Report - update.exe

Malicious Library PE File PE64
Created 2024.09.30 09:37 Machine s1_win7_x6401
Filename update.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
10
Behavior Score
3.8
ZERO API file : malware
VT API (file) 56 detected (AIDetectMalware, Malicious, score, Dump, Marte, Unsafe, CobaltStrike, confidence, 100%, Genus, Cobalt, Windows, Artifact, CLASSIC, AGEN, COBEACON, Static AI, Malicious PE, CozyDuke, Detected, Kryptik, R363496, GdSda, Cobalstrike, susgen)
md5 dc66a0481a259a5c8820880822ff0b3a
sha256 a8a1a9e80fd7d0ce85227bafd2ec004d2cb52d7e37744cd37bd3641c946822ef
ssdeep 192:bV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2OcJWF8qa1Dojjgi:1qaCF31cix+Dc4zjbjFF46gi
imphash 147442e63270e287ed57d33257638324
impfuzzy 24:Q2kfg1JlDzncJ9aa0mezlMG95XGDZykoDquQZn:gfg1jcJbezlRJGVykoqz

Signature (7cnts)

Level Description
danger File has been identified by 56 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Network activity contains more than one unique useragent
notice A process attempted to delay the analysis task
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
info Queries for the computername

Rules (3cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
http://47.239.242.141:9999/s9bO Unknown 47.239.242.141 clean
http://47.239.242.141:9999/updates.rss Unknown 47.239.242.141 clean
47.239.242.141 Unknown 47.239.242.141 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x409224 CloseHandle
 0x40922c ConnectNamedPipe
 0x409234 CreateFileA
 0x40923c CreateNamedPipeA
 0x409244 CreateThread
 0x40924c DeleteCriticalSection
 0x409254 EnterCriticalSection
 0x40925c GetCurrentProcess
 0x409264 GetCurrentProcessId
 0x40926c GetCurrentThreadId
 0x409274 GetLastError
 0x40927c GetModuleHandleA
 0x409284 GetProcAddress
 0x40928c GetStartupInfoA
 0x409294 GetSystemTimeAsFileTime
 0x40929c GetTickCount
 0x4092a4 InitializeCriticalSection
 0x4092ac LeaveCriticalSection
 0x4092b4 QueryPerformanceCounter
 0x4092bc ReadFile
 0x4092c4 RtlAddFunctionTable
 0x4092cc RtlCaptureContext
 0x4092d4 RtlLookupFunctionEntry
 0x4092dc RtlVirtualUnwind
 0x4092e4 SetUnhandledExceptionFilter
 0x4092ec Sleep
 0x4092f4 TerminateProcess
 0x4092fc TlsGetValue
 0x409304 UnhandledExceptionFilter
 0x40930c VirtualAlloc
 0x409314 VirtualProtect
 0x40931c VirtualQuery
 0x409324 WriteFile
msvcrt.dll
 0x409334 __C_specific_handler
 0x40933c __getmainargs
 0x409344 __initenv
 0x40934c __iob_func
 0x409354 __lconv_init
 0x40935c __set_app_type
 0x409364 __setusermatherr
 0x40936c _acmdln
 0x409374 _amsg_exit
 0x40937c _cexit
 0x409384 _fmode
 0x40938c _initterm
 0x409394 _onexit
 0x40939c abort
 0x4093a4 calloc
 0x4093ac exit
 0x4093b4 fprintf
 0x4093bc free
 0x4093c4 fwrite
 0x4093cc malloc
 0x4093d4 memcpy
 0x4093dc signal
 0x4093e4 sprintf
 0x4093ec strlen
 0x4093f4 strncmp
 0x4093fc vfprintf

EAT(Export Address Table) is none

Similarity measure (PE file only)