Field | Value |
---|---|
Created | 2021.06.21 12:55 |
Machine | s1_win7_x6402 |
Filename | temp.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 47 detected (malicious, high confidence, GenericKD, Artemis, Unsafe, Rozena, Shelma, MYRZ, Wstw, sdjwo, DownLoader39, R011C0WF821, Gravity, susgen, ASBOL, Encoded, Glupteba, score, ai score=88, 1U+6LbCbUgU, confidence) |
md5 | d89c813bf46d01f144a20592d371f0cc |
sha256 | 984265f2a1df743a585b3ed1aa138080dbc0e27c66d2472d10a66c916739556c |
ssdeep | 98304:T1yVjqcy7Vr5Xvdy3FBtCNG7Kmvh6BD1HRx2ZrCluDWtmf:ZyiTXY3mpmbpDYm |
imphash | 6ed4f5f04d62b18d96b26d6db7c18840 |
impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn |
Signature (17cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
watch | BITSAdmin Tool has been invoked to download a file |
watch | Communicates with host for which no DNS query was performed |
watch | Detects the presence of Wine emulator |
watch | Installs itself for autorun at Windows startup |
watch | Network activity contains more than one unique useragent |
watch | Uses suspicious command line tools or Windows utilities |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
info | Queries for the computername |
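Several of the network signatures above (more than one User-Agent, a destination with no preceding DNS query, HTTP POST, the Go default User-Agent that the Suricata rule below also fires on) can be reproduced from the sandbox's network events. The following is an added example, not code from the report or from the sandbox; it runs the same checks over a constructed event list (the hostnames, paths and documentation-range IPs are made up, and the "Download via BITS" wording is this example's own, since the report's BITSAdmin signature comes from process monitoring rather than the network):

```python
import shlex
from collections import Counter

# Constructed sample of sandbox network events; not taken from this report's capture.
# Format: "dns <queried-name> <answer-ip>" or "http <dst-ip> <method> <path> <user-agent>".
# 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.
SAMPLE_EVENTS = """
dns  cdn.update.test 198.51.100.7
http 198.51.100.7  GET  /check          "Go-http-client/1.1"
http 203.0.113.10  POST /gate.php       "Go-http-client/1.1"
http 203.0.113.10  GET  /dl/stage2.bin  "Microsoft BITS/7.8"
""".strip().splitlines()

# Default User-Agent prefix of Go's net/http client, which the ET USER_AGENTS rule keys on.
GO_DEFAULT_UA = "Go-http-client/"
# User-Agent prefix of the BITS download service: network-side corroboration of a
# bitsadmin download (the report's own BITSAdmin signature comes from process monitoring).
BITS_UA = "Microsoft BITS/"


def parse_events(lines):
    """Split event lines into the set of IPs returned by DNS and the list of HTTP requests."""
    dns_answers, requests = set(), []
    for line in lines:
        parts = shlex.split(line)          # shlex keeps the quoted User-Agent as one field
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "dns":
            dns_answers.add(parts[2])
        elif parts[0] == "http":
            dst, method, path, ua = parts[1:5]
            requests.append({"dst": dst, "method": method, "path": path, "ua": ua})
    return dns_answers, requests


def triage(lines):
    """Return the sorted list of network findings, worded like the report's signatures."""
    dns_answers, requests = parse_events(lines)
    findings = set()
    if len(Counter(r["ua"] for r in requests)) > 1:
        findings.add("Network activity contains more than one unique useragent")
    if any(r["ua"].startswith(GO_DEFAULT_UA) for r in requests):
        findings.add("ET USER_AGENTS Go HTTP Client User-Agent")
    # A destination that never appeared in a DNS answer was hard-coded or obtained out of band.
    if any(r["dst"] not in dns_answers for r in requests):
        findings.add("Communicates with host for which no DNS query was performed")
    if any(r["method"] == "POST" for r in requests):
        findings.add("Sends data using the HTTP POST Method")
    if any(r["ua"].startswith(BITS_UA) for r in requests):
        findings.add("Download via BITS (Microsoft BITS/ user-agent)")   # this example's wording
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("watch:", finding)
```

The "no DNS query" check is the one worth keeping in a triage script: a C2 address that is hard-coded or fetched from a dead-drop never shows up in DNS answers, which is exactly what the report flagged here.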
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts)
Suricata ids
ET USER_AGENTS Go HTTP Client User-Agent
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
Note: the same JA3 hash is attributed to Trickbot/Kovter/Dridex by the ET rule and to Tofsee by SSLBL, and the User-Agent is Go's net/http default. A JA3 hash fingerprints the client TLS stack, not a malware family, so these alerts corroborate a Go-built client rather than any of the families named. Both TLS sessions also ended in a handshake failure, so no application data was exchanged over TLS in this run.
PE API
IAT (Import Address Table)
KERNEL32.DLL
0xa6d028 LoadLibraryA
0xa6d030 ExitProcess
0xa6d038 GetProcAddress
0xa6d040 VirtualProtect
EAT (Export Address Table): none
Note: four KERNEL32 imports (LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess) is the import table of the UPX loader stub, not of the program. The real imports are resolved at runtime through LoadLibraryA/GetProcAddress once the stub has decompressed the image into memory, which is what the "compressed using UPX" and read-write-execute memory signatures above reflect. The imphash and impfuzzy values above therefore fingerprint the stub rather than the payload; read the IAT from an unpacked dump (upx -d, if the packer was not modified, or a memory dump taken after the stub jumps to the original entry point).
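The header facts the report states (PE32+, x86-64, UPX, a four-entry stub IAT) can be checked without a third-party PE library. The following is an added example, not code from the report or from any sandbox: a minimal parser for the COFF header and section table, a UPX heuristic that combines the section layout with the import names listed above, and a constructed PE32+ header that drives it (those bytes are made up for the example and are not temp.exe):

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664   # "x86-64" in the Type field of the report
PE32PLUS_MAGIC = 0x20B              # optional-header magic for PE32+
# The four functions a UPX loader stub needs: two to rebuild the real import
# table after decompression, one to change page protection, one to exit.
UPX_STUB_IMPORTS = {"LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"}


def parse_headers(data: bytes):
    """Return (machine, optional-header magic, [(name, VirtualSize, SizeOfRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]
    table = coff + 20 + opt_size           # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i               # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rawsize))
    return machine, magic, sections


def looks_upx_packed(sections, imports):
    """UPX heuristics: UPX0/UPX1 section names, or a first section with no bytes on
    disk (the decompression destination) together with a stub-only import table.
    `imports` is the list of imported function names, e.g. from the report's IAT."""
    names = {s[0] for s in sections}
    if {"UPX0", "UPX1"} & names:
        return True
    hollow_first = bool(sections) and sections[0][1] > 0 and sections[0][2] == 0
    stub_only = 0 < len(imports) <= 4 and set(imports) <= UPX_STUB_IMPORTS
    return hollow_first and stub_only


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ header laid out the way UPX leaves it; these are not
    the bytes of temp.exe, only enough header to exercise parse_headers()."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))             # e_lfanew: PE header right after DOS header
    secs = [(b"UPX0", 0x9C0000, 0), (b"UPX1", 0xA0000, 0x9F000), (b".rsrc", 0x1000, 0x400)]
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(secs), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                     # PE32+ optional header size
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1), rawsize, 0, 0, 0, 0, 0, 0xE0000020)
        for i, (name, vsize, rawsize) in enumerate(secs)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    machine, magic, sections = parse_headers(build_sample_pe())
    print(hex(machine), hex(magic), sections)
    print("UPX:", looks_upx_packed(sections, sorted(UPX_STUB_IMPORTS)))
```

Run `parse_headers()` over the real file instead of `build_sample_pe()` to confirm the report's Type line; the section-layout check matters because a renamed UPX section table (a common trivial modification) defeats the name check but not the empty-first-section plus stub-imports combination.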