Field | Value |
---|---|
Created | 2021.06.03 21:05 |
Machine | s1_win7_x6401 |
Filename | 4bd5e746e9329d8ab41a7d4fbbc91dc9.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 42 detected (AIDetect, malware1, GenericKD, Artemis, Unsafe, Save, GenKryptik, malicious, confidence, Attribute, HighConfidence, FFZO, USMANEU21, FileRepMalware, dmret, ai score=81, Vigorf, score, R423337, CLOUD, Krypt) |
md5 | a4c547cfac944ad816edf7c54bb58c5c |
sha256 | 2f158fe98389b164103a1c3aac49e10520dfd332559d64a546b65af7ef00cd5f |
ssdeep | 24576:TGgoe5Q0nyofLPeHy2sjv7myfXrNXbjFveqqb:KwQ0nyoz3tvHLleBb |
imphash | 3de737560d80707fbf000766309e79f6 |
impfuzzy | 12:mDoAclLRmLF5sOovaZGe3wXJYv8ERRvNdKu1GlEEgKRi/wxrd:mDoxEyOovuiiv8ERRv6uklEEgK4wx5 |
Signature (19cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
watch | Creates or sets a registry key to a long series of bytes |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a shortcut to an executable file |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | The executable uses a known packer |
Rules (10cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (upload) |
Network (11cnts)
Suricata IDs
ET POLICY External IP Lookup ip-api.com
PE API
IAT (Import Address Table) by library
KERNEL32.dll
0x405000 GetProcAddress
0x405004 LoadLibraryA
0x405008 GetConsoleWindow
0x40500c GetStringTypeA
0x405010 LCMapStringW
0x405014 LCMapStringA
0x405018 MultiByteToWideChar
0x40501c GetOEMCP
0x405020 GetACP
0x405024 GetCommandLineA
0x405028 GetVersion
0x40502c ExitProcess
0x405030 HeapAlloc
0x405034 TerminateProcess
0x405038 GetCurrentProcess
0x40503c UnhandledExceptionFilter
0x405040 GetModuleFileNameA
0x405044 FreeEnvironmentStringsA
0x405048 FreeEnvironmentStringsW
0x40504c WideCharToMultiByte
0x405050 GetEnvironmentStrings
0x405054 GetEnvironmentStringsW
0x405058 SetHandleCount
0x40505c GetStdHandle
0x405060 GetFileType
0x405064 GetStartupInfoA
0x405068 GetModuleHandleA
0x40506c GetEnvironmentVariableA
0x405070 GetVersionExA
0x405074 HeapDestroy
0x405078 HeapCreate
0x40507c VirtualFree
0x405080 HeapFree
0x405084 RtlUnwind
0x405088 WriteFile
0x40508c VirtualAlloc
0x405090 HeapReAlloc
0x405094 GetCPInfo
0x405098 GetStringTypeW
USER32.dll
0x4050a0 wsprintfW
ole32.dll
0x4050a8 CoUninitialize
0x4050ac CoCreateInstance
0x4050b0 CoInitialize
EAT (Export Address Table): none