Report - sWsmPty.exe

Generic Malware Malicious Library PE File PE64
Created 2024.09.03 09:06 Machine s1_win7_x6403
Filename sWsmPty.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
5
Behavior Score
4.4
ZERO API file : malware
VT API (file) 48 detected (AIDetectMalware, SleepObf, malicious, high confidence, score, Qakbot, GenericKD, Unsafe, Kryptik, Vyf6, Attribute, HighConfidence, Artemis, CrypterX, CLOUD, gnqru, GenKD, Detected, ai score=81, Wacatac, Casdet, R664519, Outbreak, Bdhl, confidence, B9nj)
md5 478124644da5f82d2c803238a413cd96
sha256 33083ee177bd4115c68c1ef987ab692855fbd1b621a852239a125a32a8775d1f
ssdeep 49152:HbbLnamXhOeAUFyHeZNIsx/h8MZlzYJON6mnsoi874bNO5t7J:mUnZHz
imphash 45139a94dafe252fbbb16ac605dbb6f7
impfuzzy 12:omhRmhR9EZ1ORJRxOovLJcDn5ARZqRLAYPXJDCqV0MH/5XGXgEG6eGJNJmo:FG41+fxOov1cDqcLV5X0Mf5XGe6Zpd

Signature (9cnts)

Level Description
danger File has been identified by 48 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local FTP client software
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system

Rules (4cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
https://animalesfans.space/park?jpkr7rxhi=LXc8pXq%2B90Dqtjn83Fl3FLo0pHPLDPLaSKYnB%2FH72B5yCdr0JCJOZKWkStPG67hyYHv9uiy27egbaPaFEIaCVQ%3D%3D US CLOUDFLARENET 172.67.180.170 clean
animalesfans.space US CLOUDFLARENET 172.67.180.170 clean
172.67.180.170 US CLOUDFLARENET 172.67.180.170 clean

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x140262190 RegQueryMultipleValuesA
 0x140262198 RegQueryMultipleValuesW
 0x1402621a0 RegQueryValueA
KERNEL32.dll
 0x1402621b0 DeleteCriticalSection
 0x1402621b8 EnterCriticalSection
 0x1402621c0 GetCommandLineA
 0x1402621c8 GetLastError
 0x1402621d0 GetProcAddress
 0x1402621d8 GetStartupInfoA
 0x1402621e0 InitializeCriticalSection
 0x1402621e8 LeaveCriticalSection
 0x1402621f0 LoadLibraryA
 0x1402621f8 SetUnhandledExceptionFilter
 0x140262200 Sleep
 0x140262208 TlsAlloc
 0x140262210 TlsGetValue
 0x140262218 TlsSetValue
 0x140262220 VirtualAlloc
 0x140262228 VirtualFree
 0x140262230 VirtualProtect
 0x140262238 VirtualQuery
msvcrt.dll
 0x140262248 __C_specific_handler
 0x140262250 __initenv
 0x140262258 __set_app_type
 0x140262260 __setusermatherr
 0x140262268 _acmdln
 0x140262270 _commode
 0x140262278 _fmode
 0x140262280 _initterm
 0x140262288 _ismbblead
 0x140262290 _onexit
 0x140262298 abort
 0x1402622a0 calloc
 0x1402622a8 free
 0x1402622b0 memcpy
 0x1402622b8 memset
 0x1402622c0 strncmp

EAT(Export Address Table) is none