ScreenShot
| Created | 2021.04.08 18:27 | Machine | s1_win7_x6402 |
| Filename | updatedata.exe | ||
| Type | MS-DOS executable, MZ for MS-DOS | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 27 detected (malicious, high confidence, GenericKD, Unsafe, Wacatac, TrojanPSW, Agensla, FileRepMalware, Blocker, CLOUD, Artemis, ai score=81, Ilgergop, BCALTY, Miner, InvalidSig, PossibleThreat, confidence) | ||
| md5 | 1e949d5238fbf2ade45c91bb54de22ea | ||
| sha256 | 01469064718c89b6853365f1c7008c72ccd6a1ecb88a52cfcf82880e39dd0358 | ||
| ssdeep | 6144:Mmrb/itFCWlItHUvApF2RFj9ChhPRA1xI05Wq8nWmnxa6Trtvdxo1HdP9vYc7R56:n7iuUvUF2JcpqcqqWmomtVK19Pqcl5e | ||
| imphash | caa5e6a2892587c2324418efee31c648 | ||
| impfuzzy | 6:nERGDm14CLPMeTc5suVMlEtiLWvGm3LKRgKLbBnaZr4BSo:EcDm1JL0eTQilnL6LKRgCor4BSo | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasModified_DOS_Message | DOS Message Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | screenshot | Take screenshot | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
| info | win_registry | Affect system registries | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32
0x14013e118 GetModuleHandleA
0x14013e120 GetProcAddress
WSOCK32.dll
0x14013e130 WSACleanup
WINMM.dll
0x14013e140 mixerOpen
VERSION.dll
0x14013e150 VerQueryValueW
COMCTL32.dll
0x14013e160 ImageList_Create
PSAPI.DLL
0x14013e170 GetModuleBaseNameW
USER32.dll
0x14013e180 GetDC
GDI32.dll
0x14013e190 BitBlt
COMDLG32.dll
0x14013e1a0 GetOpenFileNameW
ADVAPI32.dll
0x14013e1b0 RegCloseKey
SHELL32.dll
0x14013e1c0 DragFinish
ole32.dll
0x14013e1d0 CoGetObject
OLEAUT32.dll
0x14013e1e0 SafeArrayGetLBound
EAT(Export Address Table) is none
KERNEL32
0x14013e118 GetModuleHandleA
0x14013e120 GetProcAddress
WSOCK32.dll
0x14013e130 WSACleanup
WINMM.dll
0x14013e140 mixerOpen
VERSION.dll
0x14013e150 VerQueryValueW
COMCTL32.dll
0x14013e160 ImageList_Create
PSAPI.DLL
0x14013e170 GetModuleBaseNameW
USER32.dll
0x14013e180 GetDC
GDI32.dll
0x14013e190 BitBlt
COMDLG32.dll
0x14013e1a0 GetOpenFileNameW
ADVAPI32.dll
0x14013e1b0 RegCloseKey
SHELL32.dll
0x14013e1c0 DragFinish
ole32.dll
0x14013e1d0 CoGetObject
OLEAUT32.dll
0x14013e1e0 SafeArrayGetLBound
EAT(Export Address Table) is none