ScreenShot
| Created | 2021.04.16 18:08 | Machine | s1_win7_x6401 |
| Filename | TinyTake_v_5_2_19.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 13 detected (malicious, high confidence, Unsafe, MdeClass, ET#77%, RDMK, cmRtazrfphQBIiuXBGJXy8DkQRfP, Static AI, Malicious PE, score, ZexaF, @VX@aWW3dae, InvalidSig) | ||
| md5 | 6f6ef1b4659a3e4724c20f551541161b | ||
| sha256 | 1323a36dcdb2fb1d4b3db599aae14d129abb52ab35f92c1b63cae9eda4c143bb | ||
| ssdeep | 196608:5KWsXRNhZ2kwvBuworNg7US1iuFjo5/dGTFdMS6:knRcg0d7MS6 | ||
| imphash | 898d2213a85b483d34c574804fb124bd | ||
| impfuzzy | 12:oHQZpQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:YmpQ58QtXJHc9NDI5Q8 | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
| watch | Network activity contains more than one unique useragent |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
PE API
IAT(Import Address Table) Library
ADVAPI32.DLL
0xfeb000 GetUserNameW
KERNEL32.dll
0xfeb008 CreateThread
msvcrt.dll
0xfeb010 _strdup
msvcrt.dll
0xfeb018 __getmainargs
USER32.dll
0xfeb020 BeginPaint
WTSAPI32.dll
0xfeb028 WTSSendMessageW
KERNEL32.dll
0xfeb030 VirtualQuery
USER32.dll
0xfeb038 GetProcessWindowStation
KERNEL32.dll
0xfeb040 LocalAlloc
0xfeb044 LocalFree
0xfeb048 GetModuleFileNameW
0xfeb04c GetProcessAffinityMask
0xfeb050 SetProcessAffinityMask
0xfeb054 SetThreadAffinityMask
0xfeb058 Sleep
0xfeb05c ExitProcess
0xfeb060 FreeLibrary
0xfeb064 LoadLibraryA
0xfeb068 GetModuleHandleA
0xfeb06c GetProcAddress
USER32.dll
0xfeb074 GetProcessWindowStation
0xfeb078 GetUserObjectInformationW
EAT(Export Address Table) is none
ADVAPI32.DLL
0xfeb000 GetUserNameW
KERNEL32.dll
0xfeb008 CreateThread
msvcrt.dll
0xfeb010 _strdup
msvcrt.dll
0xfeb018 __getmainargs
USER32.dll
0xfeb020 BeginPaint
WTSAPI32.dll
0xfeb028 WTSSendMessageW
KERNEL32.dll
0xfeb030 VirtualQuery
USER32.dll
0xfeb038 GetProcessWindowStation
KERNEL32.dll
0xfeb040 LocalAlloc
0xfeb044 LocalFree
0xfeb048 GetModuleFileNameW
0xfeb04c GetProcessAffinityMask
0xfeb050 SetProcessAffinityMask
0xfeb054 SetThreadAffinityMask
0xfeb058 Sleep
0xfeb05c ExitProcess
0xfeb060 FreeLibrary
0xfeb064 LoadLibraryA
0xfeb068 GetModuleHandleA
0xfeb06c GetProcAddress
USER32.dll
0xfeb074 GetProcessWindowStation
0xfeb078 GetUserObjectInformationW
EAT(Export Address Table) is none