Report - wintoolsone64.exe

Generic Malware Malicious Library Malicious Packer UPX Anti_VM PE File DllRegisterServer dll PE32 OS Processor Check
Created 2024.10.30 09:33 Machine s1_win7_x6401
Filename wintoolsone64.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score Not found
Behavior Score 0.8
ZERO API file : clean
VT API (file) 12 detected (AIDetectMalware, Attribute, HighConfidence, malicious, high confidence, a variant of WinGo, CLASSIC, moderate, score, Detected, Sabsik, LummaC2, R666374, WinGo)
md5 3a408188540d593a618c37ff3b9fa378
sha256 883170fb01d121dd32d3de0c16f987429da0cf1d137e3ce6a92fef44947ae53a
ssdeep 98304:YTMOT3y46FsiZLgYkQlCOzOwEzN0Rpwro:w6JZLgpQlCsOjNP
imphash 4f2f006e2ecf7172ad368f8289dc96c1
impfuzzy 24:ibVjh9wO+VuT7boVaXOr6kwmDgUPMztxdEr6tP:AwO+VUjXOmokx0oP

Signature (2cnts)

Level Description
watch File has been identified by 12 AntiVirus engines on VirusTotal as malicious
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (9cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (upload)
info DllRegisterServer_Zero execute regsvr32.exe binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0xede380 WriteFile
 0xede384 WriteConsoleW
 0xede388 WerSetFlags
 0xede38c WerGetFlags
 0xede390 WaitForMultipleObjects
 0xede394 WaitForSingleObject
 0xede398 VirtualQuery
 0xede39c VirtualFree
 0xede3a0 VirtualAlloc
 0xede3a4 TlsAlloc
 0xede3a8 SwitchToThread
 0xede3ac SuspendThread
 0xede3b0 SetWaitableTimer
 0xede3b4 SetUnhandledExceptionFilter
 0xede3b8 SetProcessPriorityBoost
 0xede3bc SetEvent
 0xede3c0 SetErrorMode
 0xede3c4 SetConsoleCtrlHandler
 0xede3c8 ResumeThread
 0xede3cc RaiseFailFastException
 0xede3d0 PostQueuedCompletionStatus
 0xede3d4 LoadLibraryW
 0xede3d8 LoadLibraryExW
 0xede3dc SetThreadContext
 0xede3e0 GetThreadContext
 0xede3e4 GetSystemInfo
 0xede3e8 GetSystemDirectoryA
 0xede3ec GetStdHandle
 0xede3f0 GetQueuedCompletionStatusEx
 0xede3f4 GetProcessAffinityMask
 0xede3f8 GetProcAddress
 0xede3fc GetErrorMode
 0xede400 GetEnvironmentStringsW
 0xede404 GetCurrentThreadId
 0xede408 GetConsoleMode
 0xede40c FreeEnvironmentStringsW
 0xede410 ExitProcess
 0xede414 DuplicateHandle
 0xede418 CreateWaitableTimerExW
 0xede41c CreateThread
 0xede420 CreateIoCompletionPort
 0xede424 CreateFileA
 0xede428 CreateEventA
 0xede42c CloseHandle
 0xede430 AddVectoredExceptionHandler

EAT(Export Address Table) is none

Similarity measure (PE file only)