ScreenShot
| Created | 2021.05.07 12:18 | Machine | s1_win7_x6401 |
| Filename | 20201117.rar | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 51 detected (MokesC784TW, malicious, high confidence, PcClient, GenericKD, PcShare, Save, confidence, 100%, ZedlaF, 7R4@aq1Y8Jpi, JUJI, Attribute, HighConfidence, ifipzo, CLOUD, Malware@#4puj8zmfvw84, R + Mal, VMProtBad, letbd, ai score=100, KVMH008, kcloud, Ymacco, score, R191990, Artemis, TScope, Unsafe, Plaw, kTPiiRkXQM0, Static AI, Suspicious PE) | ||
| md5 | bdfa523e5a06c417e30f0daecb6215f3 | ||
| sha256 | 1e8441f0d32d3854e0b3801063f6015a9f09637d77b714f8e58fb8c198693a51 | ||
| ssdeep | 49152:MfLe1QLqYinLEOz6VaAY0mOmD+MK03LRkpdWGZo09AxnemERApAi4EuWlV1d:MC1PYinTz6Va8QXD3LoA4ohJERAii/L | ||
| imphash | ba244fcbc3516db06a5798ef9cfcebb2 | ||
| impfuzzy | 12:j7g8tW3EQ4Q5kBZGoQtXJxZGb9AJcDfA5kLfP9m:jsCmEQ4Q58QtXJHc9NDI5Q8 | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
WS2_32.dll
0x10592000 recv
WTSAPI32.dll
0x10592008 WTSEnumerateSessionsA
KERNEL32.dll
0x10592010 WriteConsoleW
ADVAPI32.dll
0x10592018 RegOpenKeyExA
ole32.dll
0x10592020 CoTaskMemFree
OLEAUT32.dll
0x10592028 VariantClear
WTSAPI32.dll
0x10592030 WTSSendMessageW
KERNEL32.dll
0x10592038 VirtualQuery
USER32.dll
0x10592040 GetProcessWindowStation
KERNEL32.dll
0x10592048 LocalAlloc
0x1059204c LocalFree
0x10592050 GetModuleFileNameW
0x10592054 GetProcessAffinityMask
0x10592058 SetProcessAffinityMask
0x1059205c SetThreadAffinityMask
0x10592060 Sleep
0x10592064 ExitProcess
0x10592068 FreeLibrary
0x1059206c LoadLibraryA
0x10592070 GetModuleHandleA
0x10592074 GetProcAddress
USER32.dll
0x1059207c GetProcessWindowStation
0x10592080 GetUserObjectInformationW
EAT(Export Address Table) Library
0x10011470 ServiceMain
WS2_32.dll
0x10592000 recv
WTSAPI32.dll
0x10592008 WTSEnumerateSessionsA
KERNEL32.dll
0x10592010 WriteConsoleW
ADVAPI32.dll
0x10592018 RegOpenKeyExA
ole32.dll
0x10592020 CoTaskMemFree
OLEAUT32.dll
0x10592028 VariantClear
WTSAPI32.dll
0x10592030 WTSSendMessageW
KERNEL32.dll
0x10592038 VirtualQuery
USER32.dll
0x10592040 GetProcessWindowStation
KERNEL32.dll
0x10592048 LocalAlloc
0x1059204c LocalFree
0x10592050 GetModuleFileNameW
0x10592054 GetProcessAffinityMask
0x10592058 SetProcessAffinityMask
0x1059205c SetThreadAffinityMask
0x10592060 Sleep
0x10592064 ExitProcess
0x10592068 FreeLibrary
0x1059206c LoadLibraryA
0x10592070 GetModuleHandleA
0x10592074 GetProcAddress
USER32.dll
0x1059207c GetProcessWindowStation
0x10592080 GetUserObjectInformationW
EAT(Export Address Table) Library
0x10011470 ServiceMain