Field | Value |
---|---|
Created | 2021.06.25 14:37 |
Machine | s1_win7_x6402 |
Filename | 08018.HOME |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 42 detected (AIDetect, malware1, malicious, high confidence, Siggen13, GenericKD, Generic Exploit, Unsafe, achb, confidence, 100%, ZexaF, FG0@aKdRytaj, CAFO, Attribute, HighConfidence, R01FC0PFK21, AutoitDropper, Static AI, Suspicious PE, ai score=84, Caynamer, score, Malpacked3, BScope, Generic@ML, RDML, Qesq9yqSE7DCRrrZF0s68g, PossibleThreat, PALLAS, susgen) |
md5 | a44a654c5d0f1673322f3ccdaffcaaca |
sha256 | 352c79c680d2c4f465128040357b366bb52eaa7cf220a253dbf3362a47bc2982 |
ssdeep | 12288:bRBM/siiYMqReP+58lxwxW7l17l8rslOTQ/q7l4Npl:bR1YM+ePBlxwcYr9TIq63l |
imphash | 555dcc440c1351e0b99a7601cce6c4fc |
impfuzzy | 12:hFA2eNBBoh3EQ+VTQQLTnrVKOQEEKxh/TAcDzUwD3:HA2eTBkEQmnBheSFHDQwL |
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to disable browser security warnings |
watch | Attempts to modify browser security settings |
watch | Communicates with host for which no DNS query was performed |
watch | Expresses interest in specific running processes |
watch | Modifies proxy autoconfiguration settings possibly for traffic interception |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Foreign language identified in PE resource |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | ASPack_Zero | ASPack packed file | binaries (upload) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x554f8c FindNextFileW
USER32.dll
0x53eb94 FindWindowExW
ADVAPI32.dll
0x5400d2 SetSecurityDescriptorDacl
ole32.dll
0x55355d StgCreateDocfile
SHELL32.dll
0x55607f SHGetSpecialFolderPathW
OLEAUT32.dll
0x55406f VariantClear
SHLWAPI.dll
0x53e52e SHSetValueA
VERSION.dll
0x54116c VerQueryValueW
WININET.dll
0x5407d2 InternetCrackUrlW
PSAPI.DLL
0x552418 GetModuleFileNameExW
WS2_32.dll
0x50db6c htons
HTTPAPI.dll
0x53d29f HttpRemoveUrl
GDI32.dll
0x55314c GetObjectW
gdiplus.dll
0x55320a GdipGetImageEncoders
IPHLPAPI.DLL
0x5563d6 GetAdaptersInfo
RPCRT4.dll
0x551fa0 UuidCreateSequential
KERNEL32.dll
0x552b9e GetModuleHandleA
0x552ba2 GetProcAddress
0x552ba6 VirtualProtect
USER32.dll
0x5520a5 MessageBoxA
EAT (Export Address Table) Library
0x412f82 d10000