ScreenShot
| Created | 2021.04.10 08:56 | Machine | s1_win7_x6401 |
| Filename | pixe-updater.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 31 detected (AIDetectVM, malware1, malicious, high confidence, GenericKD, ScriptSH, R002C0PK820, TrojanAitInject, GrayWare, Autoit, Execute, score, ai score=82, CLASSIC, susgen, PossibleThreat, confidence) | ||
| md5 | ba4658b682eba9d58ba10f74da68b5a5 | ||
| sha256 | c6b31af6aad49b0f8296d01b15e821f1821d585083bc7a2c55ccc4528844b0b0 | ||
| ssdeep | 24576:SBXu9HGaXlcekC612T/OeLXg7hzgkIFLS/CB:Sw9X2pH12T/OeLXuWtFLY | ||
| imphash | 712f4a29c405ecb576101d367b2180fb | ||
| impfuzzy | 12:ovKDHLdABZG/DzpM78r4B3ExjLAkcOaiTQQnd3mxCHH:HHLdC+DFM7PxExjLAkcOV2kn | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
| watch | Connects to an IRC server |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process pixe-updater.exe |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
Rules (22cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | network_smtp_raw | Communications smtp | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | escalate_priv | Escalade priviledges | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsConsole | (no description) | binaries (download) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | network_dns | Communications use DNS | binaries (download) |
| info | network_tcp_listen | Listen for incoming communication | binaries (download) |
| info | network_tcp_socket | Communications over RAW socket | binaries (download) |
| info | network_udp_sock | Communications over UDP network | binaries (download) |
| info | screenshot | Take screenshot | binaries (upload) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (download) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_token | Affect system token | binaries (download) |
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x53aab0 GetAce
COMCTL32.dll
0x53aab8 ImageList_Remove
COMDLG32.dll
0x53aac0 GetOpenFileNameW
GDI32.dll
0x53aac8 LineTo
IPHLPAPI.DLL
0x53aad0 IcmpSendEcho
KERNEL32.DLL
0x53aad8 LoadLibraryA
0x53aadc ExitProcess
0x53aae0 GetProcAddress
0x53aae4 VirtualProtect
MPR.dll
0x53aaec WNetUseConnectionW
ole32.dll
0x53aaf4 CoGetObject
OLEAUT32.dll
0x53aafc VariantInit
PSAPI.DLL
0x53ab04 GetProcessMemoryInfo
SHELL32.dll
0x53ab0c DragFinish
USER32.dll
0x53ab14 GetDC
USERENV.dll
0x53ab1c LoadUserProfileW
UxTheme.dll
0x53ab24 IsThemeActive
VERSION.dll
0x53ab2c VerQueryValueW
WININET.dll
0x53ab34 FtpOpenFileW
WINMM.dll
0x53ab3c timeGetTime
WSOCK32.dll
0x53ab44 connect
EAT(Export Address Table) is none
ADVAPI32.dll
0x53aab0 GetAce
COMCTL32.dll
0x53aab8 ImageList_Remove
COMDLG32.dll
0x53aac0 GetOpenFileNameW
GDI32.dll
0x53aac8 LineTo
IPHLPAPI.DLL
0x53aad0 IcmpSendEcho
KERNEL32.DLL
0x53aad8 LoadLibraryA
0x53aadc ExitProcess
0x53aae0 GetProcAddress
0x53aae4 VirtualProtect
MPR.dll
0x53aaec WNetUseConnectionW
ole32.dll
0x53aaf4 CoGetObject
OLEAUT32.dll
0x53aafc VariantInit
PSAPI.DLL
0x53ab04 GetProcessMemoryInfo
SHELL32.dll
0x53ab0c DragFinish
USER32.dll
0x53ab14 GetDC
USERENV.dll
0x53ab1c LoadUserProfileW
UxTheme.dll
0x53ab24 IsThemeActive
VERSION.dll
0x53ab2c VerQueryValueW
WININET.dll
0x53ab34 FtpOpenFileW
WINMM.dll
0x53ab3c timeGetTime
WSOCK32.dll
0x53ab44 connect
EAT(Export Address Table) is none