popup

Report - random.exe

Emotet UPX Malicious Library PE File PE64 .NET EXE PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.03.16 09:19 Machine s1_win7_x6401
Filename random.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
7
 Behavior Score
10.8
ZERO API file : malware
VT API (file) 52 detected (Common, Khalesi, Malicious, score, Ghanarava, Unsafe, Mint, Zard, confidence, 100%, Cobalt, high confidence, CoinMiner, AGen, MalwareX, qnpu, kwacqi, Kryptik@AI, RDML, 7lCorl7H3DbvKpUxW0nQiQ, ucbcs, moderate, Static AI, Suspicious PE, Detected, ApplicUnwnt@#2zxvi8rxepqxv, Phonzy, ABTrojan, MHGY, Artemis, ZenMateVPN, R002H09C925, Iajl, susgen, PossibleThreat, qlix)
md5 6bbb3762b42f726dfc7c98e82828503e
sha256 8485d594346a4e1f7130ff9df286d01aaed2fd1b3954dbfd99d2c32f2641dc4f
ssdeep 12288:UdZ0kOMs+sFHLoE1X3MoAisNCtg+k2DAEJXRQSL4uxSKp6EvuBl+:YSxh+U7dMoBMeg+k2DAP6qKR2l
imphash c695b535738160caff17869fc0fadb08
impfuzzy 3:oTEKCROXvbsWBJAEPwsgqRlbsS9KTXzhAXwEQaxRGU0QZoWbW7uRWYNJlKS9JAwm:omRgdBJAEgqlb7GDzyRNLbGer9Owm
  Network IP location

Signature (23cnts)

Level Description
danger File has been identified by 52 AntiVirus engines on VirusTotal as malicious
watch Checks the presence of IDE drives in the registry
watch Creates an executable file in a user folder
watch Detects VirtualBox through the presence of a device
watch Detects VirtualBox through the presence of a file
watch Detects VirtualBox through the presence of a registry key
watch Detects VMWare through the presence of a registry key
watch Detects VMWare through the presence of various files
watch Drops a binary and executes it
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (9cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE64 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x4bbec8 RegCloseKey
KERNEL32.DLL
 0x4bbed8 LoadLibraryA
 0x4bbee0 CopyContext
 0x4bbee8 GetProcAddress
 0x4bbef0 VirtualProtect
msvcrt.dll
 0x4bbf00 exit
RPCRT4.dll
 0x4bbf10 UuidCreate
SHELL32.dll
 0x4bbf20 SHGetFolderPathA
SHLWAPI.dll
 0x4bbf30 PathFindFileNameA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure