popup

Report - 66e571613a5a3_Server.exe

Generic Malware Malicious Library UPX PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.09.22 17:52 Machine s1_win7_x6403
Filename 66e571613a5a3_Server.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
10
 Behavior Score
6.8
ZERO API file : malware
VT API (file) 61 detected (AIDetectMalware, BlackMoon, Malicious, score, Injuke, Graftor, Unsafe, Save, confidence, Attribute, HighConfidence, moderate confidence, A suspicious, TrojanX, Tiggre, hfiybo, Blamon, 4rHQxiKfRp, Siggen18, R002C0DIK24, Real Protect, high, CoinMiner, APosT, Detected, C2Lop, Eldorado, R342429, GenericRXAA, BScope, Gencirc, GenAsa, u1i10E6671M, MalBehav, susgen)
md5 d42e570ec9cf6757af9fbd23f251bdbc
sha256 05659d0fc78d1c952a81863433e7d9cc1570d84e931d19ff5a771627e77c8e1a
ssdeep 3072:/dCkuIzYSve0+BYJC+mcg5ARtOd/nV2aSQbWe:/dCfIBve0+BYJ/mj5A/Y2ahK
imphash 166f31882ac75763588d61777cc50545
impfuzzy 6:om1BJAEoZ/OEGDzyRHCJughdzGbKNEWzT1n:om9ABZG/DzwCMgDmWrzhn
  Network IP location

Signature (12cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 61 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Installs itself for autorun at Windows startup
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Queries for the computername

Rules (7cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (12cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://downapp.baidu.com/appsearch/AndroidPhone/1.0.65.172/1/1012271b/20171027150542/appsearch_AndroidPhone_1-0-65-172_1012271b.apk?responseContentDisposition=attachment%3Bfilename%3D%22appsearch_AndroidPhone_v8.0.3%281.0.65.172%29_1012271b.apk%22&respons
whois
CN Chinanet 60.190.116.35 clean
http://downapp.baidu.com/
whois
CN Chinanet 60.190.116.35 clean
https://en.ipip.net/
whois
US CLOUDFLARENET 104.22.31.153 clean
win.ust.cx
whois
US Shanghai Anchang Network Security Technology Co.,Ltd. 154.91.34.235 clean
downapp.baidu.com
whois
CN Chinanet 60.190.116.35 clean
luoyefeihua.site
whois
Unknown clean
www.ipip.net
whois
US CLOUDFLARENET 172.67.22.102 clean
en.ipip.net
whois
US CLOUDFLARENET 104.22.30.153 clean
60.190.116.35
whois
CN Chinanet 60.190.116.35 clean
154.91.34.235
whois
US Shanghai Anchang Network Security Technology Co.,Ltd. 154.91.34.235 clean
104.22.30.153
whois
US CLOUDFLARENET 104.22.30.153 clean
104.22.31.153
whois
US CLOUDFLARENET 104.22.31.153 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x45e0b4 RegOpenKeyA
KERNEL32.DLL
 0x45e0bc LoadLibraryA
 0x45e0c0 ExitProcess
 0x45e0c4 GetProcAddress
 0x45e0c8 VirtualProtect
MSVCRT.dll
 0x45e0d0 rand
ole32.dll
 0x45e0d8 OleRun
OLEAUT32.dll
 0x45e0e0 SafeArrayDestroy
USER32.dll
 0x45e0e8 wsprintfA
WINHTTP.dll
 0x45e0f0 WinHttpOpen
WS2_32.dll
 0x45e0f8 send

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure