ScreenShot
| Created | 2021.04.09 16:58 | Machine | s1_win7_x6402 |
| Filename | 10r3.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 26 detected (malicious, high confidence, Razy, Bazar, Wacapew, Zenpak, FileRepMetagen, CLOUD, CoinMiner, ai score=86, kcloud, Wacatac, score, Bazarcall, PossibleThreat, confidence, HgEASSYA) | ||
| md5 | ffdff96a587983deae1c67bb1299b004 | ||
| sha256 | 536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959 | ||
| ssdeep | 3072:WsuSnuXytaiXqILGXV/Lao5nekWoTwfAixq3C:fuSnuXyDGXVTao4kWZpxqy | ||
| imphash | bf8338aa9f07a8242c78c62743e9832c | ||
| impfuzzy | 12:feCqZYPXJ1XJMzFizHtroNypcMwQoOu3kyIJngTpI1uh:fegL6zFytrMMVLyTpNh | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14000e028 HeapFree
0x14000e030 lstrcpynA
0x14000e038 GetEnvironmentStrings
0x14000e040 VirtualProtect
0x14000e048 GetProcessHeap
0x14000e050 GetCurrentProcess
0x14000e058 SetUnhandledExceptionFilter
0x14000e060 UnhandledExceptionFilter
0x14000e068 RtlVirtualUnwind
0x14000e070 RtlLookupFunctionEntry
0x14000e078 RtlCaptureContext
0x14000e080 HeapAlloc
0x14000e088 VirtualAlloc
0x14000e090 VirtualFree
0x14000e098 TerminateProcess
0x14000e0a0 IsProcessorFeaturePresent
USER32.dll
0x14000e0e0 GetSystemMenu
0x14000e0e8 ImpersonateDdeClientWindow
0x14000e0f0 EnumDisplayMonitors
ole32.dll
0x14000e100 HENHMETAFILE_UserFree
0x14000e108 CoFreeUnusedLibrariesEx
GDI32.dll
0x14000e000 GdiFlush
0x14000e008 D3DKMTCloseAdapter
0x14000e010 D3DKMTQueryAllocationResidency
0x14000e018 D3DKMTCheckMultiPlaneOverlaySupport
SHELL32.dll
0x14000e0b0 SHInvokePrinterCommandA
0x14000e0b8 SHGetIDListFromObject
0x14000e0c0 None
0x14000e0c8 None
0x14000e0d0 SHGetFolderPathW
EAT(Export Address Table) Library
KERNEL32.dll
0x14000e028 HeapFree
0x14000e030 lstrcpynA
0x14000e038 GetEnvironmentStrings
0x14000e040 VirtualProtect
0x14000e048 GetProcessHeap
0x14000e050 GetCurrentProcess
0x14000e058 SetUnhandledExceptionFilter
0x14000e060 UnhandledExceptionFilter
0x14000e068 RtlVirtualUnwind
0x14000e070 RtlLookupFunctionEntry
0x14000e078 RtlCaptureContext
0x14000e080 HeapAlloc
0x14000e088 VirtualAlloc
0x14000e090 VirtualFree
0x14000e098 TerminateProcess
0x14000e0a0 IsProcessorFeaturePresent
USER32.dll
0x14000e0e0 GetSystemMenu
0x14000e0e8 ImpersonateDdeClientWindow
0x14000e0f0 EnumDisplayMonitors
ole32.dll
0x14000e100 HENHMETAFILE_UserFree
0x14000e108 CoFreeUnusedLibrariesEx
GDI32.dll
0x14000e000 GdiFlush
0x14000e008 D3DKMTCloseAdapter
0x14000e010 D3DKMTQueryAllocationResidency
0x14000e018 D3DKMTCheckMultiPlaneOverlaySupport
SHELL32.dll
0x14000e0b0 SHInvokePrinterCommandA
0x14000e0b8 SHGetIDListFromObject
0x14000e0c0 None
0x14000e0c8 None
0x14000e0d0 SHGetFolderPathW
EAT(Export Address Table) Library