Report - tdrp.exe

UPX PE File PE32
Created 2024.10.12 18:47 Machine s1_win7_x6401
Filename tdrp.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 3.4
ZERO API (file): malware
VT API (file): 50 detected (AIDetectMalware, CliptoShuffler, Malicious, score, Artemis, Lazy, Attribute, HighConfidence, high confidence, Phorpiex, TrojanBanker, CLOUD, AGEN, Siggen29, Detected, Wacatac, ABTrojan, QLHS, FCEQ, Chgt, R002H09J924, Wdkl, PossibleThreat)
md5 21b61b3680c5e66f9f7b1f3026327757
sha256 8de13f64aab532c0bbd3d38cc821ba6fa67ccfadde9cffd14944cc9d85830f4a
ssdeep 192:MNUGDWCn+rYeumelDB2JkknJxTqth7cccccccccccccccccccccccccccccccccA:AU5C+rU9lDAJnuz
imphash 45a55f64fd35b86e579e491145bcda68
impfuzzy 12:wpNKRkHGnyAaw1ic4GnXf3D1FW297t7RXJwdqzTZvhPPXJYsTd9wd9CA/DK89tL:wGkmhiqnv5F171v9vUdI0DK89tL

Signature (6 counts)

Level Description
danger File has been identified by 50 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice An executable file was downloaded by the process tdrp.exe
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests

Rules (3 counts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3 counts)

Request CC ASN Co IP4 Rule ZERO
http://185.215.113.66/tdrpl.exe Unknown 185.215.113.66 39702 malicious
185.215.113.66 Unknown 185.215.113.66 malware
125.253.92.50 AU FireNet Pty Ltd 125.253.92.50 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

MSVCR90.dll
 0x402048 _encode_pointer
 0x40204c __set_app_type
 0x402050 ?terminate@@YAXXZ
 0x402054 _unlock
 0x402058 __dllonexit
 0x40205c __p__fmode
 0x402060 _onexit
 0x402064 _decode_pointer
 0x402068 _except_handler4_common
 0x40206c _invoke_watson
 0x402070 _controlfp_s
 0x402074 _crt_debugger_hook
 0x402078 __p__commode
 0x40207c _adjust_fdiv
 0x402080 __setusermatherr
 0x402084 _configthreadlocale
 0x402088 _initterm_e
 0x40208c _initterm
 0x402090 _acmdln
 0x402094 exit
 0x402098 _ismbblead
 0x40209c _XcptFilter
 0x4020a0 _exit
 0x4020a4 _cexit
 0x4020a8 __getmainargs
 0x4020ac _amsg_exit
 0x4020b0 srand
 0x4020b4 rand
 0x4020b8 _lock
 0x4020bc mbstowcs
KERNEL32.dll
 0x402000 UnhandledExceptionFilter
 0x402004 GetCurrentProcess
 0x402008 TerminateProcess
 0x40200c GetSystemTimeAsFileTime
 0x402010 GetCurrentProcessId
 0x402014 GetCurrentThreadId
 0x402018 QueryPerformanceCounter
 0x40201c SetUnhandledExceptionFilter
 0x402020 GetStartupInfoA
 0x402024 InterlockedCompareExchange
 0x402028 InterlockedExchange
 0x40202c Sleep
 0x402030 LoadLibraryA
 0x402034 GetProcAddress
 0x402038 GetTickCount
 0x40203c FreeLibrary
 0x402040 IsDebuggerPresent
USER32.dll
 0x4020c4 wsprintfW

EAT (Export Address Table): none
