popup

Report - Bjkm5hE.exe

Vidar Themida UPX PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.02.10 16:18 Machine s1_win7_x6403
Filename Bjkm5hE.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
10
 Behavior Score
8.6
ZERO API file : malware
VT API (file) 44 detected (AIDetectMalware, Stealerc, Themida, Unsafe, Zusy, Save, malicious, confidence, 100%, high confidence, score, TrojanPSW, kvnrcp, CLASSIC, AGEN, Real Protect, high, Stealc, Static AI, Malicious PE, Vidar, Malware@#2tzaiwlvvn9qy, Vigorf, Detected, MalwareX, R691620, Probably Heur, ExeHeaderL, Gencirc)
md5 0f2e0a4daa819b94536f513d8bb3bfe2
sha256 8afc16be658f69754cc0654864ffed46c97a7558db0c39e0f2d5b870c1ff6e39
ssdeep 49152:kvigLTTxYy9dxaAc73z4PQqLiy1jhDMBhKwnq2:kvi6hYy7YAI3ziLZA6wq
imphash 2eabe9054cad5152567f0699947a2c5b
impfuzzy 3:sBv:A
  Network IP location

Signature (18cnts)

Level Description
danger File has been identified by 44 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Checks for the presence of known devices from debuggers and forensic tools
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the version of Bios
watch Communicates with host for which no DNS query was performed
watch Detects VMWare through the in instruction feature
watch Network activity contains more than one unique useragent
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
warning themida_packer themida packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://steamcommunity.com/profiles/76561199824159981
whois
US Akamai International B.V. 104.75.33.105 43856 mailcious
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
steamcommunity.com
whois
US Akamai International B.V. 104.76.74.15 mailcious
104.75.33.105
whois
US Akamai International B.V. 104.75.33.105 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
95.217.25.45
whois
FI Hetzner Online GmbH 95.217.25.45 mailcious

Suricata ids

ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x421035 lstrcpy

EAT(Export Address Table) Library

0x40f48a _UnhandledExceptionFilter@4

Similarity measure (PE file only) - Checking for service failure