Field | Value |
---|---|
Created | 2021.06.25 09:38 |
Machine | s1_win7_x6402 |
Filename | 2022c578cf7429b85615d4819d161edc.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
ZERO API | file : clean |
VT API (file) | 47 detected (malicious, high confidence, Inject4, GenericKD, Unsafe, Save, Zenlod, OAML, Attribute, HighConfidence, DropperX, Generic ML PUA, Malware@#1w0ix92xqhrt4, R06BC0WFL21, susgen, jwrep, ASMalwS, kcloud, Azorult, score, R426623, ai score=99, PossibleThreat) |
md5 | 41c69a7f93fbe7edc44fd1b09795fa67 |
sha256 | 8b720f6963165f9aca1600e2e3efb04a7162014d0d738fb7f8b9872019f49bd5 |
ssdeep | 12288:Umn1vBXNJl0P3ZbcCAjqH0d5i+qUH6wyZQMvvdgMiCiT:n1vJNJla39cGH0dg7sOlQCiT |
imphash | a044253673528dd98a9dd008f2a6b058 |
impfuzzy | 24:V0DWMU1tMS1hGhlJnc+pl39boEOovbOuHhZHuQ4vNAKvwxA:3tMS1hG5c+ppFc3OqNAKcA |
Signature (20cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Communicates with host for which no DNS query was performed |
watch | Creates or sets a registry key to a long series of bytes |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a shortcut to an executable file |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (10cnts)
Suricata ids
ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
ET POLICY External IP Lookup ip-api.com
ET POLICY External IP Lookup ip-api.com
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40d000 LoadLibraryA
0x40d004 GetProcAddress
0x40d008 DecodePointer
0x40d00c WriteConsoleW
0x40d010 SetFilePointerEx
0x40d014 GetConsoleMode
0x40d018 GetConsoleCP
0x40d01c UnhandledExceptionFilter
0x40d020 SetUnhandledExceptionFilter
0x40d024 GetCurrentProcess
0x40d028 TerminateProcess
0x40d02c IsProcessorFeaturePresent
0x40d030 QueryPerformanceCounter
0x40d034 GetCurrentProcessId
0x40d038 GetCurrentThreadId
0x40d03c GetSystemTimeAsFileTime
0x40d040 InitializeSListHead
0x40d044 IsDebuggerPresent
0x40d048 GetStartupInfoW
0x40d04c GetModuleHandleW
0x40d050 RaiseException
0x40d054 RtlUnwind
0x40d058 GetLastError
0x40d05c SetLastError
0x40d060 EnterCriticalSection
0x40d064 LeaveCriticalSection
0x40d068 DeleteCriticalSection
0x40d06c InitializeCriticalSectionAndSpinCount
0x40d070 TlsAlloc
0x40d074 TlsGetValue
0x40d078 TlsSetValue
0x40d07c TlsFree
0x40d080 FreeLibrary
0x40d084 LoadLibraryExW
0x40d088 GetStdHandle
0x40d08c WriteFile
0x40d090 GetModuleFileNameA
0x40d094 MultiByteToWideChar
0x40d098 WideCharToMultiByte
0x40d09c ExitProcess
0x40d0a0 GetModuleHandleExW
0x40d0a4 GetCommandLineA
0x40d0a8 GetCommandLineW
0x40d0ac GetACP
0x40d0b0 HeapFree
0x40d0b4 HeapAlloc
0x40d0b8 CloseHandle
0x40d0bc FindClose
0x40d0c0 FindFirstFileExA
0x40d0c4 FindNextFileA
0x40d0c8 IsValidCodePage
0x40d0cc GetOEMCP
0x40d0d0 GetCPInfo
0x40d0d4 GetEnvironmentStringsW
0x40d0d8 FreeEnvironmentStringsW
0x40d0dc SetEnvironmentVariableA
0x40d0e0 CompareStringW
0x40d0e4 LCMapStringW
0x40d0e8 SetStdHandle
0x40d0ec GetFileType
0x40d0f0 GetStringTypeW
0x40d0f4 GetProcessHeap
0x40d0f8 HeapSize
0x40d0fc HeapReAlloc
0x40d100 FlushFileBuffers
0x40d104 CreateFileW
USER32.dll
0x40d10c wsprintfW
ole32.dll
0x40d114 CoInitialize
0x40d118 CoUninitialize
0x40d11c CoCreateInstance
EAT(Export Address Table) is none