Report - Dpose.exe

Generic Malware Malicious Library Antivirus UPX PE File PE32 OS Processor Check
Created 2025.02.24 12:10 Machine s1_win7_x6401
Filename Dpose.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 3.8
ZERO API file : malware
VT API (file) 58 detected (Common, SPPk, malicious, high confidence, Unsafe, Agz6, Attribute, HighConfidence, Filecoder, MalwareX, score, StopCrypt, kvqbvh, Bundler, Stop, CLASSIC, Nekark, dvyvl, Static AI, Suspicious PE, StartSurf, cwmd, Detected, ai score=86, JEKP, R692586, Artemis, BScope, TrojanBanker, ChePro, Cactus, FileCrypter, GdSda, Gencirc, Rh1Zuy+zhBw, LockFile, confidence)
md5 331031dc04a856a1f9116494fae27339
sha256 1a4b61f07e83bf7dbb860996f3d9c0953d61afb4ed5d39acac7563fd091298dc
ssdeep 12288:WjIYAaYXSsdwDP+OeO+OeNhBBhhBB6ulcZCIPCyOc9KnIIvHRWFRiUDjemFN4ask:WjIYAlXTw/rzIvHRnUjN4aMPsth309k
imphash d8a2b2b5ad092fdc7fca8d181f04a443
impfuzzy 48:FFT9XI029VwXxTviWa6GtIazVHe3z9FZ0OlOmK0ig/7gRN:FFTNI02rwXxT6Wa6GtIahH60kK0pSN

Signature (9cnts)

Level Description
danger File has been identified by 58 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
notice Allocates read-write-execute memory (usually to unpack itself)
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info This executable has a PDB path

Rules (7cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x48b02c CreateMutexW
 0x48b030 InitializeCriticalSectionEx
 0x48b034 FindClose
 0x48b038 WaitForSingleObject
 0x48b03c ReleaseMutex
 0x48b040 GetModuleHandleA
 0x48b044 OpenProcess
 0x48b048 HeapSize
 0x48b04c CreateToolhelp32Snapshot
 0x48b050 CreateEventW
 0x48b054 Sleep
 0x48b058 GetTempPathA
 0x48b05c FormatMessageW
 0x48b060 CopyFileA
 0x48b064 GetLastError
 0x48b068 Process32NextW
 0x48b06c SetEvent
 0x48b070 TerminateThread
 0x48b074 TlsAlloc
 0x48b078 Process32FirstW
 0x48b07c LeaveCriticalSection
 0x48b080 CloseHandle
 0x48b084 RaiseException
 0x48b088 ResetEvent
 0x48b08c HeapAlloc
 0x48b090 QueueUserAPC
 0x48b094 DecodePointer
 0x48b098 GetProcAddress
 0x48b09c LocalFree
 0x48b0a0 DeleteCriticalSection
 0x48b0a4 GetProcessHeap
 0x48b0a8 CreateProcessW
 0x48b0ac WideCharToMultiByte
 0x48b0b0 SleepEx
 0x48b0b4 TlsGetValue
 0x48b0b8 TlsFree
 0x48b0bc FormatMessageA
 0x48b0c0 IsDebuggerPresent
 0x48b0c4 WriteConsoleW
 0x48b0c8 CreateFileW
 0x48b0cc SetStdHandle
 0x48b0d0 InitializeCriticalSectionAndSpinCount
 0x48b0d4 WaitForMultipleObjects
 0x48b0d8 GetModuleFileNameW
 0x48b0dc TerminateProcess
 0x48b0e0 GetCurrentProcess
 0x48b0e4 FindNextFileW
 0x48b0e8 EnterCriticalSection
 0x48b0ec HeapFree
 0x48b0f0 TlsSetValue
 0x48b0f4 HeapReAlloc
 0x48b0f8 FindFirstFileW
 0x48b0fc SetEnvironmentVariableA
 0x48b100 FreeEnvironmentStringsW
 0x48b104 GetEnvironmentStringsW
 0x48b108 GetOEMCP
 0x48b10c IsValidCodePage
 0x48b110 FindNextFileA
 0x48b114 FindFirstFileExA
 0x48b118 SetFilePointerEx
 0x48b11c SetLastError
 0x48b120 QueryPerformanceCounter
 0x48b124 QueryPerformanceFrequency
 0x48b128 WaitForSingleObjectEx
 0x48b12c GetCurrentThreadId
 0x48b130 GetNativeSystemInfo
 0x48b134 InitializeConditionVariable
 0x48b138 WakeConditionVariable
 0x48b13c WakeAllConditionVariable
 0x48b140 SleepConditionVariableCS
 0x48b144 SleepConditionVariableSRW
 0x48b148 InitializeSRWLock
 0x48b14c ReleaseSRWLockExclusive
 0x48b150 AcquireSRWLockExclusive
 0x48b154 TryEnterCriticalSection
 0x48b158 GetSystemTimeAsFileTime
 0x48b15c GetModuleHandleW
 0x48b160 EncodePointer
 0x48b164 MultiByteToWideChar
 0x48b168 LCMapStringEx
 0x48b16c GetStringTypeW
 0x48b170 GetCPInfo
 0x48b174 OutputDebugStringW
 0x48b178 InitializeSListHead
 0x48b17c IsProcessorFeaturePresent
 0x48b180 UnhandledExceptionFilter
 0x48b184 SetUnhandledExceptionFilter
 0x48b188 GetStartupInfoW
 0x48b18c GetCurrentProcessId
 0x48b190 RtlUnwind
 0x48b194 InterlockedPushEntrySList
 0x48b198 FreeLibrary
 0x48b19c LoadLibraryExW
 0x48b1a0 CreateThread
 0x48b1a4 ExitThread
 0x48b1a8 FreeLibraryAndExitThread
 0x48b1ac GetModuleHandleExW
 0x48b1b0 ExitProcess
 0x48b1b4 GetModuleFileNameA
 0x48b1b8 GetStdHandle
 0x48b1bc WriteFile
 0x48b1c0 GetCommandLineA
 0x48b1c4 GetCommandLineW
 0x48b1c8 GetACP
 0x48b1cc GetFileType
 0x48b1d0 CompareStringW
 0x48b1d4 LCMapStringW
 0x48b1d8 GetLocaleInfoW
 0x48b1dc IsValidLocale
 0x48b1e0 GetUserDefaultLCID
 0x48b1e4 EnumSystemLocalesW
 0x48b1e8 FlushFileBuffers
 0x48b1ec GetConsoleCP
 0x48b1f0 GetConsoleMode
 0x48b1f4 DeleteFileW
 0x48b1f8 MoveFileExW
 0x48b1fc ReadFile
 0x48b200 ReadConsoleW
 0x48b204 SetEndOfFile
USER32.dll
 0x48b214 wsprintfW
ADVAPI32.dll
 0x48b000 LookupPrivilegeValueW
 0x48b004 AdjustTokenPrivileges
 0x48b008 RegCloseKey
 0x48b00c RegGetValueA
 0x48b010 RegCreateKeyExW
 0x48b014 RegSetValueExW
 0x48b018 OpenProcessToken
 0x48b01c RegOpenKeyExW
 0x48b020 RegCreateKeyW
 0x48b024 RegQueryValueExW
SHELL32.dll
 0x48b20c SHGetKnownFolderPath
ole32.dll
 0x48b238 CoTaskMemFree
WS2_32.dll
 0x48b21c WSACleanup
 0x48b220 WSAStartup
crypt.dll
 0x48b228 BCryptOpenAlgorithmProvider
 0x48b22c BCryptGenRandom
 0x48b230 BCryptCloseAlgorithmProvider

EAT(Export Address Table) is none
