Xcitium Cloud Verdict

Packer

The binary likely contains encrypted or compressed data. Show sources

packer_section

name: UPX1, entropy: 7.90, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000ae00, virtual_size: 0x0000b000

The executable is compressed using UPX Show sources

packer_section

name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00016000

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x00000000, length: 0x00000007
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x00000000, length: 0x00002000
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x00000007, length: 0x0003fff0
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x00001ff0, length: 0x00002000
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x00003fe0, length: 0x00002000
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x00005fd0, length: 0x00002000
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x00007fc0, length: 0x00002000
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x00009fb0, length: 0x00002000
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x0000bfa0, length: 0x00002000
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x0000ce00, length: 0x00000037
api_process_name	process: 6ff269608201a97017590f0b7cc0081ad286ba3e.exe, pid: 2640, offset: 0x0000ce14, length: 0x0030c1d9

Data Obfuscation

Drops a binary and executes it Show sources

file_dropped

C:\Users\user\AppData\Local\Temp\RarSFX0\LOADER.EXE

File Name: Instalar.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

SHA1: 6ff269608201a97017590f0b7cc0081ad286ba3e

MD5: eb2906a84808343685b26df16297d100