Report - 20230120_2.bin

Tags: Generic Malware, Malicious Packer, PE File, PE64
Created 2024.10.18 10:09 | Machine s1_win7_x6403
Filename 20230120_2.bin
Type PE32+ executable (native subsystem) x86-64, for MS Windows. A native-subsystem image that imports from ntoskrnl.exe and cng.sys is a kernel-mode driver, not a user-mode program.
AI Score: 9
Behavior Score: 1.8
Caveat: a kernel-mode driver cannot be executed by the sandbox simply as a process, so the low behavior score and the empty network section are consistent with the sample never having been loaded; the verdict below rests on static indicators and VirusTotal results, not on observed runtime behavior.
ZERO API (file): malware
VT API (file): 49 detected. Engine labels: AIDetectMalware, Hitbrovi, Malicious, score, Artemis, Ulise, Unsafe, Vhvi, confidence, 100%, high confidence, Agentb, kmqdmq, CLASSIC, edpvz, Tool, FakeCert, Compromised BEIJING XINDA HUANYU CodeSigningCert (vendor label indicating the file carries a signature from a compromised code-signing certificate), Static AI, Malicious PE, R560727, 885UkWm3uEM, PossibleThreat, PALLAS
md5 df090fc9db83229c47d072fca9b3da6b
sha256 9ea773e57823b2f3e65962546e6ae1e89f54c18baf581e8b1eb5e30388dcd67e
ssdeep 3072:cm+HmtKuvwA8M/6L053dFPE0TABxj3Ag9kbhjx9:cm9tKuvH8MN5rPwBx8h19
imphash 118a2343ba7a5763d9034e65dcc58b46
impfuzzy 24:bXIogQgEQXIkg8oJqBuqmiVrQ2qXdYLy8LJ6yPKnbgC8yPhIYO2UgBkMQaQze:kc1ku55TNqRJ6hOyp3
Signatures (3)

Level    Description
danger   File has been identified by 49 AntiVirus engines on VirusTotal as malicious
notice   The binary likely contains encrypted or compressed data indicative of a packer
info     The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4)

Level    Name                    Description              Collection
warning  Generic_Malware_Zero    Generic Malware          binaries (upload)
watch    Malicious_Packer_Zero   Malicious Packer         binaries (upload)
info     IsPE64                  (no description)         binaries (upload)
info     PE_Header_Zero          PE File Signature        binaries (upload)

Network (0)

No requests recorded (Request / CC / ASN / Co / IP4 / Rule columns are empty).

Suricata IDS: no entries listed
PE API

IAT (Import Address Table), by library

cng.sys
 0x140003000 BCryptSetProperty
 0x140003008 BCryptCloseAlgorithmProvider
 0x140003010 BCryptGenerateSymmetricKey
 0x140003018 BCryptDecrypt
 0x140003020 BCryptDestroyKey
 0x140003028 BCryptOpenAlgorithmProvider
ntoskrnl.exe
 0x140003038 RtlInitUnicodeString
 0x140003040 KeWaitForSingleObject
 0x140003048 ExAllocatePoolWithTag
 0x140003050 ExFreePoolWithTag
 0x140003058 MmGetSystemRoutineAddress
 0x140003060 MmProtectMdlSystemAddress
 0x140003068 MmMapLockedPagesSpecifyCache
 0x140003070 MmAllocatePagesForMdlEx
 0x140003078 PsCreateSystemThread
 0x140003080 ObReferenceObjectByHandle
 0x140003088 ObReferenceObjectByHandleWithTag
 0x140003090 ObCloseHandle
 0x140003098 ObfDereferenceObject
 0x1400030a0 ZwCreateFile
 0x1400030a8 ZwReadFile
 0x1400030b0 ZwWriteFile
 0x1400030b8 ZwClose
 0x1400030c0 MmIsAddressValid
 0x1400030c8 IoCreateFileEx
 0x1400030d0 MmFlushImageSection
 0x1400030d8 ZwDeleteFile
 0x1400030e0 IoFileObjectType
 0x1400030e8 RtlGetVersion
 0x1400030f0 ZwQueryInformationFile
 0x1400030f8 MmGetVirtualForPhysical
 0x140003100 KeBugCheckEx

EAT (Export Address Table): none
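The import table above is the most useful static signal in this report: the driver pulls symmetric-key decryption from cng.sys (BCryptOpenAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptDecrypt), allocates and maps MDL-backed pages and changes their protection (MmAllocatePagesForMdlEx, MmMapLockedPagesSpecifyCache, MmProtectMdlSystemAddress), starts a system thread (PsCreateSystemThread), resolves further kernel routines at runtime (MmGetSystemRoutineAddress), and reads, writes and deletes files (ZwCreateFile, ZwReadFile, ZwWriteFile, ZwDeleteFile). That combination is what a practitioner would check for when the sandbox could not load the driver. The script below is an added example written for this page, not code from the sandbox: it transcribes the IAT listed above as constructed input and applies a capability-grouping heuristic that is this example's own assumption, not a sandbox rule. The optional `iat_from_pe` helper builds the same mapping from a real file with the `pefile` library so the same check can be run on the binary itself.

```python
"""Import-table triage for a native (kernel-mode) PE.

Added example for this report, not the sandbox's own code. SAMPLE_IAT is
transcribed from the report's IAT section; the grouping of imports into
capabilities and the loader verdict built from them are this example's
own heuristic (an assumption), not a rule the sandbox applies.
"""

# Transcribed from the report's IAT section (library -> imported symbols).
SAMPLE_IAT = {
    "cng.sys": {
        "BCryptSetProperty", "BCryptCloseAlgorithmProvider",
        "BCryptGenerateSymmetricKey", "BCryptDecrypt", "BCryptDestroyKey",
        "BCryptOpenAlgorithmProvider",
    },
    "ntoskrnl.exe": {
        "RtlInitUnicodeString", "KeWaitForSingleObject",
        "ExAllocatePoolWithTag", "ExFreePoolWithTag",
        "MmGetSystemRoutineAddress", "MmProtectMdlSystemAddress",
        "MmMapLockedPagesSpecifyCache", "MmAllocatePagesForMdlEx",
        "PsCreateSystemThread", "ObReferenceObjectByHandle",
        "ObReferenceObjectByHandleWithTag", "ObCloseHandle",
        "ObfDereferenceObject", "ZwCreateFile", "ZwReadFile", "ZwWriteFile",
        "ZwClose", "MmIsAddressValid", "IoCreateFileEx", "MmFlushImageSection",
        "ZwDeleteFile", "IoFileObjectType", "RtlGetVersion",
        "ZwQueryInformationFile", "MmGetVirtualForPhysical", "KeBugCheckEx",
    },
}

# Heuristic capability map (this example's assumption): a capability fires
# only when every listed symbol is imported from the named library.
CAPABILITIES = {
    "cng_symmetric_decrypt": ("cng.sys", {
        "BCryptOpenAlgorithmProvider", "BCryptGenerateSymmetricKey",
        "BCryptDecrypt"}),
    "mdl_backed_executable_memory": ("ntoskrnl.exe", {
        "MmAllocatePagesForMdlEx", "MmMapLockedPagesSpecifyCache",
        "MmProtectMdlSystemAddress"}),
    "system_thread_start": ("ntoskrnl.exe", {"PsCreateSystemThread"}),
    "runtime_api_resolution": ("ntoskrnl.exe", {"MmGetSystemRoutineAddress"}),
    "file_read_write": ("ntoskrnl.exe", {
        "ZwCreateFile", "ZwReadFile", "ZwWriteFile"}),
    "file_delete": ("ntoskrnl.exe", {"ZwDeleteFile"}),
}

# Capabilities that together describe a decrypt-map-execute kernel loader.
LOADER_PROFILE = ("cng_symmetric_decrypt", "mdl_backed_executable_memory",
                  "system_thread_start")


def matched_capabilities(iat):
    """Return the sorted capability names whose required symbols are all present."""
    by_lib = {lib.lower(): set(syms) for lib, syms in iat.items()}
    hits = []
    for cap, (lib, required) in CAPABILITIES.items():
        if required <= by_lib.get(lib.lower(), set()):
            hits.append(cap)
    return sorted(hits)


def is_kernel_payload_loader(iat):
    """True when the IAT carries every capability in LOADER_PROFILE."""
    return set(LOADER_PROFILE) <= set(matched_capabilities(iat))


def iat_from_pe(path):
    """Build the same library -> symbols mapping from a file on disk with pefile
    (optional dependency, only needed when triaging a binary instead of the
    transcribed table)."""
    import pefile  # pip install pefile
    pe = pefile.PE(path)
    iat = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        lib = entry.dll.decode("ascii", "replace")
        iat[lib] = {imp.name.decode("ascii", "replace")
                    for imp in entry.imports if imp.name}
    return iat


if __name__ == "__main__":
    import sys
    iat = iat_from_pe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_IAT
    for cap in matched_capabilities(iat):
        print("capability:", cap)
    print("kernel payload loader profile:", is_kernel_payload_loader(iat))
```

Run without arguments it evaluates the transcribed table and reports that all six capabilities fire and the loader profile matches; pass a path to evaluate a binary directly. The heuristic is deliberately conservative (every symbol of a group must be present), so legitimate drivers that use only one of the MDL routines or only BCrypt hashing do not trip the loader verdict; treat a match as a triage prompt for manual analysis, not as a conviction on its own.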



Similarity measure (PE file only): not available, the similarity service check failed for this run