ScreenShot
| Created | 2021.06.25 15:19 | Machine | s1_win7_x6402 |
| Filename | loader_v.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 31 detected (GenericKD, Bobik, Artemis, Save, malicious, confidence, 100%, Static AI, Suspicious PE, susgen, ai score=89, Wacapew, score, PossibleThreat, PALLAS) | ||
| md5 | 6463f298a5906133c8bf1b375ad3d5be | ||
| sha256 | fafd3207bf267790beea5a8b0c1f0af421933e20938f6b644459704c5cd3dbf7 | ||
| ssdeep | 196608:ss5dOrrONRuMMrkNwEs1sPY8ue5D6jBk6:sqdaONw9/10JD69 | ||
| imphash | e79f923df3693782fa7210e948279324 | ||
| impfuzzy | 12:9OzA0lLKz1iRtw3CXD4DvvfjnwfP9qZGoQtXJxZGb9AJcDfA5kLfP9m:9OzA0lLKz12twUEnjwaQtXJHc9NDI5Q8 | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1406c9000 DeleteFileW
USER32.dll
0x1406c9010 RegisterClassW
GDI32.dll
0x1406c9020 BitBlt
ADVAPI32.dll
0x1406c9030 RegDeleteValueW
SHELL32.dll
0x1406c9040 SHGetFolderPathA
ole32.dll
0x1406c9050 CoCreateGuid
gdiplus.dll
0x1406c9060 GdipSaveImageToFile
SHLWAPI.dll
0x1406c9070 PathFileExistsW
COMCTL32.dll
0x1406c9080 None
WS2_32.dll
0x1406c9090 WSACleanup
ntdll.dll
0x1406c90a0 RtlLookupFunctionEntry
WTSAPI32.dll
0x1406c90b0 WTSSendMessageW
KERNEL32.dll
0x1406c90c0 GetSystemTimeAsFileTime
USER32.dll
0x1406c90d0 GetUserObjectInformationW
KERNEL32.dll
0x1406c90e0 LocalAlloc
0x1406c90e8 LocalFree
0x1406c90f0 GetModuleFileNameW
0x1406c90f8 GetProcessAffinityMask
0x1406c9100 SetProcessAffinityMask
0x1406c9108 SetThreadAffinityMask
0x1406c9110 Sleep
0x1406c9118 ExitProcess
0x1406c9120 FreeLibrary
0x1406c9128 LoadLibraryA
0x1406c9130 GetModuleHandleA
0x1406c9138 GetProcAddress
USER32.dll
0x1406c9148 GetProcessWindowStation
0x1406c9150 GetUserObjectInformationW
EAT(Export Address Table) Library
KERNEL32.dll
0x1406c9000 DeleteFileW
USER32.dll
0x1406c9010 RegisterClassW
GDI32.dll
0x1406c9020 BitBlt
ADVAPI32.dll
0x1406c9030 RegDeleteValueW
SHELL32.dll
0x1406c9040 SHGetFolderPathA
ole32.dll
0x1406c9050 CoCreateGuid
gdiplus.dll
0x1406c9060 GdipSaveImageToFile
SHLWAPI.dll
0x1406c9070 PathFileExistsW
COMCTL32.dll
0x1406c9080 None
WS2_32.dll
0x1406c9090 WSACleanup
ntdll.dll
0x1406c90a0 RtlLookupFunctionEntry
WTSAPI32.dll
0x1406c90b0 WTSSendMessageW
KERNEL32.dll
0x1406c90c0 GetSystemTimeAsFileTime
USER32.dll
0x1406c90d0 GetUserObjectInformationW
KERNEL32.dll
0x1406c90e0 LocalAlloc
0x1406c90e8 LocalFree
0x1406c90f0 GetModuleFileNameW
0x1406c90f8 GetProcessAffinityMask
0x1406c9100 SetProcessAffinityMask
0x1406c9108 SetThreadAffinityMask
0x1406c9110 Sleep
0x1406c9118 ExitProcess
0x1406c9120 FreeLibrary
0x1406c9128 LoadLibraryA
0x1406c9130 GetModuleHandleA
0x1406c9138 GetProcAddress
USER32.dll
0x1406c9148 GetProcessWindowStation
0x1406c9150 GetUserObjectInformationW
EAT(Export Address Table) Library