ScreenShot
| Created | 2021.06.25 00:07 | Machine | s1_win7_x6401 |
| Filename | e9S | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 045cd8a6189dd15ad2b8e394f19b32f6 | ||
| sha256 | 702939d19fe783284ba1e80a33490caf3623a248a6de5c933a34bca17d01f5b8 | ||
| ssdeep | 196608:R1p0qUlrB8q6W1QmXZTkFkUpmKtX4vGoO85zxkGrs:Rf0ZlsuNZW2vw8Jps | ||
| imphash | 48cd2b97625a4aac7986ed6903d0a57c | ||
| impfuzzy | 12:om/4J5ABZG/DzpLTgup3Ex0+DbLGbtITQQnd3mxCMXnvc:F/4C+DFPpJExtDbLGbtI2kWvc | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| watch | Creates known Bancos Banking Trojan files |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | The executable uses a known packer |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
advapi32.dll
0x1dbc484 RegEnumKeyW
comctl32.dll
0x1dbc48c ImageList_Add
comdlg32.dll
0x1dbc494 PrintDlgW
d3d9.dll
0x1dbc49c Direct3DCreate9
gdi32.dll
0x1dbc4a4 Pie
KERNEL32.DLL
0x1dbc4ac LoadLibraryA
0x1dbc4b0 ExitProcess
0x1dbc4b4 GetProcAddress
0x1dbc4b8 VirtualProtect
mpr.dll
0x1dbc4c0 WNetCloseEnum
msvcrt.dll
0x1dbc4c8 log
netapi32.dll
0x1dbc4d0 NetWkstaGetInfo
ole32.dll
0x1dbc4d8 OleDraw
oleacc.dll
0x1dbc4e0 LresultFromObject
oleaut32.dll
0x1dbc4e8 VariantInit
PSAPI.dll
0x1dbc4f0 GetProcessImageFileNameW
shell32.dll
0x1dbc4f8 DragFinish
SHFolder.dll
0x1dbc500 SHGetFolderPathW
user32.dll
0x1dbc508 GetDC
version.dll
0x1dbc510 VerQueryValueW
wininet.dll
0x1dbc518 FtpOpenFileW
winmm.dll
0x1dbc520 timeGetTime
winspool.drv
0x1dbc528 GetPrinterW
wtsapi32.dll
0x1dbc530 WTSFreeMemory
EAT(Export Address Table) is none
advapi32.dll
0x1dbc484 RegEnumKeyW
comctl32.dll
0x1dbc48c ImageList_Add
comdlg32.dll
0x1dbc494 PrintDlgW
d3d9.dll
0x1dbc49c Direct3DCreate9
gdi32.dll
0x1dbc4a4 Pie
KERNEL32.DLL
0x1dbc4ac LoadLibraryA
0x1dbc4b0 ExitProcess
0x1dbc4b4 GetProcAddress
0x1dbc4b8 VirtualProtect
mpr.dll
0x1dbc4c0 WNetCloseEnum
msvcrt.dll
0x1dbc4c8 log
netapi32.dll
0x1dbc4d0 NetWkstaGetInfo
ole32.dll
0x1dbc4d8 OleDraw
oleacc.dll
0x1dbc4e0 LresultFromObject
oleaut32.dll
0x1dbc4e8 VariantInit
PSAPI.dll
0x1dbc4f0 GetProcessImageFileNameW
shell32.dll
0x1dbc4f8 DragFinish
SHFolder.dll
0x1dbc500 SHGetFolderPathW
user32.dll
0x1dbc508 GetDC
version.dll
0x1dbc510 VerQueryValueW
wininet.dll
0x1dbc518 FtpOpenFileW
winmm.dll
0x1dbc520 timeGetTime
winspool.drv
0x1dbc528 GetPrinterW
wtsapi32.dll
0x1dbc530 WTSFreeMemory
EAT(Export Address Table) is none