ScreenShot
| Created | 2021.06.24 22:58 | Machine | s1_win7_x6402 |
| Filename | 1234.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 24 detected (Bulz, Unsafe, Wacapew, malicious, FileRepMalware, TrojanVeil, AGEN, score, Artemis, ai score=86, R002H09FI21, PossibleThreat) | ||
| md5 | 9615ab661d92bbc4b3fda0fe3739ade7 | ||
| sha256 | 94f593a07ee9a5168450fd8a67825cca582cfcb890cc758cc651550e46894e92 | ||
| ssdeep | 196608:v1oLBo8ywTbUGxa19aD0sSegGl31O301+:eB9xUfaDyGlF | ||
| imphash | 1cd364a9e949d5ecebd6c614e64bc545 | ||
| impfuzzy | 12:5ObVj7NkOREXPXJHeOAThTAqAGIR6kW0mDruMzTZGHrYXOeUP:UbVjhkO+VuTdLS6kNmDruMztir6UP | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects the presence of Wine emulator |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
kernel32.dll
0xb33020 WriteFile
0xb33028 WriteConsoleW
0xb33030 WaitForMultipleObjects
0xb33038 WaitForSingleObject
0xb33040 VirtualQuery
0xb33048 VirtualFree
0xb33050 VirtualAlloc
0xb33058 SwitchToThread
0xb33060 SetWaitableTimer
0xb33068 SetUnhandledExceptionFilter
0xb33070 SetProcessPriorityBoost
0xb33078 SetEvent
0xb33080 SetErrorMode
0xb33088 SetConsoleCtrlHandler
0xb33090 LoadLibraryA
0xb33098 LoadLibraryW
0xb330a0 GetSystemInfo
0xb330a8 GetSystemDirectoryA
0xb330b0 GetStdHandle
0xb330b8 GetQueuedCompletionStatus
0xb330c0 GetProcessAffinityMask
0xb330c8 GetProcAddress
0xb330d0 GetEnvironmentStringsW
0xb330d8 GetConsoleMode
0xb330e0 FreeEnvironmentStringsW
0xb330e8 ExitProcess
0xb330f0 DuplicateHandle
0xb330f8 CreateThread
0xb33100 CreateIoCompletionPort
0xb33108 CreateEventA
0xb33110 CloseHandle
0xb33118 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0xb33020 WriteFile
0xb33028 WriteConsoleW
0xb33030 WaitForMultipleObjects
0xb33038 WaitForSingleObject
0xb33040 VirtualQuery
0xb33048 VirtualFree
0xb33050 VirtualAlloc
0xb33058 SwitchToThread
0xb33060 SetWaitableTimer
0xb33068 SetUnhandledExceptionFilter
0xb33070 SetProcessPriorityBoost
0xb33078 SetEvent
0xb33080 SetErrorMode
0xb33088 SetConsoleCtrlHandler
0xb33090 LoadLibraryA
0xb33098 LoadLibraryW
0xb330a0 GetSystemInfo
0xb330a8 GetSystemDirectoryA
0xb330b0 GetStdHandle
0xb330b8 GetQueuedCompletionStatus
0xb330c0 GetProcessAffinityMask
0xb330c8 GetProcAddress
0xb330d0 GetEnvironmentStringsW
0xb330d8 GetConsoleMode
0xb330e0 FreeEnvironmentStringsW
0xb330e8 ExitProcess
0xb330f0 DuplicateHandle
0xb330f8 CreateThread
0xb33100 CreateIoCompletionPort
0xb33108 CreateEventA
0xb33110 CloseHandle
0xb33118 AddVectoredExceptionHandler
EAT(Export Address Table) is none