ScreenShot
| Created | 2021.06.17 13:20 | Machine | s1_win7_x6402 |
| Filename | jgfz.jpg | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 18 detected (Malicious, score, VZXV, dlhwif, Kudj, Generic ML PUA, RiskTool, FlyStudio, ASMalwS, Wacatac, Artemis, KillFiles, Unsafe, StartPage) | ||
| md5 | 51c10802ed8cbcb4850a602c43b691ec | ||
| sha256 | 6a89deb3aa29bae199ce09551378986120b2806f15e7e09c9742676046556d79 | ||
| ssdeep | 192:2kisNgpAXgPu9JAxjwCMrpY7e8LqPZo5LdCfq1Rn6O3Qv3ztVYs85naRPcyJmbOj:28PJAxjr6+e9Pfqbn1QvJVYqeOj | ||
| imphash | cae0259af6116376a984aebdda1867f9 | ||
| impfuzzy | 3:sU9KTXzhAXwSx2AEZsWBJAEcXQRWD37M9C1EeA4E:HGDmErBJAEcXQwDLz1VHE | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates known FlyStudio files |
| watch | File has been identified by 18 AntiVirus engines on VirusTotal as malicious |
| notice | Foreign language identified in PE resource |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x407f5c GetProcAddress
0x407f60 GetModuleHandleA
0x407f64 LoadLibraryA
user32.dll
0x408014 MessageBoxA
advapi32.dll
0x40801c RegQueryValueExA
EAT(Export Address Table) is none
kernel32.dll
0x407f5c GetProcAddress
0x407f60 GetModuleHandleA
0x407f64 LoadLibraryA
user32.dll
0x408014 MessageBoxA
advapi32.dll
0x40801c RegQueryValueExA
EAT(Export Address Table) is none