ScreenShot
| Created | 2021.07.01 18:09 | Machine | s1_win7_x6401 |
| Filename | WeaponGrand.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 46 detected (AIDetect, malware1, malicious, high confidence, Bulz, Gofot, Unsafe, Save, ZexaF, @F0@amxgdgij, LKNO, Attribute, HighConfidence, a variant of Generik, EBRZWEX, Generic@ML, RDMK, okUlmWh58GnN+FTAdcaxmA, R002C0RFN21, R + Mal, VMProtBad, ai score=89, ASMalwS, kcloud, Tnega, score, TScope, Wrgp, Static AI, Malicious PE, confidence, 100%) | ||
| md5 | db2f659dc03c430d809eff66e99c42f8 | ||
| sha256 | b4949bab111ac8d8e02355953e179e395541d5dfcc23682d60efc7499074018f | ||
| ssdeep | 98304:NFlS9ZuvFerXLR4pHitnG7Nvg/cH7vEoxAC/tewIOjmuCJwmQCQIJb8g:NXogFerF4UtnQvgUbsaAC/cwc5QCQI | ||
| imphash | 7fb05647d0537b5b517720efafc40fb4 | ||
| impfuzzy | 12:t5/k/UyVnGv6SWTsd4x8BQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:t5/3AGv6SWTsK8BQ58QtXJHc9NDI5Q8 | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x7c0000 CreateThread
USER32.dll
0x7c0008 wsprintfA
ADVAPI32.dll
0x7c0010 CryptImportKey
SensApi.dll
0x7c0018 IsNetworkAlive
USERENV.dll
0x7c0020 CreateEnvironmentBlock
WTSAPI32.dll
0x7c0028 WTSQueryUserToken
SHLWAPI.dll
0x7c0030 PathStripPathA
WININET.dll
0x7c0038 DeleteUrlCacheEntry
urlmon.dll
0x7c0040 URLDownloadToFileA
PSAPI.DLL
0x7c0048 EnumProcesses
WS2_32.dll
0x7c0050 getsockopt
WLDAP32.dll
0x7c0058 None
IPHLPAPI.DLL
0x7c0060 GetAdaptersInfo
MSVCR100.dll
0x7c0068 _except_handler4_common
WTSAPI32.dll
0x7c0070 WTSSendMessageW
KERNEL32.dll
0x7c0078 VirtualQuery
USER32.dll
0x7c0080 GetProcessWindowStation
KERNEL32.dll
0x7c0088 LocalAlloc
0x7c008c LocalFree
0x7c0090 GetModuleFileNameW
0x7c0094 GetProcessAffinityMask
0x7c0098 SetProcessAffinityMask
0x7c009c SetThreadAffinityMask
0x7c00a0 Sleep
0x7c00a4 ExitProcess
0x7c00a8 FreeLibrary
0x7c00ac LoadLibraryA
0x7c00b0 GetModuleHandleA
0x7c00b4 GetProcAddress
USER32.dll
0x7c00bc GetProcessWindowStation
0x7c00c0 GetUserObjectInformationW
EAT(Export Address Table) is none
KERNEL32.dll
0x7c0000 CreateThread
USER32.dll
0x7c0008 wsprintfA
ADVAPI32.dll
0x7c0010 CryptImportKey
SensApi.dll
0x7c0018 IsNetworkAlive
USERENV.dll
0x7c0020 CreateEnvironmentBlock
WTSAPI32.dll
0x7c0028 WTSQueryUserToken
SHLWAPI.dll
0x7c0030 PathStripPathA
WININET.dll
0x7c0038 DeleteUrlCacheEntry
urlmon.dll
0x7c0040 URLDownloadToFileA
PSAPI.DLL
0x7c0048 EnumProcesses
WS2_32.dll
0x7c0050 getsockopt
WLDAP32.dll
0x7c0058 None
IPHLPAPI.DLL
0x7c0060 GetAdaptersInfo
MSVCR100.dll
0x7c0068 _except_handler4_common
WTSAPI32.dll
0x7c0070 WTSSendMessageW
KERNEL32.dll
0x7c0078 VirtualQuery
USER32.dll
0x7c0080 GetProcessWindowStation
KERNEL32.dll
0x7c0088 LocalAlloc
0x7c008c LocalFree
0x7c0090 GetModuleFileNameW
0x7c0094 GetProcessAffinityMask
0x7c0098 SetProcessAffinityMask
0x7c009c SetThreadAffinityMask
0x7c00a0 Sleep
0x7c00a4 ExitProcess
0x7c00a8 FreeLibrary
0x7c00ac LoadLibraryA
0x7c00b0 GetModuleHandleA
0x7c00b4 GetProcAddress
USER32.dll
0x7c00bc GetProcessWindowStation
0x7c00c0 GetUserObjectInformationW
EAT(Export Address Table) is none