Xcitium Cloud Verdict

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: 496594c30db2456816e1acf7de35082c654be99a.exe, pid: 1488, offset: 0x00000000, length: 0x00001000
api_process_name	process: 496594c30db2456816e1acf7de35082c654be99a.exe, pid: 1488, offset: 0x00000080, length: 0x00000200

Networking

Attempts to connect to a dead IP:Port (2 unique times) Show sources

network_host_ip	185.254.240.73:80 (Japan)
network_host_ip	185.254.240.73:188 (Japan)

Packer

The binary likely contains encrypted or compressed data. Show sources

packer_section

name: f\x1f#\x1c/%\x13X, entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00008000, virtual_size: 0x00007fd4

Static Anomaly

Anomalous binary characteristics Show sources

static_pe_section_name

Unprintable characters found in section name

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Malware Analysis System Evasion

A process attempted to delay the analysis task. Show sources

api_process_name

496594c30db2456816e1acf7de35082c654be99a.exe tried to sleep 1103 seconds, actually delayed analysis time by 0 seconds

File Name: setup.exe

File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

SHA1: 496594c30db2456816e1acf7de35082c654be99a

MD5: bbfd8bb080208158050247626a5abcb2