ScreenShot
| Created | 2021.05.26 09:31 | Machine | s1_win7_x6401 |
| Filename | %E6%9A%97%E5%B7%B7%E8%A7%86%E9%A2%91%E8%A7%A3%E6%9E%90%E5%8A%A9%E6%89%8B.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 61 detected (AIDetect, malware1, Occamy, Eldorado, malicious, high confidence, GenericKD, Dorv, Artemis, Unsafe, Blamon, confidence, 100%, ZexaF, YmKfaikBAmlb, BBYK, DropperX, Razy, drhzfg, lpZC, Gencirc, OV@6e1pyh, 0NA103HU19, Static AI, Malicious PE, ayzp, ASMalwS, kcloud, Mintluks, score, BScope, MulDrop, CLOUD, MhQIceDbprY, ai score=100, Genetic) | ||
| md5 | dab5d970f5261b346185007f25d3e5db | ||
| sha256 | f19106fe86c7fee8a0c981bfe98937b43c2c818fac6e2fa85f831ddf906ff6bc | ||
| ssdeep | 12288:RoHZNzEtcggJyCCUZH27oGuoHTqXFvU+Hz0MjP54KmU34BZlfRWHjzkQWc:mbzXgx3UZW7DuoHuXFTj754rlfYHo | ||
| imphash | 14048fae5b8fc070a9de08ac1297587d | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/CmmbNUxAdYgTDn:VA/DzqYOZKPu45n | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 61 AntiVirus engines on VirusTotal as malicious |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Expresses interest in specific running processes |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
Rules (8cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4f7d74 LoadLibraryA
0x4f7d78 GetProcAddress
0x4f7d7c VirtualProtect
0x4f7d80 VirtualAlloc
0x4f7d84 VirtualFree
0x4f7d88 ExitProcess
GDI32.dll
0x4f7d90 DeleteObject
MSVCRT.dll
0x4f7d98 free
SHELL32.dll
0x4f7da0 ShellExecuteA
SHLWAPI.dll
0x4f7da8 PathFileExistsA
USER32.dll
0x4f7db0 GetFocus
EAT(Export Address Table) is none
KERNEL32.DLL
0x4f7d74 LoadLibraryA
0x4f7d78 GetProcAddress
0x4f7d7c VirtualProtect
0x4f7d80 VirtualAlloc
0x4f7d84 VirtualFree
0x4f7d88 ExitProcess
GDI32.dll
0x4f7d90 DeleteObject
MSVCRT.dll
0x4f7d98 free
SHELL32.dll
0x4f7da0 ShellExecuteA
SHLWAPI.dll
0x4f7da8 PathFileExistsA
USER32.dll
0x4f7db0 GetFocus
EAT(Export Address Table) is none