ScreenShot
| Created | 2021.06.24 20:35 | Machine | s1_win7_x6402 |
| Filename | partsoffer.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 20 detected (GenericKD, Artemis, gwuym, ai score=80, ASMalwS, TScope, Delf, GenAsa, O5kSGRR64q8, Unsafe, Score) | ||
| md5 | e15787ea22a793ff3c4d414c18234fec | ||
| sha256 | e2d41e6fae54525411887f8bad539d96f36a7668304bd60011bd1b9532bc325e | ||
| ssdeep | 24576:GqZaXhzKHU2yQcD8+9Wu7I39dZymxNvUt8FPV18t4Bm7xc2EBKfQOemYe:Gq8oU2WDMT39dgcNv/F918+BIxc2IKfS | ||
| imphash | 7eb888f70bc151dc8035311fb5fbfe26 | ||
| impfuzzy | 12:mDzjA9A+pZ1nd6wugiTf1ElfGZuCoDPTX0Ks1FG0xWAtn:mDnWA+pZ1swu/Et2RWb50WAtn | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x8f7f5c GetProcAddress
0x8f7f60 GetModuleHandleA
0x8f7f64 LoadLibraryA
user32.dll
0x8f8271 GetKeyboardType
advapi32.dll
0x8f8279 RegQueryValueExA
oleaut32.dll
0x8f8281 SysFreeString
advapi32.dll
0x8f8289 RegSetValueExA
mpr.dll
0x8f8291 WNetGetConnectionA
version.dll
0x8f8299 VerQueryValueA
gdi32.dll
0x8f82a1 UnrealizeObject
user32.dll
0x8f82a9 CreateWindowExA
shell32.dll
0x8f82b1 ShellExecuteExA
ole32.dll
0x8f82b9 CreateStreamOnHGlobal
oleaut32.dll
0x8f82c1 GetErrorInfo
comctl32.dll
0x8f82c9 FlatSB_SetScrollPos
urlmon.dll
0x8f82d1 CoInternetCreateZoneManager
shell32.dll
0x8f82d9 SHGetSpecialFolderLocation
comdlg32.dll
0x8f82e1 PrintDlgA
winspool.drv
0x8f82e9 WritePrinter
oleaut32.dll
0x8f82f1 SafeArrayPtrOfIndex
wsock32.dll
0x8f82f9 WSACleanup
advapi32.dll
0x8f8301 QueryServiceStatus
iphlpapi.dll
0x8f8309 GetAdaptersInfo
winmm.dll
0x8f8311 mciSendCommandA
EAT(Export Address Table) is none
kernel32.dll
0x8f7f5c GetProcAddress
0x8f7f60 GetModuleHandleA
0x8f7f64 LoadLibraryA
user32.dll
0x8f8271 GetKeyboardType
advapi32.dll
0x8f8279 RegQueryValueExA
oleaut32.dll
0x8f8281 SysFreeString
advapi32.dll
0x8f8289 RegSetValueExA
mpr.dll
0x8f8291 WNetGetConnectionA
version.dll
0x8f8299 VerQueryValueA
gdi32.dll
0x8f82a1 UnrealizeObject
user32.dll
0x8f82a9 CreateWindowExA
shell32.dll
0x8f82b1 ShellExecuteExA
ole32.dll
0x8f82b9 CreateStreamOnHGlobal
oleaut32.dll
0x8f82c1 GetErrorInfo
comctl32.dll
0x8f82c9 FlatSB_SetScrollPos
urlmon.dll
0x8f82d1 CoInternetCreateZoneManager
shell32.dll
0x8f82d9 SHGetSpecialFolderLocation
comdlg32.dll
0x8f82e1 PrintDlgA
winspool.drv
0x8f82e9 WritePrinter
oleaut32.dll
0x8f82f1 SafeArrayPtrOfIndex
wsock32.dll
0x8f82f9 WSACleanup
advapi32.dll
0x8f8301 QueryServiceStatus
iphlpapi.dll
0x8f8309 GetAdaptersInfo
winmm.dll
0x8f8311 mciSendCommandA
EAT(Export Address Table) is none