ScreenShot
| Created | 2021.06.24 18:56 | Machine | s1_win7_x6402 |
| Filename | download.php | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 15 detected (AIDetect, malware1, Unsafe, Malicious, aqscn, Wacapew, MulDrop, JpE4mAkYxXE, Gendal, susgen, confidence) | ||
| md5 | e26b7bc94aac86c0faef0ed54aaa4461 | ||
| sha256 | cc095322275f33b13f9ab3c36cd1e54a315c6f6def3991b05922caf6b1146a05 | ||
| ssdeep | 768:gpXblTxujWdn9jg6+xcDxXhQ3m2/3VHS7QW6x8deVsqE6PS5Vxdw8n/:gpp06dii9W33vo7Q+jq7a5bdL/ | ||
| imphash | 24ad104a00688625f1c866ec954ed33f | ||
| impfuzzy | 6:HGDmErBJAEcXQdoJpZ1VHxAmnugXKSNsYb/o0YbxD:mDzjA9A+pZ1ndugXPNsrJ | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | File has been identified by 15 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x419f5c GetProcAddress
0x419f60 GetModuleHandleA
0x419f64 LoadLibraryA
user32.dll
0x41a094 GetKeyboardType
advapi32.dll
0x41a09c RegQueryValueExA
oleaut32.dll
0x41a0a4 SysFreeString
user32.dll
0x41a0ac TranslateMessage
shell32.dll
0x41a0b4 SHGetPathFromIDListA
shell32.dll
0x41a0bc SHGetFileInfoA
EAT(Export Address Table) is none
kernel32.dll
0x419f5c GetProcAddress
0x419f60 GetModuleHandleA
0x419f64 LoadLibraryA
user32.dll
0x41a094 GetKeyboardType
advapi32.dll
0x41a09c RegQueryValueExA
oleaut32.dll
0x41a0a4 SysFreeString
user32.dll
0x41a0ac TranslateMessage
shell32.dll
0x41a0b4 SHGetPathFromIDListA
shell32.dll
0x41a0bc SHGetFileInfoA
EAT(Export Address Table) is none