Field | Value
---|---
Created | 2021.05.24 09:18
Machine | s1_win7_x6401
Filename | wnspxzq@_27899.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score |
Behavior Score |
ZERO API | file : malware
VT API (file) | 31 detected (Zusy, Artemis, Unsafe, Wacatac, Duote, Malicious, dGZlOgVvnaLNC0yWXw, Score, Delphi, Gen4, Tiggre, ai score=100, TScope, Delf, R002H0CEI21, confidence, 100%)
md5 | 9d24f3afa9e996bb1d87fbf12263c53f
sha256 | 379a4afe5d418429ba1bb2e484a0672137325262f55473d007e72ebe4879a036
ssdeep | 24576:54J2QS/Mo6TVg2UldBeAGNI5blPIZgibbtSBTbfj2ZSUWSej/Qde:54wQSkhT5UPEMqtq72Z1erQde
imphash | 0fd1ae9dc2ff93ef397166b3a1a3fa90
impfuzzy | 12:VA/DzqYOZ9VJ4LGGxaZC3E7ZZSIAITQQLKxn:V0DBa9VJ9EoKEvSIArn
Network IP location
Signatures (13)
Level | Description |
---|---|
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Foreign language identified in PE resource |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
Network (9)
Suricata ids
PE API
IAT (Import Address Table)
KERNEL32.DLL
0x863b54 LoadLibraryA
0x863b58 GetProcAddress
0x863b5c VirtualProtect
0x863b60 VirtualAlloc
0x863b64 VirtualFree
0x863b68 ExitProcess
advapi32.dll
0x863b70 RegFlushKey
comctl32.dll
0x863b78 ImageList_Add
gdi32.dll
0x863b80 Pie
gdiplus.dll
0x863b88 GdipFree
msvcrt.dll
0x863b90 _gcvt
netapi32.dll
0x863b98 Netbios
ole32.dll
0x863ba0 IsEqualGUID
oleaut32.dll
0x863ba8 VariantCopy
shell32.dll
0x863bb0 ShellExecuteW
shlwapi.dll
0x863bb8 PathCombineW
URLMON.DLL
0x863bc0 URLDownloadToFileW
user32.dll
0x863bc8 GetDC
version.dll
0x863bd0 VerQueryValueW
wininet.dll
0x863bd8 InternetOpenA
wsock32.dll
0x863be0 send
EAT (Export Address Table): none
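The import table above is the characteristic shape of a UPX stub rather than of the original program: KERNEL32 supplies LoadLibraryA and GetProcAddress (used to rebuild the real imports after decompression) plus VirtualProtect/VirtualAlloc/VirtualFree, and every other DLL is kept with exactly one function so the loader still maps it. The following is an added example, not code from the report or the sandbox: it transcribes the IAT listing as constructed input, applies that stub heuristic, and computes an imphash with the same algorithm pefile and VirusTotal use (md5 over comma-joined, lower-cased `lib.func` strings in import-directory order). The `UNPACKED_IMPORTS` table is a hypothetical negative control; the computed hash will only equal the report's imphash if the listing order matches the binary's import directory order, which the report does not guarantee.

```python
import hashlib

# Import table as listed in the IAT section of this report, transcribed here as
# constructed input: (dll, [function, ...]) in the order the report shows it.
REPORT_IMPORTS = [
    ("KERNEL32.DLL", ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                      "VirtualAlloc", "VirtualFree", "ExitProcess"]),
    ("advapi32.dll", ["RegFlushKey"]),
    ("comctl32.dll", ["ImageList_Add"]),
    ("gdi32.dll", ["Pie"]),
    ("gdiplus.dll", ["GdipFree"]),
    ("msvcrt.dll", ["_gcvt"]),
    ("netapi32.dll", ["Netbios"]),
    ("ole32.dll", ["IsEqualGUID"]),
    ("oleaut32.dll", ["VariantCopy"]),
    ("shell32.dll", ["ShellExecuteW"]),
    ("shlwapi.dll", ["PathCombineW"]),
    ("URLMON.DLL", ["URLDownloadToFileW"]),
    ("user32.dll", ["GetDC"]),
    ("version.dll", ["VerQueryValueW"]),
    ("wininet.dll", ["InternetOpenA"]),
    ("wsock32.dll", ["send"]),
]

# Hypothetical import table of an ordinary, unpacked GUI program (constructed
# here only as a negative control for the heuristic; not from any real sample).
UNPACKED_IMPORTS = [
    ("KERNEL32.DLL", ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                      "GetLastError", "HeapAlloc", "HeapFree", "ExitProcess"]),
    ("USER32.dll", ["CreateWindowExW", "DefWindowProcW", "DispatchMessageW",
                    "GetMessageW", "RegisterClassW", "ShowWindow"]),
    ("GDI32.dll", ["CreateFontW", "SelectObject", "TextOutW"]),
]

REPORT_IMPHASH = "0fd1ae9dc2ff93ef397166b3a1a3fa90"  # value stated in the report


def imphash(imports):
    """Import hash as pefile/VirusTotal define it.

    Library names are lower-cased and stripped of a .dll/.ocx/.sys extension,
    each import becomes "lib.func" (lower-cased), the strings are joined with
    commas in import-directory order, and the result is md5-hashed.
    """
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def looks_like_upx_stub(imports):
    """Return True if the import table has the shape UPX leaves behind:
    KERNEL32 with LoadLibraryA, GetProcAddress and VirtualProtect, and
    exactly one imported function for every other DLL."""
    table = {dll.lower(): list(funcs) for dll, funcs in imports}
    k32 = {f.lower() for f in table.pop("kernel32.dll", [])}
    # The stub resolves the real imports itself and re-protects the unpacked
    # sections, so these three are always present in the kernel32 entry.
    if not {"loadlibrarya", "getprocaddress", "virtualprotect"} <= k32:
        return False
    # Each remaining DLL is pinned with a single import so the loader maps it.
    return bool(table) and all(len(funcs) == 1 for funcs in table.values())


if __name__ == "__main__":
    computed = imphash(REPORT_IMPORTS)
    print("UPX-stub shaped import table:", looks_like_upx_stub(REPORT_IMPORTS))
    print("imphash over the listed IAT:  ", computed)
    print("imphash stated in the report: ", REPORT_IMPHASH,
          "(match)" if computed == REPORT_IMPHASH else "(differs: order or ordinal imports)")
```

On a real file the same value comes from `pefile.PE(path).get_imphash()`; the point of the heuristic is that a stub-shaped table tells you the imphash identifies the packer, not the payload, so pivoting on it will cluster unrelated UPX-packed binaries. Unpack first (for plain UPX, `upx -d`) and hash the unpacked image's imports instead.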