ScreenShot
| Created | 2021.06.24 09:42 | Machine | s1_win7_x6401 |
| Filename | Protected.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 37 detected (AIDetect, malware2, malicious, high confidence, Inject4, Babar, Artemis, Unsafe, Save, Attribute, HighConfidence, EPJG, FileRepMalware, Sxeb, VirRansom, Score, AGEN, ai score=84, Wacatac, BScope, TrojanPSW, Racealer, CLASSIC, susgen) | ||
| md5 | c735ab1566d5ef0b24ab014db8852ea8 | ||
| sha256 | a00fa5a6df14735054f3b9700d0a9418be11971365eda296c2d539141f05fc7f | ||
| ssdeep | 49152:7poqpcFq9lSG3I1fecbpUD+sglZI0dEq969:7poo+clSG3efez+N+0SG2 | ||
| imphash | 4dfea731e342ecfb5ceb366d5bafbbf1 | ||
| impfuzzy | 48:c4FmAz/l1wzxQQZwgowbbV2gkH1xR3Yl39Pjw419xoT+ytmFNjWc4jMhHw+pxmHy:+Az/l1GxQQZfoubogkH1xRuNPjl19xQG | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x58a000 GetProcAddress
0x58a004 RtlMoveMemory
0x58a008 GetModuleHandleW
0x58a00c WriteFile
0x58a010 RtlFillMemory
MSVBVM60.DLL
0x58a018 __vbaVarSub
0x58a01c __vbaStrI2
0x58a020 _CIcos
0x58a024 _adj_fptan
0x58a028 __vbaVarMove
0x58a02c __vbaStrI4
0x58a030 __vbaVarVargNofree
0x58a034 __vbaFreeVar
0x58a038 __vbaAryMove
0x58a03c __vbaStrVarMove
0x58a040 __vbaLenBstr
0x58a044 __vbaFreeVarList
0x58a048 _adj_fdiv_m64
0x58a04c None
0x58a050 __vbaFreeObjList
0x58a054 __vbaStrErrVarCopy
0x58a058 _adj_fprem1
0x58a05c __vbaStrCat
0x58a060 __vbaSetSystemError
0x58a064 __vbaHresultCheckObj
0x58a068 __vbaLenVar
0x58a06c _adj_fdiv_m32
0x58a070 __vbaAryDestruct
0x58a074 __vbaObjSet
0x58a078 None
0x58a07c _adj_fdiv_m16i
0x58a080 __vbaObjSetAddref
0x58a084 _adj_fdivr_m16i
0x58a088 __vbaVarTstLt
0x58a08c __vbaRefVarAry
0x58a090 __vbaBoolVarNull
0x58a094 _CIsin
0x58a098 None
0x58a09c __vbaChkstk
0x58a0a0 EVENT_SINK_AddRef
0x58a0a4 None
0x58a0a8 None
0x58a0ac __vbaVarLikeVar
0x58a0b0 DllFunctionCall
0x58a0b4 _adj_fpatan
0x58a0b8 __vbaRedim
0x58a0bc EVENT_SINK_Release
0x58a0c0 __vbaNew
0x58a0c4 _CIsqrt
0x58a0c8 EVENT_SINK_QueryInterface
0x58a0cc __vbaStr2Vec
0x58a0d0 __vbaExceptHandler
0x58a0d4 __vbaStrToUnicode
0x58a0d8 _adj_fprem
0x58a0dc _adj_fdivr_m64
0x58a0e0 None
0x58a0e4 __vbaFPException
0x58a0e8 None
0x58a0ec __vbaStrVarVal
0x58a0f0 __vbaUbound
0x58a0f4 __vbaVarCat
0x58a0f8 None
0x58a0fc _CIlog
0x58a100 __vbaNew2
0x58a104 __vbaR8Str
0x58a108 _adj_fdiv_m32i
0x58a10c _adj_fdivr_m32i
0x58a110 __vbaStrCopy
0x58a114 __vbaI4Str
0x58a118 __vbaFreeStrList
0x58a11c _adj_fdivr_m32
0x58a120 _adj_fdiv_r
0x58a124 None
0x58a128 __vbaI4Var
0x58a12c __vbaAryLock
0x58a130 __vbaVarAdd
0x58a134 __vbaStrToAnsi
0x58a138 __vbaVarDup
0x58a13c __vbaVarCopy
0x58a140 None
0x58a144 _CIatan
0x58a148 __vbaStrMove
0x58a14c __vbaCastObj
0x58a150 __vbaAryCopy
0x58a154 _allmul
0x58a158 _CItan
0x58a15c __vbaAryUnlock
0x58a160 None
0x58a164 _CIexp
0x58a168 __vbaFreeStr
0x58a16c __vbaFreeObj
EAT(Export Address Table) is none
KERNEL32.DLL
0x58a000 GetProcAddress
0x58a004 RtlMoveMemory
0x58a008 GetModuleHandleW
0x58a00c WriteFile
0x58a010 RtlFillMemory
MSVBVM60.DLL
0x58a018 __vbaVarSub
0x58a01c __vbaStrI2
0x58a020 _CIcos
0x58a024 _adj_fptan
0x58a028 __vbaVarMove
0x58a02c __vbaStrI4
0x58a030 __vbaVarVargNofree
0x58a034 __vbaFreeVar
0x58a038 __vbaAryMove
0x58a03c __vbaStrVarMove
0x58a040 __vbaLenBstr
0x58a044 __vbaFreeVarList
0x58a048 _adj_fdiv_m64
0x58a04c None
0x58a050 __vbaFreeObjList
0x58a054 __vbaStrErrVarCopy
0x58a058 _adj_fprem1
0x58a05c __vbaStrCat
0x58a060 __vbaSetSystemError
0x58a064 __vbaHresultCheckObj
0x58a068 __vbaLenVar
0x58a06c _adj_fdiv_m32
0x58a070 __vbaAryDestruct
0x58a074 __vbaObjSet
0x58a078 None
0x58a07c _adj_fdiv_m16i
0x58a080 __vbaObjSetAddref
0x58a084 _adj_fdivr_m16i
0x58a088 __vbaVarTstLt
0x58a08c __vbaRefVarAry
0x58a090 __vbaBoolVarNull
0x58a094 _CIsin
0x58a098 None
0x58a09c __vbaChkstk
0x58a0a0 EVENT_SINK_AddRef
0x58a0a4 None
0x58a0a8 None
0x58a0ac __vbaVarLikeVar
0x58a0b0 DllFunctionCall
0x58a0b4 _adj_fpatan
0x58a0b8 __vbaRedim
0x58a0bc EVENT_SINK_Release
0x58a0c0 __vbaNew
0x58a0c4 _CIsqrt
0x58a0c8 EVENT_SINK_QueryInterface
0x58a0cc __vbaStr2Vec
0x58a0d0 __vbaExceptHandler
0x58a0d4 __vbaStrToUnicode
0x58a0d8 _adj_fprem
0x58a0dc _adj_fdivr_m64
0x58a0e0 None
0x58a0e4 __vbaFPException
0x58a0e8 None
0x58a0ec __vbaStrVarVal
0x58a0f0 __vbaUbound
0x58a0f4 __vbaVarCat
0x58a0f8 None
0x58a0fc _CIlog
0x58a100 __vbaNew2
0x58a104 __vbaR8Str
0x58a108 _adj_fdiv_m32i
0x58a10c _adj_fdivr_m32i
0x58a110 __vbaStrCopy
0x58a114 __vbaI4Str
0x58a118 __vbaFreeStrList
0x58a11c _adj_fdivr_m32
0x58a120 _adj_fdiv_r
0x58a124 None
0x58a128 __vbaI4Var
0x58a12c __vbaAryLock
0x58a130 __vbaVarAdd
0x58a134 __vbaStrToAnsi
0x58a138 __vbaVarDup
0x58a13c __vbaVarCopy
0x58a140 None
0x58a144 _CIatan
0x58a148 __vbaStrMove
0x58a14c __vbaCastObj
0x58a150 __vbaAryCopy
0x58a154 _allmul
0x58a158 _CItan
0x58a15c __vbaAryUnlock
0x58a160 None
0x58a164 _CIexp
0x58a168 __vbaFreeStr
0x58a16c __vbaFreeObj
EAT(Export Address Table) is none