ScreenShot
| Created | 2021.06.25 15:19 | Machine | s1_win7_x6401 |
| Filename | autoupdate.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 26 detected (Snatch, Unsafe, Wofith, FileRepMalware, DownLoader40, Artemis, Generic PUA FH, ai score=86, kcloud, Wacatac, R002H09FO21, Malicious, Behavior, susgen) | ||
| md5 | 63e32043d2d8713aae718fc11416153b | ||
| sha256 | 32ae83dce97b97caff308dc542e85e89570dc4eb35cdf10a357124300d3a1fe7 | ||
| ssdeep | 393216:VWPx1jpayhjOzsjEvOdlJTdNXhFUbMwc:VWPx1jpaqOzsQvOdlJTLXUD | ||
| imphash | 93a138801d9601e4c36e6274c8b9d111 | ||
| impfuzzy | 24:UbVjhNwO+VuTnvYzoLtXOr6kwmDruMztir6UP:KwO+VIc+XOmG8nP | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
| watch | Detects the presence of Wine emulator |
| watch | Drops a binary and executes it |
| watch | Expresses interest in specific running processes |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Suricata ids
ET USER_AGENTS Go HTTP Client User-Agent
ET INFO Request for EXE via GO HTTP Client
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Inline HTTP
ET INFO Request for EXE via GO HTTP Client
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Inline HTTP
PE API
IAT(Import Address Table) Library
kernel32.dll
0x14d4020 WriteFile
0x14d4028 WriteConsoleW
0x14d4030 WaitForMultipleObjects
0x14d4038 WaitForSingleObject
0x14d4040 VirtualQuery
0x14d4048 VirtualFree
0x14d4050 VirtualAlloc
0x14d4058 SwitchToThread
0x14d4060 SuspendThread
0x14d4068 SetWaitableTimer
0x14d4070 SetUnhandledExceptionFilter
0x14d4078 SetProcessPriorityBoost
0x14d4080 SetEvent
0x14d4088 SetErrorMode
0x14d4090 SetConsoleCtrlHandler
0x14d4098 ResumeThread
0x14d40a0 QueryFullProcessImageNameA
0x14d40a8 ProcessIdToSessionId
0x14d40b0 PostQueuedCompletionStatus
0x14d40b8 OpenProcess
0x14d40c0 LoadLibraryA
0x14d40c8 LoadLibraryW
0x14d40d0 SetThreadContext
0x14d40d8 GetThreadContext
0x14d40e0 GetSystemInfo
0x14d40e8 GetSystemDirectoryA
0x14d40f0 GetStdHandle
0x14d40f8 GetQueuedCompletionStatusEx
0x14d4100 GetProcessAffinityMask
0x14d4108 GetProcAddress
0x14d4110 GetEnvironmentStringsW
0x14d4118 GetConsoleMode
0x14d4120 FreeEnvironmentStringsW
0x14d4128 ExitProcess
0x14d4130 DuplicateHandle
0x14d4138 CreateThread
0x14d4140 CreateIoCompletionPort
0x14d4148 CreateEventA
0x14d4150 CloseHandle
0x14d4158 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x14d4020 WriteFile
0x14d4028 WriteConsoleW
0x14d4030 WaitForMultipleObjects
0x14d4038 WaitForSingleObject
0x14d4040 VirtualQuery
0x14d4048 VirtualFree
0x14d4050 VirtualAlloc
0x14d4058 SwitchToThread
0x14d4060 SuspendThread
0x14d4068 SetWaitableTimer
0x14d4070 SetUnhandledExceptionFilter
0x14d4078 SetProcessPriorityBoost
0x14d4080 SetEvent
0x14d4088 SetErrorMode
0x14d4090 SetConsoleCtrlHandler
0x14d4098 ResumeThread
0x14d40a0 QueryFullProcessImageNameA
0x14d40a8 ProcessIdToSessionId
0x14d40b0 PostQueuedCompletionStatus
0x14d40b8 OpenProcess
0x14d40c0 LoadLibraryA
0x14d40c8 LoadLibraryW
0x14d40d0 SetThreadContext
0x14d40d8 GetThreadContext
0x14d40e0 GetSystemInfo
0x14d40e8 GetSystemDirectoryA
0x14d40f0 GetStdHandle
0x14d40f8 GetQueuedCompletionStatusEx
0x14d4100 GetProcessAffinityMask
0x14d4108 GetProcAddress
0x14d4110 GetEnvironmentStringsW
0x14d4118 GetConsoleMode
0x14d4120 FreeEnvironmentStringsW
0x14d4128 ExitProcess
0x14d4130 DuplicateHandle
0x14d4138 CreateThread
0x14d4140 CreateIoCompletionPort
0x14d4148 CreateEventA
0x14d4150 CloseHandle
0x14d4158 AddVectoredExceptionHandler
EAT(Export Address Table) is none