ScreenShot
| Created | 2021.05.13 08:26 | Machine | s1_win7_x6402 |
| Filename | update201703280212.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 27 detected (AIDetectVM, malware1, Artemis, Unsafe, Fugrafa, Eldorado, Malicious, AGEN, DownLoad4, Generic PUA BD, gssa, Score, Presenoker, GenAsa, DPzVoG23Lus, susgen) | ||
| md5 | 3ccd1b5d4ea318d18cde4f03a6624679 | ||
| sha256 | 5b0a167d886fc4a3f6db12efc525f2a68df7132da2964fd4ccbe393701d9d254 | ||
| ssdeep | 12288:oY8+1sxs5qh9uycgoGnHB5l0XQyWiRmd18A40bCGi0rj8mp9ATPs:PdpDVgJHBv0geRmddx250v8GYPs | ||
| imphash | 8aef394188446c3df5eb3941b57d0414 | ||
| impfuzzy | 6:dBJAEHGDvZ/EwRgsuVM4PiKOaxaZC3EQMbtG:VA/DvZ9Rgi4K2xaZC3EQCG | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4bc67c LoadLibraryA
0x4bc680 GetProcAddress
0x4bc684 ExitProcess
advapi32.dll
0x4bc68c RegCloseKey
comctl32.dll
0x4bc694 ImageList_Add
gdi32.dll
0x4bc69c SaveDC
ole32.dll
0x4bc6a4 IsEqualGUID
oleaut32.dll
0x4bc6ac VariantClear
shell32.dll
0x4bc6b4 ShellExecuteA
user32.dll
0x4bc6bc GetDC
EAT(Export Address Table) is none
KERNEL32.DLL
0x4bc67c LoadLibraryA
0x4bc680 GetProcAddress
0x4bc684 ExitProcess
advapi32.dll
0x4bc68c RegCloseKey
comctl32.dll
0x4bc694 ImageList_Add
gdi32.dll
0x4bc69c SaveDC
ole32.dll
0x4bc6a4 IsEqualGUID
oleaut32.dll
0x4bc6ac VariantClear
shell32.dll
0x4bc6b4 ShellExecuteA
user32.dll
0x4bc6bc GetDC
EAT(Export Address Table) is none