ScreenShot
Created | 2021.06.29 20:07 | Machine | s1_win7_x6401 |
Filename | waads.bin | ||
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
AI Score | Not founds | Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 59 detected (Gen:Variant.Fugrafa.858, Trojan.Win32.Generic!BT, Trojan.Fugrafa.858, Trojan.Win32.Inject3.horsiq, Trojan.Generic.ftawl, Malware.Win32.Gencirc.10ce3d9a, Gen:Variant.Fugrafa.858 (B), Malicious, Trojan:Win32/Cobaltstrike.MK!MTB, malicious (high confidence), Cobalt-EVTS!72E4F355907B, Trojan.Generic, HEUR:Trojan.Win32.CobaltStrike.gen, Trojan.Win32.Rozena, Trojan ( 005622831 ), TScope.Malware-Cryptor.SB, Trojan/Generic.ASMalwS.30BBA6D, TR/Crypt.XPACK.Gen7, Generic.mg.72e4f355907b6c91, Trojan.TR/Crypt.XPACK.Gen7, Trojan.Malware.300983.susgen, Trojan.Win32.Heur.oa!s1, W32/Diple.G.gen!Eldorado, Trj/GdSda.A, Trojan/W32.Agent.14336.WO, Trojan.Rozena.Win32.99309, Mal/Generic-R + ATK/Cobalt-A, Trojan.Win32.COBALT.SM, Trojan.Win32.Save.a, win/malicious_confidence_100% (W), W32/Generic.AP.118EACE!tr, Malicious (score: 100), Trojan:Win32/Rozena.605bb16b, Trojan.Inject3.2700, a variant of Win32/Rozena.AMZ, Trojan.Win32.Cobalt.14336.J, Win32:Trojan-gen, Trojan.Win32.Sheljector.trJD, Win.Trojan.CobaltStrike-7899872-1, W32.Trojan.Gen, Backdoor.Cobalt, Static AI - Malicious PE, generic.ml, Unsafe, malicious.5907b6, Trojan.GenAsa!/C5jzoNrl5s, Trojan/Win32.CobaltStrike.R329694, Backdoor.CobaltStrike!1.D049 (CLASSIC), malware (ai score=100), Trojan.CobaltStrike) | ||
md5 | 72e4f355907b6c91e6f8508d102bd896 | ||
sha256 | 232a5fe454c9537ddea265d805d1daa8e016b1ed30cd2ebde7feb12f866f5608 | ||
ssdeep | 192:AlH+DgGK83SxHn2OQ/dmBI4KBfTgir+xzARbqUqV/Qjo7AGa:A9+kGKqbOCdWIVBff+xz6fCXAn | ||
imphash | |||
impfuzzy |
Network IP location
Signature (6cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | Network activity contains more than one unique useragent |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
info | Queries for the computername |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |