ScreenShot
| Created | 2021.04.02 09:45 | Machine | s1_win7_x6401 |
| Filename | r.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 940e08782e5622986ca68e53220a47ce | ||
| sha256 | b5f8587f16630e50ea82e091dc2933bef0ccde97ba84b72e20d4310008e2a650 | ||
| ssdeep | 6144:aST677XMEF2w8DMdzYMQNjEHXux0yKuhXZGPvbhcTO:aO071FT8DgYTjay/toPvbhb | ||
| imphash | 4422cd285129af661d70fbc1279af032 | ||
| impfuzzy | 3:swBJAEPwS9KTXzhAXwEQaxRAAbsEBJJ67EGV21MO/GmSObuE9zbWzJdYpKSOgRNg:dBJAEHGDzyRlbRmVOZ/Gm3LVbSA/riX | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
Rules (1cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x495c84 LoadLibraryA
0x495c88 GetProcAddress
0x495c8c VirtualProtect
0x495c90 VirtualAlloc
0x495c94 VirtualFree
0x495c98 ExitProcess
COMDLG32.dll
0x495ca0 GetOpenFileNameW
SHELL32.dll
0x495ca8 SHGetMalloc
SHLWAPI.dll
0x495cb0 PathCompactPathExW
USER32.dll
0x495cb8 SetTimer
EAT(Export Address Table) is none
KERNEL32.DLL
0x495c84 LoadLibraryA
0x495c88 GetProcAddress
0x495c8c VirtualProtect
0x495c90 VirtualAlloc
0x495c94 VirtualFree
0x495c98 ExitProcess
COMDLG32.dll
0x495ca0 GetOpenFileNameW
SHELL32.dll
0x495ca8 SHGetMalloc
SHLWAPI.dll
0x495cb0 PathCompactPathExW
USER32.dll
0x495cb8 SetTimer
EAT(Export Address Table) is none