Field | Value |
---|---|
Created | 2021.06.09 22:21 |
Machine | s1_win7_x6401 |
Filename | xy_cjz_37658_315d8b4zbmga.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file: clean |
VT API (file) | 42 detected (Hyperborea, Artemis, Unsafe, qwiard, malicious, confidence, 100%, Jacard, fmxctm, Malware@#1156om7dcxn0d, 0NA103JU20, Generic ML PUA, cqiu, qckcf, Score, ASMalwS, HackTool, AutoKMS, ai score=100, susgen) |
md5 | f99d0fc489a7258c29ec765cf1e2624a |
sha256 | 194c31cd0d620ef3c2772030924e28afb54f0a087d4b6c1c73c57f3de8f09222 |
ssdeep | 49152:ENVJk7WTiwEqg9OlppXsZuXiO9ztg15s/DwfxCro2lhf8QHx8etJOHrIgl:+VJk6DEq9p9WuXiKzq15skpCU2HPR50L |
imphash | 09a2e2c06ba2d6163c72d330b716ac6c |
impfuzzy | 12:mDzjAb6w1qwDDMgTQFjhnbAWg0sgypcMsXuqXz8cSx:mDnDw1qw3KdUgsgM2Vz8c4 |
Signatures (19)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | Disables proxy possibly for traffic interception |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a shortcut to an executable file |
notice | Creates executable files on the filesystem |
notice | Foreign language identified in PE resource |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (5)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
Network (5)
Suricata ids
PE API

IAT (Import Address Table)

Library | Address | Function |
---|---|---|
kernel32.dll | 0x9d0f5c | GetProcAddress |
kernel32.dll | 0x9d0f60 | GetModuleHandleA |
kernel32.dll | 0x9d0f64 | LoadLibraryA |
oleaut32.dll | 0x9d1214 | SysFreeString |
advapi32.dll | 0x9d121c | RegQueryValueExW |
user32.dll | 0x9d1224 | MessageBoxA |
user32.dll | 0x9d122c | SetClassLongW |
gdi32.dll | 0x9d1234 | WidenPath |
version.dll | 0x9d123c | VerQueryValueW |
advapi32.dll | 0x9d1244 | RegUnLoadKeyW |
oleaut32.dll | 0x9d124c | SafeArrayPtrOfIndex |
oleaut32.dll | 0x9d1254 | CreateErrorInfo |
ole32.dll | 0x9d125c | CreateStreamOnHGlobal |
comctl32.dll | 0x9d1264 | InitializeFlatSB |
user32.dll | 0x9d126c | EnumDisplayMonitors |
msvcrt.dll | 0x9d1274 | memset |
shell32.dll | 0x9d127c | ShellExecuteW |
shell32.dll | 0x9d1284 | SHGetSpecialFolderLocation |
winspool.drv | 0x9d128c | OpenPrinterW |
winspool.drv | 0x9d1294 | GetDefaultPrinterW |
gdiplus.dll | 0x9d129c | GdipEmfToWmfBits |

EAT (Export Address Table)

Address | Function |
---|---|
0x462eec | TMethodImplementationIntercept |