Field | Value
---|---
Created | 2021.05.04 11:21
Machine | s1_win7_x6401
Filename | 46.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : malware
VT API (file) | 38 detected (malicious, high confidence, Mint, Zard, Unsafe, Attribute, HighConfidence, Phorpiex, CoinminerX, EQE@80vxxy, Static AI, Malicious PE, XPACK, ai score=89, Caynamer, score, Dlder, BScope, dGZlOgUN9lLDNPuMzg, Outbreak, ZexaF, auW@a0A3T4li, confidence, 100%)
md5 | 0a6569e45a3a38f7168f4c4aa0594627
sha256 | ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38
ssdeep | 96:L1YtYF8d/XFvRxR2xs9it95PtboynunSzCt4:L12jWbr5P1oynWSq
imphash | 3cdafced2b335e7dc14e96cb2f655c00
impfuzzy | 12:I4sQGX5u4Gy+GXRzGy5hwBc7bwYLIS73ORB9OdCmEsy2ugW:cX50y+GdgBc6S73Ov9OS/2jW
Signature (23cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Disables Windows Security features |
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Communicates with host for which no DNS query was performed |
watch | Connects to an IRC server |
watch | Installs itself for autorun at Windows startup |
watch | Modifies security center warnings |
watch | Network activity contains more than one unique useragent |
watch | Network communications indicative of possible code injection originated from the process lsass.exe |
watch | One or more of the buffers contains an embedded PE file |
watch | Operates on local firewall's policies and settings |
notice | A process attempted to delay the analysis task. |
notice | An executable file was downloaded by the process 46.exe |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (19cnts)
Suricata IDs
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET POLICY External IP Lookup Attempt To Wipmania
ET TOR Known Tor Exit Node Traffic group 74
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75
ET COMPROMISED Known Compromised or Hostile Host Traffic group 109
ET INFO Executable Download from dotted-quad Host
SURICATA HTTP gzip decompression failed
ET POLICY TOR Consensus Data Requested
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET P2P TOR 1.0 Server Key Retrieval
ET P2P Tor Get Server Request
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY TLS possible TOR SSL traffic
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225
PE API
IAT (Import Address Table) Library
SHLWAPI.dll
0x402084 PathFileExistsW
MSVCRT.dll
0x402038 __p__fmode
0x40203c __set_app_type
0x402040 __p__commode
0x402044 _controlfp
0x402048 _adjust_fdiv
0x40204c __setusermatherr
0x402050 _initterm
0x402054 __getmainargs
0x402058 _acmdln
0x40205c exit
0x402060 _XcptFilter
0x402064 _exit
0x402068 srand
0x40206c rand
0x402070 memset
0x402074 _except_handler3
WININET.dll
0x402094 InternetOpenW
0x402098 InternetOpenUrlW
0x40209c InternetCloseHandle
0x4020a0 InternetReadFile
urlmon.dll
0x4020a8 URLDownloadToFileW
KERNEL32.dll
0x402000 CopyFileA
0x402004 GetTickCount
0x402008 CloseHandle
0x40200c DeleteFileW
0x402010 CreateProcessW
0x402014 Sleep
0x402018 CopyFileW
0x40201c DeleteFileA
0x402020 GetModuleHandleA
0x402024 GetStartupInfoA
0x402028 CreateFileW
0x40202c ExpandEnvironmentStringsW
0x402030 WriteFile
USER32.dll
0x40208c wsprintfW
SHELL32.dll
0x40207c ShellExecuteW
EAT (Export Address Table): none
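The import table above is enough on its own to explain most of the behavioural signatures in this report (download of an executable, drop into AppData, process launch, delayed execution). The following script is an added example, not part of the sandbox output or of any tool the report names: it takes the IAT transcribed from the listing above, maps API combinations to behaviours using rule groupings of my own (not a published taxonomy), decides whether the import profile is a download-and-execute loader, and recomputes the `imphash` field the way pefile does. Because the page lists imports grouped by DLL and that grouping need not match the binary's import-directory order, the recomputed hash is not guaranteed to equal the report's `3cdafced...` value; it shows how the field is derived.

```python
"""Triage the import table from the report above.  Added example, not sandbox code."""
import hashlib
from typing import Dict, List, Set

# The IAT from the report, transcribed as dll -> imported names in listing order.
IAT: Dict[str, List[str]] = {
    "SHLWAPI.dll": ["PathFileExistsW"],
    "MSVCRT.dll": ["__p__fmode", "__set_app_type", "__p__commode", "_controlfp",
                   "_adjust_fdiv", "__setusermatherr", "_initterm", "__getmainargs",
                   "_acmdln", "exit", "_XcptFilter", "_exit", "srand", "rand",
                   "memset", "_except_handler3"],
    "WININET.dll": ["InternetOpenW", "InternetOpenUrlW", "InternetCloseHandle",
                    "InternetReadFile"],
    "urlmon.dll": ["URLDownloadToFileW"],
    "KERNEL32.dll": ["CopyFileA", "GetTickCount", "CloseHandle", "DeleteFileW",
                     "CreateProcessW", "Sleep", "CopyFileW", "DeleteFileA",
                     "GetModuleHandleA", "GetStartupInfoA", "CreateFileW",
                     "ExpandEnvironmentStringsW", "WriteFile"],
    "USER32.dll": ["wsprintfW"],
    "SHELL32.dll": ["ShellExecuteW"],
}

# Heuristic rules (assumed groupings): a rule fires when every listed import is
# present.  Keys are "module!Function" with the module lowercased and its
# extension stripped, matching the form used by imphash.
RULES: Dict[str, Set[str]] = {
    "downloads file to disk": {"urlmon!URLDownloadToFileW"},
    "downloads via WinINet stream": {"wininet!InternetOpenUrlW", "wininet!InternetReadFile"},
    "launches process": {"kernel32!CreateProcessW"},
    "launches via shell": {"shell32!ShellExecuteW"},
    "copies self to expanded env path": {"kernel32!CopyFileW", "kernel32!ExpandEnvironmentStringsW"},
    "writes dropped file": {"kernel32!CreateFileW", "kernel32!WriteFile"},
    "deletes files (cleanup)": {"kernel32!DeleteFileW"},
    "time-based delay / analysis stalling": {"kernel32!Sleep", "kernel32!GetTickCount"},
    "randomised names or URLs": {"msvcrt!srand", "msvcrt!rand"},
}


def _module(dll: str) -> str:
    """pefile-style module name: lowercase with .dll/.ocx/.sys removed."""
    name = dll.lower()
    return name[:-4] if name.endswith((".dll", ".ocx", ".sys")) else name


def import_set(iat: Dict[str, List[str]]) -> Set[str]:
    """Flatten the IAT into 'module!Function' keys."""
    return {f"{_module(dll)}!{fn}" for dll, fns in iat.items() for fn in fns}


def capabilities(iat: Dict[str, List[str]]) -> List[str]:
    """Return the labels of every rule whose required imports are all present."""
    present = import_set(iat)
    return [label for label, needed in RULES.items() if needed <= present]


def is_download_and_execute(iat: Dict[str, List[str]]) -> bool:
    """True when the binary can both fetch a payload and run it."""
    caps = set(capabilities(iat))
    fetch = {"downloads file to disk", "downloads via WinINet stream"}
    run = {"launches process", "launches via shell"}
    return bool(caps & fetch) and bool(caps & run)


def imphash(iat: Dict[str, List[str]]) -> str:
    """md5 over 'module.function' pairs (both lowercased), comma-joined in order."""
    parts = [f"{_module(dll)}.{fn.lower()}" for dll, fns in iat.items() for fn in fns]
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    for cap in capabilities(IAT):
        print("-", cap)
    print("download-and-execute loader:", is_download_and_execute(IAT))
    print("imphash of listed order:", imphash(IAT))
```

Run against a real sample, the same rules are applied to the output of `pefile.PE(path).DIRECTORY_ENTRY_IMPORT` instead of the transcribed dictionary; the point of the rule table is that a downloader profile (urlmon or WinINet plus CreateProcess/ShellExecute, CopyFile plus ExpandEnvironmentStrings, Sleep plus GetTickCount) is visible statically before any sandbox run, which is useful when the C2 hosts are already dead, as the "no longer responding" signature above reports.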