Summary

51b75cfa31f65419_perfhost.exe

File 51b75cfa31f65419_perfhost.exe

Summary
Download Resubmit sample

Size 1.4MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 2a129bea78e2c1530755efc0ccd30298
SHA1 c33dbc22f3b0b94e05989fef988b99c2a42a2637
SHA256 51b75cfa31f65419e4208f6975b3f1749da2f9ad3094b787c53c5f444d2c9390
SHA512
3b5dae9775baa4fd8019afae995586aca25e19e259955d46253883c9507e2fa72cf1567a1182033b24c7124e525df8e79c56e5ab2060cac8b4926b333656aac5
CRC32 8819A44E
ssdeep None
PDB Path PerfHost.pdb
Yara None matched

Score

This file is very suspicious, with a score of 9.4 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

Parent_Task_ID:6432968

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
FILE May 11, 2025, 4:11 a.m. May 11, 2025, 4:17 a.m. 368 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2025-05-05 11:35:09,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpblqbwr
2025-05-05 11:35:09,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\gatpRWauYyltJvmRsBJbufD
2025-05-05 11:35:09,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\BeQBwmSVETWIsGSVCQVL
2025-05-05 11:35:09,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-05-05 11:35:09,030 [analyzer] INFO: Automatically selected analysis package "exe"
2025-05-05 11:35:09,312 [analyzer] DEBUG: Started auxiliary module Curtain
2025-05-05 11:35:09,312 [analyzer] DEBUG: Started auxiliary module DbgView
2025-05-05 11:35:09,828 [analyzer] DEBUG: Started auxiliary module Disguise
2025-05-05 11:35:10,030 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-05-05 11:35:10,030 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-05-05 11:35:10,030 [analyzer] DEBUG: Started auxiliary module Human
2025-05-05 11:35:10,030 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-05-05 11:35:10,030 [analyzer] DEBUG: Started auxiliary module Reboot
2025-05-05 11:35:10,108 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-05-05 11:35:10,108 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-05-05 11:35:10,125 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-05-05 11:35:10,125 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-05-05 11:35:10,265 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\51b75cfa31f65419_perfhost.exe' with arguments '' and pid 1112
2025-05-05 11:35:10,453 [analyzer] DEBUG: Loaded monitor into process with pid 1112
2025-05-05 11:35:10,562 [analyzer] INFO: Added new file to list with pid 1112 and path C:\Users\Administrator\AppData\Roaming\404f86c457de1864.bin
2025-05-05 11:35:11,265 [analyzer] INFO: Process with pid 1112 has terminated
2025-05-05 11:35:11,265 [analyzer] INFO: Process list is empty, terminating analysis.
2025-05-05 11:35:12,421 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-05-05 11:35:12,437 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-05-11 04:11:23,338 [cuckoo.core.scheduler] INFO: Task #6433607: acquired machine win7x6418 (label=win7x6418)
2025-05-11 04:11:23,339 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.218 for task #6433607
2025-05-11 04:11:23,577 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3399694 (interface=vboxnet0, host=192.168.168.218)
2025-05-11 04:11:24,864 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6418
2025-05-11 04:11:25,351 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6418 to vmcloak
2025-05-11 04:14:21,457 [cuckoo.core.guest] INFO: Starting analysis #6433607 on guest (id=win7x6418, ip=192.168.168.218)
2025-05-11 04:14:22,462 [cuckoo.core.guest] DEBUG: win7x6418: not ready yet
2025-05-11 04:14:27,487 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6418, ip=192.168.168.218)
2025-05-11 04:14:27,556 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6418, ip=192.168.168.218, monitor=latest, size=6660546)
2025-05-11 04:14:28,865 [cuckoo.core.resultserver] DEBUG: Task #6433607: live log analysis.log initialized.
2025-05-11 04:14:29,840 [cuckoo.core.resultserver] DEBUG: Task #6433607 is sending a BSON stream
2025-05-11 04:14:30,262 [cuckoo.core.resultserver] DEBUG: Task #6433607 is sending a BSON stream
2025-05-11 04:14:31,099 [cuckoo.core.resultserver] DEBUG: Task #6433607: File upload for 'shots/0001.jpg'
2025-05-11 04:14:31,115 [cuckoo.core.resultserver] DEBUG: Task #6433607 uploaded file length: 133490
2025-05-11 04:14:32,213 [cuckoo.core.resultserver] DEBUG: Task #6433607: File upload for 'curtain/1746437712.33.curtain.log'
2025-05-11 04:14:32,217 [cuckoo.core.resultserver] DEBUG: Task #6433607 uploaded file length: 36
2025-05-11 04:14:32,299 [cuckoo.core.resultserver] DEBUG: Task #6433607: File upload for 'sysmon/1746437712.42.sysmon.xml'
2025-05-11 04:14:32,302 [cuckoo.core.resultserver] DEBUG: Task #6433607 uploaded file length: 86186
2025-05-11 04:14:32,305 [cuckoo.core.resultserver] DEBUG: Task #6433607: File upload for 'files/97a4af0738a62bcc_404f86c457de1864.bin'
2025-05-11 04:14:32,307 [cuckoo.core.resultserver] DEBUG: Task #6433607 uploaded file length: 12320
2025-05-11 04:14:33,183 [cuckoo.core.resultserver] DEBUG: Task #6433607 had connection reset for <Context for LOG>
2025-05-11 04:14:34,464 [cuckoo.core.guest] INFO: win7x6418: analysis completed successfully
2025-05-11 04:14:34,478 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-05-11 04:14:34,498 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-05-11 04:14:35,131 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6418 to path /srv/cuckoo/cwd/storage/analyses/6433607/memory.dmp
2025-05-11 04:14:35,132 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6418
2025-05-11 04:17:29,543 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.218 for task #6433607
2025-05-11 04:17:31,644 [cuckoo.core.scheduler] DEBUG: Released database task #6433607
2025-05-11 04:17:31,658 [cuckoo.core.scheduler] INFO: Task #6433607: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 421888
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
process_handle: 0xffffffff
1 0 0
Queries for the computername (2 events)
Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: ë»¯íº­
0 0

GetComputerNameW

 computer_name: YRKRCIHM
1 1 0
This executable has a PDB path (1 event)
pdb_path PerfHost.pdb
The file contains an unknown PE resource name possibly indicative of a packer (2 events)
resource name MUI
resource name WEVT_TEMPLATE
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
File has been identified by 11 AntiVirus engine on IRMA as malicious (11 events)
G Data Antivirus (Windows) Virus: Win32.Expiro.Gen.7 (Engine A)
Avast Core Security (Linux) Win32:Expiro-HG [Inf]
C4S ClamAV (Linux) Win.Malware.Expiro-9937504-0
WithSecure (Linux) Malware.W32/Infector.Gen
ESET Security (Windows) a variant of Win32/Expiro.NDP virus
Sophos Anti-Virus (Linux) W32/Moiva-A
DrWeb Antivirus (Linux) Win32.Expiro.153
ClamAV (Linux) Win.Malware.Expiro-9937504-0
Bitdefender Antivirus (Linux) Win32.Expiro.Gen.7
Kaspersky Standard (Windows) Virus.Win32.Moiva.a
Emsisoft Commandline Scanner (Windows) Win32.Expiro.Gen.7 (B)
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.