Report - Session.exe

Tags: Malicious Library, PE File, PE64
Created: 2024.09.30 11:34    Machine: s1_win7_x6401
Filename: Session.exe
Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score: 10
Behavior Score: 4.0
ZERO API (file): malware
VT API (file): 56 detected (AIDetectMalware, CobaltStrike, Malicious, score, Dump, Marte, Unsafe, confidence, 100%, Genus, Cobalt, Windows, Artifact, CLASSIC, AGEN, COBEACON, CozyDuke, Detected, Kryptik, R363496, GdSda, Cobalstrike)
md5: 370dcc1d0729d93d08255de011febaa4
sha256: 722359ebd46ace2d25802959791ae3f6af433451d81b915cdb72890cbba357ef
ssdeep: 192:yV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/28pZkEtNx/WF8qa1Dojjgi:8qaCF31cix+Dc4zjPwFFF46gi
imphash: 147442e63270e287ed57d33257638324
impfuzzy: 24:Q2kfg1JlDzncJ9aa0mezlMG95XGDZykoDquQZn:gfg1jcJbezlRJGVykoqz

Signatures (5 counts)

Level   Description
danger  Connects to IP addresses that are no longer responding to requests (legitimate services usually stay up and running)
danger  File has been identified by 56 AntiVirus engines on VirusTotal as malicious
watch   Communicates with a host for which no DNS query was performed
notice  Changes read-write memory protection to read-execute (likely to avoid the detection that requesting RWX in a single call would trigger)
info    One or more processes crashed
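The "notice" signature above is the classic two-step staging pattern: allocate a buffer as PAGE_READWRITE, fill it (here most likely via ReadFile on the named pipe the binary imports), then flip it to PAGE_EXECUTE_READ with VirtualProtect and start a thread in it. The following script is an added example, not part of the sandbox report or its rule set: it runs that detection over a constructed API-call trace whose "Api key=value ..." line format is an assumption made for this example. Alerts are graded the way the report grades them (a quiet RW->RX flip is "notice", a direct RWX request or a thread started inside a flipped region is "danger").

```python
import re
from dataclasses import dataclass

# Windows page-protection constants (winnt.h).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE_* value

# Constructed API-call trace in an assumed "Api key=value ..." format. It is
# example input written for this script, not output of the sandbox report;
# it mirrors the report's import set (ReadFile from a pipe into a fresh buffer).
SAMPLE_TRACE = """\
VirtualAlloc base=0x0 size=0x2000 type=0x3000 protect=0x04 ret=0x230000
ReadFile handle=0x9c buf=0x230000 len=0x1f40 ret=1
VirtualProtect base=0x230000 size=0x2000 protect=0x20 old=0x04 ret=1
CreateThread start=0x230000 param=0x0 ret=0x14c
VirtualAlloc base=0x0 size=0x1000 type=0x1000 protect=0x04 ret=0x240000
VirtualProtect base=0x240000 size=0x1000 protect=0x02 old=0x04 ret=1
"""


@dataclass
class Region:
    base: int
    size: int
    protect: int
    flipped: bool = False   # went from non-executable to executable

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


def parse_call(line):
    """Split 'Api k=v k=v' into the API name and an int-valued argument dict."""
    api, _, rest = line.strip().partition(" ")
    args = {}
    for kv in rest.split():
        key, value = kv.split("=", 1)
        args[key] = int(value, 0)          # accepts 0x... and plain decimals
    return api, args


def find_region(regions, addr):
    for r in regions:
        if r.contains(addr):
            return r
    return None


def analyze(trace):
    """Return (level, message) alerts for staged-execution patterns."""
    regions, alerts = [], []
    for line in trace.splitlines():
        if not line.strip():
            continue
        api, a = parse_call(line)
        if api == "VirtualAlloc" and a.get("ret"):
            r = Region(a["ret"], a["size"], a["protect"])
            regions.append(r)
            if a["protect"] == PAGE_EXECUTE_READWRITE:
                alerts.append(("danger", f"RWX allocation at {r.base:#x}"))
        elif api == "VirtualProtect" and a.get("ret"):
            r = find_region(regions, a["base"])
            new = a["protect"]
            # For memory we did not see allocated (image/heap) fall back to the
            # old-protection value the call reported.
            old = r.protect if r else a.get("old", 0)
            if not (old & EXECUTE_MASK) and (new & EXECUTE_MASK):
                level = "danger" if new == PAGE_EXECUTE_READWRITE else "notice"
                origin = "memory not allocated in trace" if r is None else f"buffer allocated with {old:#x}"
                alerts.append((level, f"protection {old:#x} -> {new:#x} at {a['base']:#x} ({origin})"))
                if r:
                    r.flipped = True
            if r:
                r.protect = new
        elif api == "CreateThread":
            r = find_region(regions, a["start"])
            if r and r.flipped:
                alerts.append(("danger", f"CreateThread start {a['start']:#x} inside region flipped to executable"))
    return alerts


if __name__ == "__main__":
    for level, msg in analyze(SAMPLE_TRACE):
        print(f"{level:7} {msg}")
```

The second allocation in the sample is the control case: a RW buffer that is later made read-only produces no alert, which is why the check keys on the execute bit appearing rather than on any VirtualProtect call.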

Rules (3 counts)

Level   Name                    Description                  Collection
watch   Malicious_Library_Zero  Malicious_Library            binaries (upload)
info    IsPE64                  (no description)             binaries (upload)
info    PE_Header_Zero          PE File Signature            binaries (upload)

Network (1 count)

Request          CC  ASN/Company       IP4             Rule  ZERO
89.197.154.115   GB  Virtual1 Limited  89.197.154.115        malware

Suricata IDS: (no alerts listed)

PE API

IAT (Import Address Table)

KERNEL32.dll
 0x409224 CloseHandle
 0x40922c ConnectNamedPipe
 0x409234 CreateFileA
 0x40923c CreateNamedPipeA
 0x409244 CreateThread
 0x40924c DeleteCriticalSection
 0x409254 EnterCriticalSection
 0x40925c GetCurrentProcess
 0x409264 GetCurrentProcessId
 0x40926c GetCurrentThreadId
 0x409274 GetLastError
 0x40927c GetModuleHandleA
 0x409284 GetProcAddress
 0x40928c GetStartupInfoA
 0x409294 GetSystemTimeAsFileTime
 0x40929c GetTickCount
 0x4092a4 InitializeCriticalSection
 0x4092ac LeaveCriticalSection
 0x4092b4 QueryPerformanceCounter
 0x4092bc ReadFile
 0x4092c4 RtlAddFunctionTable
 0x4092cc RtlCaptureContext
 0x4092d4 RtlLookupFunctionEntry
 0x4092dc RtlVirtualUnwind
 0x4092e4 SetUnhandledExceptionFilter
 0x4092ec Sleep
 0x4092f4 TerminateProcess
 0x4092fc TlsGetValue
 0x409304 UnhandledExceptionFilter
 0x40930c VirtualAlloc
 0x409314 VirtualProtect
 0x40931c VirtualQuery
 0x409324 WriteFile
msvcrt.dll
 0x409334 __C_specific_handler
 0x40933c __getmainargs
 0x409344 __initenv
 0x40934c __iob_func
 0x409354 __lconv_init
 0x40935c __set_app_type
 0x409364 __setusermatherr
 0x40936c _acmdln
 0x409374 _amsg_exit
 0x40937c _cexit
 0x409384 _fmode
 0x40938c _initterm
 0x409394 _onexit
 0x40939c abort
 0x4093a4 calloc
 0x4093ac exit
 0x4093b4 fprintf
 0x4093bc free
 0x4093c4 fwrite
 0x4093cc malloc
 0x4093d4 memcpy
 0x4093dc signal
 0x4093e4 sprintf
 0x4093ec strlen
 0x4093f4 strncmp
 0x4093fc vfprintf

EAT (Export Address Table): none
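The import table above is small and telling. The msvcrt.dll set (__getmainargs, __set_app_type, _initterm, __C_specific_handler and friends) is the startup code a MinGW-w64 build pulls in, and the KERNEL32 set is a named-pipe server (CreateNamedPipeA, ConnectNamedPipe, ReadFile) next to the stage-and-run trio (VirtualAlloc, VirtualProtect, CreateThread), which is consistent with the "Artifact" and "COBEACON" labels in the VT results. The imphash printed in the report is an MD5 over exactly this list, so it can be recomputed from the listing and used to pivot to other samples built from the same loader source. The script below is an added example, not code from the report or from any sandbox; it re-derives the imphash from the imports as listed and applies a capability grouping that is the author's own heuristic, not one of the report's rules. If the listing above is complete and in IAT order the computed hash equals 147442e63270e287ed57d33257638324; a mismatch would mean the page's listing is truncated or reordered, not that the report is wrong.

```python
import hashlib

# Import table as listed in the report above, in IAT order. The 0x4092xx
# slot addresses are omitted because imphash does not use them.
REPORT_IMPORTS = {
    "KERNEL32.dll": [
        "CloseHandle", "ConnectNamedPipe", "CreateFileA", "CreateNamedPipeA",
        "CreateThread", "DeleteCriticalSection", "EnterCriticalSection",
        "GetCurrentProcess", "GetCurrentProcessId", "GetCurrentThreadId",
        "GetLastError", "GetModuleHandleA", "GetProcAddress", "GetStartupInfoA",
        "GetSystemTimeAsFileTime", "GetTickCount", "InitializeCriticalSection",
        "LeaveCriticalSection", "QueryPerformanceCounter", "ReadFile",
        "RtlAddFunctionTable", "RtlCaptureContext", "RtlLookupFunctionEntry",
        "RtlVirtualUnwind", "SetUnhandledExceptionFilter", "Sleep",
        "TerminateProcess", "TlsGetValue", "UnhandledExceptionFilter",
        "VirtualAlloc", "VirtualProtect", "VirtualQuery", "WriteFile",
    ],
    "msvcrt.dll": [
        "__C_specific_handler", "__getmainargs", "__initenv", "__iob_func",
        "__lconv_init", "__set_app_type", "__setusermatherr", "_acmdln",
        "_amsg_exit", "_cexit", "_fmode", "_initterm", "_onexit", "abort",
        "calloc", "exit", "fprintf", "free", "fwrite", "malloc", "memcpy",
        "signal", "sprintf", "strlen", "strncmp", "vfprintf",
    ],
}
REPORT_IMPHASH = "147442e63270e287ed57d33257638324"   # value printed in the report

# Capability grouping over API names. These groups are the author's own
# triage heuristic for this example, not sandbox or YARA rules.
CAPABILITY_GROUPS = {
    "stage buffer + protection flip (VirtualAlloc, VirtualProtect)":
        {"VirtualAlloc", "VirtualProtect"},
    "named-pipe server IPC (CreateNamedPipeA, ConnectNamedPipe, ReadFile)":
        {"CreateNamedPipeA", "ConnectNamedPipe", "ReadFile"},
    "runtime API resolution (GetModuleHandleA, GetProcAddress)":
        {"GetModuleHandleA", "GetProcAddress"},
    "new thread for staged code (CreateThread)": {"CreateThread"},
}


def import_string(imports):
    """Canonical string that imphash hashes: 'lib.func' pairs in IAT order,
    lowercase, comma-joined, with a .dll/.ocx/.sys suffix dropped from the
    library name (the same normalisation pefile applies)."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = stem
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def capability_groups(imports):
    present = {f for funcs in imports.values() for f in funcs}
    return [name for name, needed in CAPABILITY_GROUPS.items() if needed <= present]


def matches_report(imports):
    """True when the listed IAT reproduces the report's imphash."""
    return imphash(imports) == REPORT_IMPHASH


if __name__ == "__main__":
    print("imphash of listed IAT :", imphash(REPORT_IMPORTS))
    print("report imphash        :", REPORT_IMPHASH)
    print("listing reproduces it :", matches_report(REPORT_IMPORTS))
    for group in capability_groups(REPORT_IMPORTS):
        print("capability:", group)
```

Imports by ordinal would need the ordinal-to-name tables imphash uses for known DLLs; none occur here, so the plain name path is enough. The capability groups are deliberately coarse: every one of them also appears in legitimate software, and it is the combination (a pipe server that turns what it reads into a thread) together with the report's behaviour signatures that makes the sample worth the "danger" rating, not any single import.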
