
 0x14025d1d8 GetLastError
 0x14025d1e0 GetProcAddress
 0x14025d1e8 GetStartupInfoA
 0x14025d1f0 InitializeCriticalSection
 0x14025d1f8 LeaveCriticalSection
 0x14025d200 LoadLibraryA
 0x14025d208 SetUnhandledExceptionFilter
 0x14025d210 Sleep
 0x14025d218 TlsAlloc
 0x14025d220 TlsGetValue
 0x14025d228 TlsSetValue
 0x14025d230 VirtualAlloc
 0x14025d238 VirtualFree
 0x14025d240 VirtualProtect
 0x14025d248 VirtualQuery
msvcrt.dll
 0x14025d258 __C_specific_handler
 0x14025d260 __initenv
 0x14025d268 __set_app_type
 0x14025d270 __setusermatherr
 0x14025d278 _acmdln
 0x14025d280 _commode
 0x14025d288 _fmode
 0x14025d290 _initterm
 0x14025d298 _ismbblead
 0x14025d2a0 _onexit
 0x14025d2a8 abort
 0x14025d2b0 calloc
 0x14025d2b8 free
 0x14025d2c0 memcpy
 0x14025d2c8 memset
 0x14025d2d0 strncmp

EAT(Export Address Table) is none
