ScreenShot
| Created | 2021.06.17 13:24 | Machine | s1_win7_x6402 |
| Filename | hope.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 51 detected (AIDetect, malware2, malicious, high confidence, Johnnie, Bingoml, FSDK, Unsafe, Kryptik, Eldorado, Attribute, HighConfidence, bvlm, iwbuju, MulDrop17, TSPY, VBKEYLOG, PWSZbot, Static AI, Malicious PE, ai score=89, ASMalwS, AgentKlog, score, ZevbaCO, Lm0@a0jGTPmi, CLASSIC, Outbreak, susgen, confidence, 100%) | ||
| md5 | d43338c66b34e2d4e15b090aeb58401c | ||
| sha256 | 3bc33661eae22696045e7b4b1f29344f4c33e53404ddee2f72fd188beea1d865 | ||
| ssdeep | 6144:5qyKexVFPv7cWcm1S4GlA9jmHv/VCSY3hw9lMbk6u1QMS0y+lqiHTonWryFDYR3:AyKsIp46A9jmP/uhu/yMS08CkntxYR3 | ||
| imphash | 145c6039185a48fcd75206f572d72aaf | ||
| impfuzzy | 12:nTOWpTOT8MYqUwTnwzTPc5swDQoTdU61n9anhmnaICTKiM2UR7lx9GSwmR/:nVWnw3c5BU66nSaaiM2GRNf/ | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Disables proxy possibly for traffic interception |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a suspicious process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
MSVBVM60.DLL
0x401000 None
0x401004 None
0x401008 None
0x40100c MethCallEngine
0x401010 None
0x401014 None
0x401018 None
0x40101c None
0x401020 None
0x401024 None
0x401028 None
0x40102c None
0x401030 None
0x401034 None
0x401038 None
0x40103c None
0x401040 None
0x401044 None
0x401048 None
0x40104c None
0x401050 None
0x401054 None
0x401058 None
0x40105c EVENT_SINK_AddRef
0x401060 None
0x401064 None
0x401068 None
0x40106c DllFunctionCall
0x401070 None
0x401074 None
0x401078 None
0x40107c EVENT_SINK_Release
0x401080 None
0x401084 None
0x401088 EVENT_SINK_QueryInterface
0x40108c __vbaExceptHandler
0x401090 None
0x401094 None
0x401098 None
0x40109c None
0x4010a0 None
0x4010a4 None
0x4010a8 None
0x4010ac None
0x4010b0 None
0x4010b4 ProcCallEngine
0x4010b8 None
0x4010bc None
0x4010c0 None
0x4010c4 None
0x4010c8 None
0x4010cc None
0x4010d0 None
0x4010d4 None
0x4010d8 None
0x4010dc None
0x4010e0 None
0x4010e4 None
0x4010e8 None
0x4010ec None
0x4010f0 None
0x4010f4 None
0x4010f8 None
0x4010fc None
0x401100 None
EAT(Export Address Table) is none
MSVBVM60.DLL
0x401000 None
0x401004 None
0x401008 None
0x40100c MethCallEngine
0x401010 None
0x401014 None
0x401018 None
0x40101c None
0x401020 None
0x401024 None
0x401028 None
0x40102c None
0x401030 None
0x401034 None
0x401038 None
0x40103c None
0x401040 None
0x401044 None
0x401048 None
0x40104c None
0x401050 None
0x401054 None
0x401058 None
0x40105c EVENT_SINK_AddRef
0x401060 None
0x401064 None
0x401068 None
0x40106c DllFunctionCall
0x401070 None
0x401074 None
0x401078 None
0x40107c EVENT_SINK_Release
0x401080 None
0x401084 None
0x401088 EVENT_SINK_QueryInterface
0x40108c __vbaExceptHandler
0x401090 None
0x401094 None
0x401098 None
0x40109c None
0x4010a0 None
0x4010a4 None
0x4010a8 None
0x4010ac None
0x4010b0 None
0x4010b4 ProcCallEngine
0x4010b8 None
0x4010bc None
0x4010c0 None
0x4010c4 None
0x4010c8 None
0x4010cc None
0x4010d0 None
0x4010d4 None
0x4010d8 None
0x4010dc None
0x4010e0 None
0x4010e4 None
0x4010e8 None
0x4010ec None
0x4010f0 None
0x4010f4 None
0x4010f8 None
0x4010fc None
0x401100 None
EAT(Export Address Table) is none