Field | Value |
---|---|
Created | 2021.06.22 18:13 |
Machine | s1_win7_x6402 |
Filename | prince_of_persia_P_v4_x86.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 34 detected (malicious, high confidence, Unsafe, Save, ZexaF, p8Y@aeK1PWl, Attribute, HighConfidence, ENCW, InjectorX, Zenpak, imccim, RDMK, cmRtazrVVPuJckTUjWVpm08mp3oT, Meterpreter, Hijacker, PoshC2, score, R361916, ai score=80, BScope, GdSda, confidence) |
md5 | 28906318e1bfa9949cd086e807a0f220 |
sha256 | 3c4c4cb0e9a48e8203ebe67da38dcfdc0d888213424ddd335a767f6a04e798ff |
ssdeep | 3072:Fw5tuhTTKtpWAFPmM9Kx067MjdfOW7B9tNY12xGLgzONzW:FkgxAFfOWN/o2x8gzONi |
imphash | 35b5715d1d5b1876f546dbd1eae03180 |
impfuzzy | 12:C+wRJRibJ2cDk85ARZqRLAuzhYPXJ+qRmzT4GQGX5XGXKYmJlk6lTpJqJiZn:jkfiFlDk/cLZzeFmLTX5XGAJlkoDqoZn |
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission in another process, indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (upload) |
Network (22cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x42c104 CloseHandle
0x42c108 CreateProcessA
0x42c10c CreateRemoteThread
0x42c110 DeleteCriticalSection
0x42c114 EnterCriticalSection
0x42c118 FreeLibrary
0x42c11c GetLastError
0x42c120 GetModuleHandleA
0x42c124 GetProcAddress
0x42c128 GetProcessId
0x42c12c GetStartupInfoA
0x42c130 InitializeCriticalSection
0x42c134 LeaveCriticalSection
0x42c138 LoadLibraryA
0x42c13c OpenProcess
0x42c140 SetUnhandledExceptionFilter
0x42c144 Sleep
0x42c148 TlsGetValue
0x42c14c VirtualAllocEx
0x42c150 VirtualProtect
0x42c154 VirtualQuery
0x42c158 WriteProcessMemory
msvcrt.dll
0x42c160 __getmainargs
0x42c164 __initenv
0x42c168 __lconv_init
0x42c16c __p__acmdln
0x42c170 __p__commode
0x42c174 __p__fmode
0x42c178 __set_app_type
0x42c17c __setusermatherr
0x42c180 _amsg_exit
0x42c184 _cexit
0x42c188 _initterm
0x42c18c _iob
0x42c190 _onexit
0x42c194 abort
0x42c198 atoi
0x42c19c calloc
0x42c1a0 exit
0x42c1a4 fprintf
0x42c1a8 free
0x42c1ac fwrite
0x42c1b0 malloc
0x42c1b4 memcpy
0x42c1b8 signal
0x42c1bc strlen
0x42c1c0 strncmp
0x42c1c4 vfprintf
EAT (Export Address Table): none
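Worked example, added here and not part of the sandbox report or its vendor's tooling: a Python triage script that recomputes a pefile-style imphash from the imports listed above and checks whether the KERNEL32 imports form the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread cluster that the "Allocates execute permission in another process" signature refers to. Assumptions: the imphash routine is a reimplementation of pefile's algorithm rather than a call into pefile; the listing order above is taken to be the import-directory order (if the report printed the IAT in a different order, the digest will not match the report's imphash even though the import set is identical); and the cluster names and their membership are this example's own choice.

```python
"""Static import-table triage for the sample listed above.

Added example (not the sandbox vendor's code). It recomputes a pefile-style
imphash from the printed IAT and flags the API cluster behind the report's
"Allocates execute permission in another process" signature.

Assumptions:
  * imphash() reimplements pefile's algorithm (lowercased 'lib.func' strings
    joined with commas, MD5-hashed);
  * the import order below is the IAT order printed in the report, assumed to
    equal the import-directory order pefile walks;
  * cluster names and membership are this example's own choice.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed input: the KERNEL32.dll and msvcrt.dll imports copied from the
# IAT listing above, in the order they appear there.
IMPORTS: Dict[str, List[str]] = {
    "KERNEL32.dll": [
        "CloseHandle", "CreateProcessA", "CreateRemoteThread",
        "DeleteCriticalSection", "EnterCriticalSection", "FreeLibrary",
        "GetLastError", "GetModuleHandleA", "GetProcAddress", "GetProcessId",
        "GetStartupInfoA", "InitializeCriticalSection", "LeaveCriticalSection",
        "LoadLibraryA", "OpenProcess", "SetUnhandledExceptionFilter", "Sleep",
        "TlsGetValue", "VirtualAllocEx", "VirtualProtect", "VirtualQuery",
        "WriteProcessMemory",
    ],
    "msvcrt.dll": [
        "__getmainargs", "__initenv", "__lconv_init", "__p__acmdln",
        "__p__commode", "__p__fmode", "__set_app_type", "__setusermatherr",
        "_amsg_exit", "_cexit", "_initterm", "_iob", "_onexit", "abort",
        "atoi", "calloc", "exit", "fprintf", "free", "fwrite", "malloc",
        "memcpy", "signal", "strlen", "strncmp", "vfprintf",
    ],
}

# Every API in a tuple must be imported for the cluster to count; a partial
# match is reported separately so an analyst can see what is missing.
INJECTION_CLUSTERS: Dict[str, Tuple[str, ...]] = {
    "remote-thread injection (existing process)": (
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    ),
    "spawn-then-inject (new process)": (
        "CreateProcessA", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    ),
}


def imphash(imports: Dict[str, Iterable[str]]) -> str:
    """MD5 over 'lib.func,lib.func,...' in import order (pefile's scheme).

    Library names are lowercased and stripped of a .dll/.ocx/.sys suffix;
    function names are lowercased. Reordering the imports changes the digest,
    which is why imphash groups builds of the same source/toolchain."""
    parts: List[str] = []
    for lib, funcs in imports.items():
        name = lib.lower()
        stem, dot, ext = name.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            name = stem
        parts.extend(f"{name}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def cluster_coverage(imports: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Map each cluster name to the list of its APIs that are NOT imported.

    An empty list means the cluster is complete. Comparison is
    case-insensitive and ignores which DLL provides the export."""
    present = {func.lower() for funcs in imports.values() for func in funcs}
    return {
        name: [api for api in apis if api.lower() not in present]
        for name, apis in INJECTION_CLUSTERS.items()
    }


def matched_clusters(imports: Dict[str, Iterable[str]]) -> List[str]:
    """Names of the injection clusters that are fully present."""
    return [name for name, missing in cluster_coverage(imports).items() if not missing]


if __name__ == "__main__":
    print("imphash :", imphash(IMPORTS))
    for name, missing in cluster_coverage(IMPORTS).items():
        status = "COMPLETE" if not missing else "partial, missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Two caveats when using this on other samples. First, a static cluster match only fires when the APIs are in the import table; this sample also imports GetProcAddress and LoadLibraryA, so a variant that resolved the same four functions at runtime would show an empty cluster here and would be caught only by the behavioral "watch" signature above. Second, compare the digest against the report's imphash value before trusting the recomputation: a mismatch means the listing order is not the import-directory order and the function must be fed from the PE itself.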