Report - belarus.sct

Malicious Packer

ScreenShot

Info
Location map


Created	2021.04.02 16:15	Machine	s1_win7_x6402
Filename	belarus.sct
Type	XML document, ASCII text, with very long lines, with CRLF line terminators
AI Score	Not founds	Behavior Score	2.8
ZERO API	file : clean
VT API (file)	11 detected (Save, Squiblydoo, iacgm, Crypted, Wacatac, Malicious, score, qexvmc)
md5	6918c92ea578f2f6ce018b84670abcb3
sha256	20ea5dc760f248fd7c2344dce8fe41f9b132424dbf84dd1cc88aa7244a60f33f
ssdeep	6144:eMgPlxKRFYEkS2FgQWATRSPlxYnOeG8e68hVldL+H4e66RZb9:eMgPyFY2WXxSPwnOVKCVlS689
imphash
impfuzzy

Network IP location

Signature (6cnts)

Level	Description
watch	Communicates with host for which no DNS query was performed
watch	File has been identified by 11 AntiVirus engines on VirusTotal as malicious
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Yara rule detected in process memory
info	Checks amount of memory in system

Rules (14cnts)

Level	Name	Description	Collection
watch	Malicious_Packer_Zero	Malicious Packer	binaries (upload)
notice	anti_vm_detect	Possibly employs anti-virtualization techniques	binaries (upload)
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory
info	screenshot	Take screenshot	memory
info	win_files_operation	Affect private profile	memory
info	win_registry	Affect system registries	memory
info	win_token	Affect system token	memory

Network (0cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure