popup

Report - random.exe

Themida UPX PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.01.13 16:08 Machine s1_win7_x6403
Filename random.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
10
 Behavior Score
7.8
ZERO API
VT API (file) 35 detected (AIDetectMalware, Themida, Malicious, score, Ghanarava, Unsafe, confidence, VenomRAT, Attribute, HighConfidence, high confidence, CLOUD, AGEN, Real Protect, high, Static AI, Malicious PE, Detected, Vidar, Eldorado, Amadey, Probably Heur, ExeHeaderL, Deyma, susgen)
md5 38a3db1b2362bfb8e0e0537f4299796a
sha256 5e8d457a37ad2335f9ebddf695bd870f4222e943d2e747d66689fe86070e262a
ssdeep 49152:MspG5MAzgqvijHN9PEx7fH5ppYzNRTWDd00p:Mspavij3PQfHq2
imphash 2eabe9054cad5152567f0699947a2c5b
impfuzzy 3:sBv:A
  Network IP location

Signature (17cnts)

Level Description
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
watch Checks for the presence of known devices from debuggers and forensic tools
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the version of Bios
watch Communicates with host for which no DNS query was performed
watch Detects VMWare through the in instruction feature
watch Network activity contains more than one unique useragent
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
warning themida_packer themida packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (7cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
whois
US GTT Communications Inc. 184.27.185.80
https://steamcommunity.com/profiles/76561199816275252
whois
US Akamai International B.V. 104.76.74.15
t.me
whois
GB Telegram Messenger Inc 149.154.167.99
steamcommunity.com
whois
US AKAMAI-AS 23.49.154.73
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99
104.76.74.15
whois
US Akamai International B.V. 104.76.74.15
49.12.115.0
whois
DE Hetzner Online GmbH 49.12.115.0

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x457034 lstrcpy

EAT(Export Address Table) Library

0x424b28 _UnhandledExceptionFilter@4

Similarity measure (PE file only) - Checking for service failure