Field | Value
---|---
Created | 2021.04.23 18:59
Machine | s1_win7_x6401
Filename | mg20201223-1.exe
Type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
ZERO API | file : malware
VT API (file) | 58 detected (FsysnaAgentPTE, malicious, high confidence, SpyBot, GenericKD, Windigo, GenericRXMW, Unsafe, RanumBot, confidence, 100%, BCOB, Attribute, HighConfidence, a variant of WinGo, ihpkmp, Gencirc, R + Troj, Steal, Malware@#29k7207sblpub, GoCloudnet2, arvsg, SYFV, ai score=80, kcloud, Wacatac, Phonzy, trAI, score, R359997, TrojanSpyBot, CLOUD, 9whGXmiAsl8, susgen)
md5 | 0a13d106fa3997a0c911edd5aa0e147a
sha256 | 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af
ssdeep | 49152:jLqvVZ/eGM+wK8XY/IsL1i3dX5DJEe9kbTvbfGj4JF1P3KNsmewuuwEtJPcT3Vvq:jW9Re7qISi3dpDJMDF1P6/iF
imphash | 93a138801d9601e4c36e6274c8b9d111
impfuzzy | 24:UbVjhNwO+VuTnvYzoLtXOr6kwmDruMztir6UP:KwO+VIc+XOmG8nP
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Detects the presence of Wine emulator |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | escalate_priv | Escalate privileges | binaries (upload) |
info | IsConsole | (no description) | binaries (upload) |
info | network_dns | Communications use DNS | binaries (upload) |
info | network_tcp_listen | Listen for incoming communication | binaries (upload) |
info | network_tcp_socket | Communications over RAW socket | binaries (upload) |
info | network_udp_sock | Communications over UDP network | binaries (upload) |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_registry | Affect system registries | binaries (upload) |
info | win_token | Affect system token | binaries (upload) |
Network (896cnts)
Suricata ids
ET SCAN Potential SSH Scan OUTBOUND
PE API
IAT (Import Address Table) Library
kernel32.dll
0x673020 WriteFile
0x673024 WriteConsoleW
0x673028 WaitForMultipleObjects
0x67302c WaitForSingleObject
0x673030 VirtualQuery
0x673034 VirtualFree
0x673038 VirtualAlloc
0x67303c SwitchToThread
0x673040 SuspendThread
0x673044 SetWaitableTimer
0x673048 SetUnhandledExceptionFilter
0x67304c SetProcessPriorityBoost
0x673050 SetEvent
0x673054 SetErrorMode
0x673058 SetConsoleCtrlHandler
0x67305c ResumeThread
0x673060 QueryFullProcessImageNameA
0x673064 ProcessIdToSessionId
0x673068 PostQueuedCompletionStatus
0x67306c OpenProcess
0x673070 LoadLibraryA
0x673074 LoadLibraryW
0x673078 SetThreadContext
0x67307c GetThreadContext
0x673080 GetSystemInfo
0x673084 GetSystemDirectoryA
0x673088 GetStdHandle
0x67308c GetQueuedCompletionStatusEx
0x673090 GetProcessAffinityMask
0x673094 GetProcAddress
0x673098 GetEnvironmentStringsW
0x67309c GetConsoleMode
0x6730a0 FreeEnvironmentStringsW
0x6730a4 ExitProcess
0x6730a8 DuplicateHandle
0x6730ac CreateThread
0x6730b0 CreateIoCompletionPort
0x6730b4 CreateEventA
0x6730b8 CloseHandle
0x6730bc AddVectoredExceptionHandler
EAT (Export Address Table): none