ScreenShot
| Created | 2021.06.24 18:57 | Machine | s1_win7_x6402 |
| Filename | 4p-desktop.exe | ||
| Type | MS-DOS executable, MZ for MS-DOS | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 32 detected (AIDetect, malware2, FakeAlert, Unsafe, Wacatac, malicious, confidence, Attribute, HighConfidence, FileRepMalware, score, fouaai2Rkbdi, ai score=87, BScope, AutoHK, R002H06FO21, ET#79%, RDMK, cmRtazpb+R4haCvBUFMfk1caOmUG, Static AI, Suspicious PE, susgen) | ||
| md5 | 2020ddf1aac56d939f7ee5af52903258 | ||
| sha256 | 958085c479df4ae7ebbd407dd43f11edcb0fa4677470c819fcaf5df87191b992 | ||
| ssdeep | 49152:UW3Hyg+e2SV47ojGAUkMI5+e2SV47ojGAUkMI9+e2SV47ojGAUkMIS+e2SV47oj9:t3SyvNxvNFvNkvN5vN | ||
| imphash | 48e414e431433a62713440d22abb8343 | ||
| impfuzzy | 6:nERGDmJcLPMeTc5suVMlEtHo468QLWvGmeGtRgKLbBnaZr4BSo:EcDmaL0eTQilWLSLORgCor4BSo | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates an executable file in a user folder |
| watch | One or more of the buffers contains an embedded PE file |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Creates a shortcut to an executable file |
| notice | Creates executable files on the filesystem |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | JPEG_Format_Zero | JPEG Format | binaries (download) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
Network (28cnts) ?
Suricata ids
ET POLICY External IP Lookup (www. netikus .net)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x69f12c GetModuleHandleA
0x69f130 GetProcAddress
WSOCK32.dll
0x69f138 gethostbyname
WINMM.dll
0x69f140 mixerOpen
VERSION.dll
0x69f148 VerQueryValueW
COMCTL32.dll
0x69f150 ImageList_Create
PSAPI.DLL
0x69f158 GetModuleBaseNameW
WININET.dll
0x69f160 InternetOpenW
USER32.dll
0x69f168 GetDC
GDI32.dll
0x69f170 BitBlt
COMDLG32.dll
0x69f178 GetSaveFileNameW
ADVAPI32.dll
0x69f180 RegCloseKey
SHELL32.dll
0x69f188 DragFinish
ole32.dll
0x69f190 CoGetObject
OLEAUT32.dll
0x69f198 SafeArrayGetLBound
EAT(Export Address Table) is none
KERNEL32.DLL
0x69f12c GetModuleHandleA
0x69f130 GetProcAddress
WSOCK32.dll
0x69f138 gethostbyname
WINMM.dll
0x69f140 mixerOpen
VERSION.dll
0x69f148 VerQueryValueW
COMCTL32.dll
0x69f150 ImageList_Create
PSAPI.DLL
0x69f158 GetModuleBaseNameW
WININET.dll
0x69f160 InternetOpenW
USER32.dll
0x69f168 GetDC
GDI32.dll
0x69f170 BitBlt
COMDLG32.dll
0x69f178 GetSaveFileNameW
ADVAPI32.dll
0x69f180 RegCloseKey
SHELL32.dll
0x69f188 DragFinish
ole32.dll
0x69f190 CoGetObject
OLEAUT32.dll
0x69f198 SafeArrayGetLBound
EAT(Export Address Table) is none