Field | Value |
---|---|
Created | 2021.05.04 09:13 |
Machine | s1_win7_x6402 |
Filename | explorer.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 54 detected (AIDetect, malware1, malicious, high confidence, MulDrop16, DeepScan, Rincux2, Unsafe, Farfli, ZexaF, zqW@aSaiSPgb, BYFY, Attribute, HighConfidence, GenKryptik, FCQT, Gh0stRAT, iudwcf, R + Mal, FakeAV, Magania, F@7jjkv4, Static AI, Suspicious PE, wfzk, ljbcq, ai score=100, kcloud, Kryptik, score, Zegost, R361328, R03AC0DDD21, CLOUD, GenAsa, UgP2HmBuAUY, Krypt, susgen, GdSda, confidence, 100%) |
md5 | 01c087629a99a6cb94700ae1f8f4d894 |
sha256 | ed5646b78d8d18ee534bb54d9708f5881d075c38d8f46dfa7e4c4a0783b01e27 |
ssdeep | 1536:siRtp/YdUQtzqeCNNzwft8dJHHRP+QAhYd13afFM1c7EHChiH0hLP+VVVVVVVVVQ:sAAdrt4Ot6dpgxfFMa7EHbH0hLNZ |
imphash | b1b0e62d3ddafa526052777d5f7706b2 |
impfuzzy | 12:mDzEMYAOovaZG2tPXJU3wXJYv8ERRvNu1Gbze6G9sAILFQLRJ:mDAMnOovuXd3iv8ERRvNuk/eJmtG |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Network communications indicative of possible code injection originated from the process explorer.exe |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a service |
notice | Creates executable files on the filesystem |
notice | Foreign language identified in PE resource |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
info | Checks amount of memory in system |
info | The executable uses a known packer |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x407000 GetProcAddress
0x407004 GetModuleHandleA
0x407008 RtlUnwind
0x40700c RaiseException
0x407010 GetStartupInfoA
0x407014 GetCommandLineA
0x407018 GetVersion
0x40701c ExitProcess
0x407020 HeapFree
0x407024 SetUnhandledExceptionFilter
0x407028 TerminateProcess
0x40702c GetCurrentProcess
0x407030 UnhandledExceptionFilter
0x407034 GetModuleFileNameA
0x407038 FreeEnvironmentStringsA
0x40703c FreeEnvironmentStringsW
0x407040 WideCharToMultiByte
0x407044 GetEnvironmentStrings
0x407048 GetEnvironmentStringsW
0x40704c SetHandleCount
0x407050 GetStdHandle
0x407054 GetFileType
0x407058 GetEnvironmentVariableA
0x40705c GetVersionExA
0x407060 HeapDestroy
0x407064 HeapCreate
0x407068 VirtualFree
0x40706c WriteFile
0x407070 HeapAlloc
0x407074 VirtualAlloc
0x407078 HeapReAlloc
0x40707c IsBadWritePtr
0x407080 IsBadReadPtr
0x407084 IsBadCodePtr
0x407088 GetCPInfo
0x40708c GetACP
0x407090 GetOEMCP
0x407094 LoadLibraryA
0x407098 MultiByteToWideChar
0x40709c LCMapStringA
0x4070a0 LCMapStringW
0x4070a4 GetStringTypeA
0x4070a8 GetStringTypeW
EAT(Export Address Table) is none