Report - 3344.exe

UPX PE File PE64
Created 2024.12.19 08:47 Machine s1_win7_x6403
Filename 3344.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 6
Behavior Score 5.0
ZERO API file : clean
VT API (file) 56 detected (Common, Meterpreter, Malicious, score, Ghanarava, Artemis, Unsafe, V8m0, confidence, 100%, Attribute, HighConfidence, high confidence, MalwareX, kubrks, baL3ryrDOYN, nutfd, SWRORT, YXELKZ, Detected, ABTrojan, TQSS, Chgt, Lflw, ShellLoader, susgen)
md5 c2fd049f5e4af19811db14b28e1d9bdc
sha256 a908193949c9b3f45f3b409d4b28949014ae27e9bb1e962fd5e65ebbc97fb89e
ssdeep 3072:6Pm7brhtbDKROb953j/wmIIrXt8i8NI/FDjV/+1EdB/:6Pm7brhVWa953j/bIwXt8xEjV/+1EdB/
imphash 5b928a8f4e4a094efc0701738c18f7f0
impfuzzy 48:nlUMgmpeFRujjO9GXiX1PnNj+RJGk0AT4qTj6A:n2MgmKRujjO9GXiX1PNj+RJGy0qTjp

Signature (7cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
danger File has been identified by 56 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Manipulates memory of a non-child process indicative of process injection
watch Potential code injection by writing to the memory of another process
notice Changes read-write memory protection to read-execute (probably to avoid detection by never setting a region to RWX at once)
info One or more processes crashed
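The three memory signatures above (manipulating a non-child process, writing to another process's memory, and the read-write to read-execute flip) describe one staging pattern: a buffer is allocated RW, filled, flipped to RX, and a thread is pointed at it. The Python below is an added example for this page, not the sandbox's own signature code. It runs a small state machine over a constructed, Cuckoo-style API trace (TRACE, its PIDs, addresses and argument names are assumptions, not output from this run) and raises the same three kinds of alert, plus a fourth for a sloppier loader that asks for RWX up front.

```python
"""Flag the memory-staging pattern from the signature table: allocate RW,
flip to RX with VirtualProtect (never RWX), then point a thread at it.
Added example for this page, not the sandbox's own signature code."""
from typing import Dict, List, Optional, Tuple

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = 0xF0  # PAGE_EXECUTE (0x10) .. PAGE_EXECUTE_WRITECOPY (0x80)


def is_exec(prot: int) -> bool:
    return bool(prot & EXEC_MASK)


# Constructed trace of (pid, api, args). Field names and values are
# assumptions modelled on a Cuckoo-style API log, not output from this run.
TRACE: List[Tuple[int, str, dict]] = [
    (1234, "VirtualAlloc", {"address": 0x20000, "size": 0x2000, "protection": PAGE_READWRITE}),
    (1234, "VirtualProtect", {"address": 0x20000, "size": 0x2000, "protection": PAGE_EXECUTE_READ}),
    (1234, "SuspendThread", {"thread_id": 5678}),
    (1234, "SetThreadContext", {"thread_id": 5678, "rip": 0x20010}),
    (1234, "ResumeThread", {"thread_id": 5678}),
    # A sloppier loader simply asks for RWX up front; flag that too.
    (1234, "VirtualAlloc", {"address": 0x30000, "size": 0x1000, "protection": PAGE_EXECUTE_READWRITE}),
]


def find_region(regions: Dict[Tuple[int, int], dict], pid: int, addr: int) -> Optional[Tuple[int, int]]:
    """Return the (pid, base) key of the tracked region containing addr, if any."""
    for (rpid, base), info in regions.items():
        if rpid == pid and base <= addr < base + info["size"]:
            return (rpid, base)
    return None


def analyze(trace: List[Tuple[int, str, dict]]) -> List[Tuple[str, int, int]]:
    """Return (rule, pid, region_base) alerts in the order they fire."""
    regions: Dict[Tuple[int, int], dict] = {}
    alerts: List[Tuple[str, int, int]] = []
    for pid, api, args in trace:
        if api == "VirtualAlloc":
            prot = args["protection"]
            regions[(pid, args["address"])] = {"size": args["size"], "prot": prot, "flipped": False}
            if prot == PAGE_EXECUTE_READWRITE:
                alerts.append(("rwx_alloc", pid, args["address"]))
        elif api == "VirtualProtect":
            key = find_region(regions, pid, args["address"])
            if key is None:
                continue  # protection change on memory we never saw allocated
            old, new = regions[key]["prot"], args["protection"]
            if not is_exec(old) and is_exec(new):
                # the "read-write to read-execute" signature: data became code
                alerts.append(("rw_to_rx", pid, key[1]))
                regions[key]["flipped"] = True
            regions[key]["prot"] = new
        elif api == "SetThreadContext":
            key = find_region(regions, pid, args["rip"])
            if key is not None and regions[key]["flipped"]:
                # instruction pointer redirected into the freshly staged region
                alerts.append(("thread_hijack_into_staged_region", pid, key[1]))
    return alerts


if __name__ == "__main__":
    for rule, pid, base in analyze(TRACE):
        print(f"{rule}: pid={pid} region=0x{base:x}")
```

The state is keyed on (pid, base) because the same address is meaningless across processes; a real implementation would also consume NtWriteVirtualMemory/WriteProcessMemory events keyed on the target pid, which is what turns "rw_to_rx" in one process into the "non-child process" alert the sandbox raised here.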

Rules (3cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
45.43.36.223 TW UCloud (HK) Holdings Group Limited 45.43.36.223 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x411358 AddVectoredExceptionHandler
 0x411360 CloseHandle
 0x411368 CreateEventA
 0x411370 CreateSemaphoreA
 0x411378 DeleteCriticalSection
 0x411380 DuplicateHandle
 0x411388 EnterCriticalSection
 0x411390 GetCurrentProcess
 0x411398 GetCurrentProcessId
 0x4113a0 GetCurrentThread
 0x4113a8 GetCurrentThreadId
 0x4113b0 GetHandleInformation
 0x4113b8 GetLastError
 0x4113c0 GetProcAddress
 0x4113c8 GetProcessAffinityMask
 0x4113d0 GetStartupInfoA
 0x4113d8 GetSystemTimeAsFileTime
 0x4113e0 GetThreadContext
 0x4113e8 GetThreadPriority
 0x4113f0 GetTickCount
 0x4113f8 InitializeCriticalSection
 0x411400 IsDebuggerPresent
 0x411408 LeaveCriticalSection
 0x411410 LoadLibraryA
 0x411418 OutputDebugStringA
 0x411420 QueryPerformanceCounter
 0x411428 RaiseException
 0x411430 ReleaseSemaphore
 0x411438 RemoveVectoredExceptionHandler
 0x411440 ResetEvent
 0x411448 ResumeThread
 0x411450 RtlAddFunctionTable
 0x411458 RtlCaptureContext
 0x411460 RtlLookupFunctionEntry
 0x411468 RtlVirtualUnwind
 0x411470 SetEvent
 0x411478 SetLastError
 0x411480 SetProcessAffinityMask
 0x411488 SetThreadContext
 0x411490 SetThreadPriority
 0x411498 SetUnhandledExceptionFilter
 0x4114a0 Sleep
 0x4114a8 SuspendThread
 0x4114b0 TerminateProcess
 0x4114b8 TlsAlloc
 0x4114c0 TlsGetValue
 0x4114c8 TlsSetValue
 0x4114d0 TryEnterCriticalSection
 0x4114d8 UnhandledExceptionFilter
 0x4114e0 VirtualAlloc
 0x4114e8 VirtualFree
 0x4114f0 VirtualProtect
 0x4114f8 VirtualQuery
 0x411500 WaitForMultipleObjects
 0x411508 WaitForSingleObject
msvcrt.dll
 0x411518 __C_specific_handler
 0x411520 __getmainargs
 0x411528 __initenv
 0x411530 __iob_func
 0x411538 __lconv_init
 0x411540 __set_app_type
 0x411548 __setusermatherr
 0x411550 _acmdln
 0x411558 _amsg_exit
 0x411560 _beginthreadex
 0x411568 _cexit
 0x411570 _endthreadex
 0x411578 _fileno
 0x411580 _fmode
 0x411588 _initterm
 0x411590 _onexit
 0x411598 _setjmp
 0x4115a0 _setmode
 0x4115a8 _strdup
 0x4115b0 _ultoa
 0x4115b8 abort
 0x4115c0 calloc
 0x4115c8 exit
 0x4115d0 fflush
 0x4115d8 fprintf
 0x4115e0 free
 0x4115e8 fwrite
 0x4115f0 longjmp
 0x4115f8 malloc
 0x411600 memcpy
 0x411608 memmove
 0x411610 memset
 0x411618 printf
 0x411620 realloc
 0x411628 signal
 0x411630 strlen
 0x411638 strncmp
 0x411640 vfprintf
USER32.dll
 0x411650 MessageBoxA

EAT (Export Address Table): none
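Two things are worth checking in the IAT above rather than taking the report at face value. First, the UPX_Zero rule is a static match, yet the listing is a fully populated MinGW-w64 style import table (the __getmainargs/_initterm/__C_specific_handler/RtlAddFunctionTable set), so it can be fed to the imphash algorithm and the result compared with the imphash on the page; if the page's listing is complete and in import-directory order the two must agree. Second, no WriteProcessMemory or OpenProcess is imported even though the sandbox saw cross-process writes, while LoadLibraryA and GetProcAddress are present, so the capability flags should account for runtime API resolution. The Python below is an added example, not the report's or the sample's own code: it parses the page's "address name" listing layout (IAT_EXCERPT is a constructed excerpt of the listing above; paste the full listing in its place), computes a pefile-style imphash (ordinal imports are not handled because the listing has none) and derives capability hints from API groups chosen for this example.

```python
"""Parse the report's IAT listing, compute the pefile-style imphash and
derive capability hints. Added example for this page, not the report's
own tooling; the API groups in CAPABILITIES are this example's choice."""
import hashlib
import re
from typing import List, Tuple

# Constructed excerpt in the page's own layout (DLL header line, then
# " address name" entries). Replace with the full listing to reproduce
# the page's imphash.
IAT_EXCERPT = """\
KERNEL32.dll
 0x411358 AddVectoredExceptionHandler
 0x4113c0 GetProcAddress
 0x4113e0 GetThreadContext
 0x411400 IsDebuggerPresent
 0x411410 LoadLibraryA
 0x411448 ResumeThread
 0x411488 SetThreadContext
 0x4114a8 SuspendThread
 0x4114e0 VirtualAlloc
 0x4114f0 VirtualProtect
msvcrt.dll
 0x411560 _beginthreadex
USER32.dll
 0x411650 MessageBoxA
"""

ENTRY = re.compile(r"^\s+0x[0-9a-fA-F]+\s+(\S+)\s*$")


def parse_iat(text: str) -> List[Tuple[str, str]]:
    """Return (dll, function) pairs in listing order."""
    imports: List[Tuple[str, str]] = []
    dll = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if m:
            if dll is None:
                raise ValueError("import entry before any DLL header")
            imports.append((dll, m.group(1)))
        else:
            dll = line.strip()  # unindented line is a DLL header
    return imports


def impstring(imports: List[Tuple[str, str]]) -> str:
    """Build the string pefile hashes: 'lib.func' pairs, lowercased,
    with .dll/.ocx/.sys stripped from the library name, comma-joined."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports: List[Tuple[str, str]]) -> str:
    return hashlib.md5(impstring(imports).encode()).hexdigest()


# API groups are this example's assumptions; each is a weak hint on its own.
CAPABILITIES = {
    "thread_context_hijack": {"SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "rw_then_rx_staging": {"VirtualAlloc", "VirtualProtect"},
    "runtime_api_resolution": {"LoadLibraryA", "GetProcAddress"},
}


def capabilities(imports: List[Tuple[str, str]]) -> List[str]:
    """Capability names whose whole API group is present in the IAT."""
    names = {func for _, func in imports}
    return sorted(cap for cap, needed in CAPABILITIES.items() if needed <= names)


if __name__ == "__main__":
    imps = parse_iat(IAT_EXCERPT)
    print(f"{len(imps)} imports, imphash {imphash(imps)}")
    print("capabilities:", ", ".join(capabilities(imps)))
```

When the imphash of the full listing differs from the one on the page, the listing is either truncated or reordered relative to the import directory; imphash is order-sensitive, which is also why it survives renames but not a relinked build.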
