Report - 2paodhpl52.exe

Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus Anti_VM PE File PE64 DLL OS Processor Check ftp wget DllRegisterServer dll
Created 2025.04.03 10:09 Machine s1_win7_x6401
Filename 2paodhpl52.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score: Not found
Behavior Score: 3.2
ZERO API file: clean
VT API (file) 40 detected (AIDetectMalware, Nuitka, Malicious, score, Ghanarava, Unsafe, confidence, 100%, high confidence, a variant of Python, Y suspicious, Disco, Generic Reputation PUA, Static AI, Suspicious PE, Detected, Sabsik, ABApplication, BTNA, Artemis, Python, QQPass, QQRob, Kflw, susgen, AGen)
md5 7b5f98de297dfb4e0430e04d806f641b
sha256 a85112eb95fdabb423f95ec3d4dbdeee8c5b262d3ac1d6013ff1e6fc03b9f9ba
ssdeep 393216:N9zZmHIWR5xhwNNiSaJ/PGlux5Pre2LNINriLgC:NE6NN6J3GI5P5KrY
imphash ae21233514eb2e47a60a61ce2f15abb9
impfuzzy 48:p8XOst9nR3nZ+kNPlslEJGp6qJ8k3k1vkqqyesXh:eXdth9nZrNPlYEJGph6k3mkqqh2
No network connection information

Signature (6cnts)

Level Description
danger File has been identified by 40 AntiVirus engines on VirusTotal as malicious
watch Drops a binary and executes it
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system

Rules (18cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info ftp_command ftp command binaries (download)
info IsDLL (no description) binaries (download)
info IsPE64 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info wget_command wget command binaries (download)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x14004a378 CloseHandle
 0x14004a380 CopyFileW
 0x14004a388 CreateDirectoryW
 0x14004a390 CreateFileMappingW
 0x14004a398 CreateFileW
 0x14004a3a0 CreateProcessW
 0x14004a3a8 DeleteCriticalSection
 0x14004a3b0 DeleteFileW
 0x14004a3b8 EnterCriticalSection
 0x14004a3c0 FindResourceA
 0x14004a3c8 FormatMessageA
 0x14004a3d0 FreeLibrary
 0x14004a3d8 GenerateConsoleCtrlEvent
 0x14004a3e0 GetCommandLineW
 0x14004a3e8 GetCurrentProcessId
 0x14004a3f0 GetEnvironmentVariableW
 0x14004a3f8 GetExitCodeProcess
 0x14004a400 GetFileAttributesW
 0x14004a408 GetFileSize
 0x14004a410 GetLastError
 0x14004a418 GetModuleFileNameW
 0x14004a420 GetModuleHandleA
 0x14004a428 GetProcAddress
 0x14004a430 GetProcessId
 0x14004a438 GetStartupInfoW
 0x14004a440 GetStdHandle
 0x14004a448 GetSystemTimeAsFileTime
 0x14004a450 GetTempPathW
 0x14004a458 InitializeCriticalSection
 0x14004a460 IsDBCSLeadByteEx
 0x14004a468 LeaveCriticalSection
 0x14004a470 LoadLibraryA
 0x14004a478 LoadResource
 0x14004a480 LockResource
 0x14004a488 MapViewOfFile
 0x14004a490 MultiByteToWideChar
 0x14004a498 ReadFile
 0x14004a4a0 SetConsoleCtrlHandler
 0x14004a4a8 SetEnvironmentVariableW
 0x14004a4b0 SetUnhandledExceptionFilter
 0x14004a4b8 SizeofResource
 0x14004a4c0 Sleep
 0x14004a4c8 TerminateProcess
 0x14004a4d0 TlsGetValue
 0x14004a4d8 UnmapViewOfFile
 0x14004a4e0 VirtualProtect
 0x14004a4e8 VirtualQuery
 0x14004a4f0 WaitForSingleObject
 0x14004a4f8 WideCharToMultiByte
 0x14004a500 WriteFile
msvcrt.dll
 0x14004a510 __C_specific_handler
 0x14004a518 ___lc_codepage_func
 0x14004a520 ___mb_cur_max_func
 0x14004a528 __iob_func
 0x14004a530 __set_app_type
 0x14004a538 __setusermatherr
 0x14004a540 __wargv
 0x14004a548 __wgetmainargs
 0x14004a550 __winitenv
 0x14004a558 _amsg_exit
 0x14004a560 _cexit
 0x14004a568 _commode
 0x14004a570 _errno
 0x14004a578 _fmode
 0x14004a580 _initterm
 0x14004a588 _lock
 0x14004a590 _onexit
 0x14004a598 _unlock
 0x14004a5a0 _wcmdln
 0x14004a5a8 _wcsdup
 0x14004a5b0 _wcsicmp
 0x14004a5b8 _wrename
 0x14004a5c0 abort
 0x14004a5c8 calloc
 0x14004a5d0 exit
 0x14004a5d8 fprintf
 0x14004a5e0 fputc
 0x14004a5e8 free
 0x14004a5f0 fwrite
 0x14004a5f8 localeconv
 0x14004a600 malloc
 0x14004a608 mbstowcs
 0x14004a610 memcpy
 0x14004a618 memmove
 0x14004a620 memset
 0x14004a628 puts
 0x14004a630 signal
 0x14004a638 strerror
 0x14004a640 strlen
 0x14004a648 strncmp
 0x14004a650 vfprintf
 0x14004a658 wcschr
 0x14004a660 wcscmp
 0x14004a668 wcslen
 0x14004a670 wcsncmp
SHELL32.dll
 0x14004a680 CommandLineToArgvW
 0x14004a688 SHFileOperationW
 0x14004a690 SHGetFolderPathW

EAT (Export Address Table): none