Field | Value
---|---
Created | 2021.06.29 10:42
Machine | s1_win7_x6401
Filename | 97e6dac4.exe
Type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : clean
VT API (file) | 56 detected (malicious, high confidence, DownLoader40, Doina, Stantinko, Unsafe, Save, confidence, 100%, NOPC, TrojanX, gjwx, iwcpys, kYXw, Efky, Malware@#bsi9vm83cw79, FETNILTER, ejntd, ai score=83, ASMalwS, kcloud, Retliften, score, NetFilter, CLASSIC, HtkSy, PossibleThreat, susgen)
md5 | 8bf00ef4dd6bb308c76849901b03ccbd
sha256 | a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4
ssdeep | 192:oCaQ3qaG3GO/pfg9m3CJ3Mc+YeZBkvmKI7H:o5Nt/Vg9m3CJ3qZ0jI7
imphash | 7e3bbc4aa48a3d61a7b995aba939311c
impfuzzy | 6:dBJAEHGDfj77AUAajVOarOZETO4Emyf5XnlJ8iPEcJA0IpJqhQJrEkH5XD4sIWG:VA/Dfj7dObdJmiJltPXJuJq+JX5zy
Signatures (11)

Level | Description
---|---
danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious
warning | Stops Windows services
watch | Communicates with host for which no DNS query was performed
watch | Installs itself for autorun at Windows startup
watch | Loads a driver
watch | Resumed a suspended thread in a remote process, potentially indicative of process injection
notice | A process created a hidden window
notice | An executable file was downloaded by the process 97e6dac4.exe
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice | Yara rule detected in process memory
info | Command line console output was observed
Rules (15)

Level | Name | Description | Collection
---|---|---|---
danger | MAL_Netfilter_Dropper_Jun_2021_1 | Detect the dropper of Netfilter rootkit | binaries (download)
danger | MAL_Netfilter_Dropper_Jun_2021_1 | Detect the dropper of Netfilter rootkit | binaries (upload)
info | anti_dbg | Checks if being debugged | memory
info | DebuggerCheck__GlobalFlags | (no description) | memory
info | DebuggerCheck__QueryInfo | (no description) | memory
info | DebuggerException__SetConsoleCtrl | (no description) | memory
info | DebuggerHiding__Active | (no description) | memory
info | DebuggerHiding__Thread | (no description) | memory
info | disable_dep | Bypass DEP | memory
info | IsPE32 | (no description) | binaries (upload)
info | IsPE64 | (no description) | binaries (download)
info | PE_Header_Zero | PE File Signature | binaries (download)
info | PE_Header_Zero | PE File Signature | binaries (upload)
info | SEH__vectored | (no description) | memory
info | ThreadControl__Context | (no description) | memory
Network (2)

Suricata IDs

- ET POLICY PE EXE or DLL Windows file download HTTP
- ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
- ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
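The two Emerging Threats alerts above fire on the same HTTP exchange: a response whose body starts with an MZ header, requested from a Host that is an IPv4 literal rather than a name (which is also why the sandbox notes a connection with no preceding DNS query). The following is an added example, not part of this report and not the Suricata rule text, that reproduces those two conditions in Python over a constructed request/response pair. The sample PE bytes and the IP 198.51.100.7 are invented for the illustration; the PE check here is stricter than the ET rule (it also follows e_lfanew to the "PE\0\0" signature), and it assumes an identity-encoded body, whereas Suricata inspects the normalized file data.

```python
import re
import struct

# Host header value that is an IPv4 literal, optionally with a port.
IPV4_LITERAL = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?$")


def host_is_dotted_quad(request_bytes):
    """True if the HTTP request carries a Host header that is an IPv4 literal."""
    head = request_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return IPV4_LITERAL.match(value.strip()) is not None
    return False


def body_is_pe(response_bytes):
    """True if the response body is a PE image: 'MZ' at offset 0 and
    e_lfanew (offset 0x3C) pointing at the 'PE\\0\\0' signature."""
    _, _, body = response_bytes.partition(b"\r\n\r\n")
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(request_bytes, response_bytes):
    """Return the alert names (shortened) that the exchange would trigger."""
    alerts = []
    if body_is_pe(response_bytes):
        alerts.append("PE EXE or DLL Windows file download HTTP")
        if host_is_dotted_quad(request_bytes):
            alerts.append("Dotted Quad Host MZ Response")
    return alerts


def _fake_pe():
    """Constructed minimal PE-looking blob: MZ stub, e_lfanew=0x40, PE signature,
    machine=0x014C (i386). Not a real executable."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 16


# Constructed sample traffic (hypothetical host and path).
SAMPLE_REQUEST = (b"GET /drv.bin HTTP/1.1\r\n"
                  b"Host: 198.51.100.7\r\n"
                  b"User-Agent: Mozilla/4.0\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: application/octet-stream\r\n\r\n" + _fake_pe())

if __name__ == "__main__":
    print(classify(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Running the block on the constructed exchange reports both conditions; swapping the Host header for a DNS name leaves only the generic PE-download condition, which is the distinction between the POLICY and HUNTING alerts in the list above.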
PE API

IAT (Import Address Table)

kernel32.dll

Address | Function
---|---
0x4034bc | LoadLibraryA
0x4034c0 | GetProcAddress
0x4034c4 | WaitForSingleObject
0x4034c8 | CreateFileA
0x4034cc | WriteFile
0x4034d0 | CloseHandle
0x4034d4 | WideCharToMultiByte
0x4034d8 | Sleep
0x4034dc | DeleteFileA
0x4034e0 | GetCurrentProcess
0x4034e4 | TerminateProcess
0x4034e8 | GetModuleHandleA
0x4034ec | GetFileAttributesExA
0x4034f0 | lstrlenW
0x4034f4 | GetProcessHeap
0x4034f8 | HeapAlloc
0x4034fc | GetLastError
0x403500 | HeapFree
0x403504 | SetUnhandledExceptionFilter

msvcrt.dll

Address | Function
---|---
0x40350c | memset
0x403510 | strlen
0x403514 | wcslen
0x403518 | malloc
0x40351c | strcmp
0x403520 | free
0x403524 | strstr
0x403528 | memcpy
0x40352c | _controlfp
0x403530 | __set_app_type
0x403534 | __getmainargs
0x403538 | exit

EAT (Export Address Table): none
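The imphash in the header table is derived from exactly this import listing: pefile computes it as the MD5 of the lowercase "library.function" pairs, in import-directory order, joined by commas, with the .dll/.sys/.ocx extension stripped. The script below is an added example (not part of the sandbox's own tooling) that parses the listing as printed above and recomputes the hash, so an analyst can check that the listing is complete and in the right order: a match against 7e3bbc4aa48a3d61a7b995aba939311c confirms it, while a mismatch means the listing was truncated, reordered, or contains an import by ordinal that the report resolved to a name. Whether it matches is left to the run; nothing here assumes it does.

```python
import hashlib
import re

# Import listing copied from the report above (31 imports, IAT order).
REPORT_IAT = """
kernel32.dll
0x4034bc LoadLibraryA
0x4034c0 GetProcAddress
0x4034c4 WaitForSingleObject
0x4034c8 CreateFileA
0x4034cc WriteFile
0x4034d0 CloseHandle
0x4034d4 WideCharToMultiByte
0x4034d8 Sleep
0x4034dc DeleteFileA
0x4034e0 GetCurrentProcess
0x4034e4 TerminateProcess
0x4034e8 GetModuleHandleA
0x4034ec GetFileAttributesExA
0x4034f0 lstrlenW
0x4034f4 GetProcessHeap
0x4034f8 HeapAlloc
0x4034fc GetLastError
0x403500 HeapFree
0x403504 SetUnhandledExceptionFilter
msvcrt.dll
0x40350c memset
0x403510 strlen
0x403514 wcslen
0x403518 malloc
0x40351c strcmp
0x403520 free
0x403524 strstr
0x403528 memcpy
0x40352c _controlfp
0x403530 __set_app_type
0x403534 __getmainargs
0x403538 exit
"""

REPORTED_IMPHASH = "7e3bbc4aa48a3d61a7b995aba939311c"

_ENTRY = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat_listing(text):
    """Turn the report's IAT dump into [(dll, function), ...] in listing order.
    A line without an address is taken as the start of a new library block."""
    imports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if m:
            if current is None:
                raise ValueError("import before any library name: %r" % line)
            imports.append((current, m.group(1)))
        else:
            current = line
    return imports


def import_string(imports):
    """Build the canonical pefile imphash input: 'lib.func' pairs, lowercased,
    extension stripped, comma-joined."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        parts.append("%s.%s" % (lib, func.lower()))
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string (pefile's get_imphash())."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def check_report(text=REPORT_IAT, reported=REPORTED_IMPHASH):
    """Recompute the imphash from a listing and compare to the reported value."""
    imports = parse_iat_listing(text)
    computed = imphash(imports)
    return {"imports": len(imports), "computed": computed,
            "reported": reported, "match": computed == reported}


if __name__ == "__main__":
    print(check_report())
```

The same function works on any sandbox IAT dump in this format, which makes it a quick way to cluster samples by import profile when only the report text, not the binary, is available.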