ScreenShot
| Created | 2021.07.02 09:19 | Machine | s1_win7_x6401 |
| Filename | BalomaKeaft.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 43 detected (AIDetect, malware2, malicious, high confidence, Bulz, Gofot, HgIASXMA, Save, ZexaF, @F0@aiYfI1ej, ACMF, Attribute, HighConfidence, Generic@ML, RDML, 61evESLAVBOadQ1jZN0D, R049C0RFS21, R + Mal, VMProtBad, kcloud, Tnega, score, Artemis, ai score=82, TScope, Unsafe, Static AI, Malicious PE, confidence, 100%) | ||
| md5 | c0de5b33ab30d3257451f2aff84d4e51 | ||
| sha256 | 5ac7fc154a948a26d0b7469dda7495f712cb15d055692e6cd989c07c92fee9f7 | ||
| ssdeep | 98304:BhAvjJHXMQtJPpe7gM9vJR4YWUH1NUzqRYzczRBV7XYRhhY812kCU3ItR:BhQJHXMQvPWzLR4YfH1NEAY49BBeY814 | ||
| imphash | 7fb05647d0537b5b517720efafc40fb4 | ||
| impfuzzy | 12:t5/k/UyVnGv6SWTsd4x8BQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:t5/3AGv6SWTsK8BQ58QtXJHc9NDI5Q8 | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xbf5000 CreateThread
USER32.dll
0xbf5008 wsprintfA
ADVAPI32.dll
0xbf5010 CryptImportKey
SensApi.dll
0xbf5018 IsNetworkAlive
USERENV.dll
0xbf5020 CreateEnvironmentBlock
WTSAPI32.dll
0xbf5028 WTSQueryUserToken
SHLWAPI.dll
0xbf5030 PathStripPathA
WININET.dll
0xbf5038 DeleteUrlCacheEntry
urlmon.dll
0xbf5040 URLDownloadToFileA
PSAPI.DLL
0xbf5048 EnumProcesses
WS2_32.dll
0xbf5050 getsockopt
WLDAP32.dll
0xbf5058 None
IPHLPAPI.DLL
0xbf5060 GetAdaptersInfo
MSVCR100.dll
0xbf5068 _except_handler4_common
WTSAPI32.dll
0xbf5070 WTSSendMessageW
KERNEL32.dll
0xbf5078 VirtualQuery
USER32.dll
0xbf5080 GetProcessWindowStation
KERNEL32.dll
0xbf5088 LocalAlloc
0xbf508c LocalFree
0xbf5090 GetModuleFileNameW
0xbf5094 GetProcessAffinityMask
0xbf5098 SetProcessAffinityMask
0xbf509c SetThreadAffinityMask
0xbf50a0 Sleep
0xbf50a4 ExitProcess
0xbf50a8 FreeLibrary
0xbf50ac LoadLibraryA
0xbf50b0 GetModuleHandleA
0xbf50b4 GetProcAddress
USER32.dll
0xbf50bc GetProcessWindowStation
0xbf50c0 GetUserObjectInformationW
EAT(Export Address Table) is none
KERNEL32.dll
0xbf5000 CreateThread
USER32.dll
0xbf5008 wsprintfA
ADVAPI32.dll
0xbf5010 CryptImportKey
SensApi.dll
0xbf5018 IsNetworkAlive
USERENV.dll
0xbf5020 CreateEnvironmentBlock
WTSAPI32.dll
0xbf5028 WTSQueryUserToken
SHLWAPI.dll
0xbf5030 PathStripPathA
WININET.dll
0xbf5038 DeleteUrlCacheEntry
urlmon.dll
0xbf5040 URLDownloadToFileA
PSAPI.DLL
0xbf5048 EnumProcesses
WS2_32.dll
0xbf5050 getsockopt
WLDAP32.dll
0xbf5058 None
IPHLPAPI.DLL
0xbf5060 GetAdaptersInfo
MSVCR100.dll
0xbf5068 _except_handler4_common
WTSAPI32.dll
0xbf5070 WTSSendMessageW
KERNEL32.dll
0xbf5078 VirtualQuery
USER32.dll
0xbf5080 GetProcessWindowStation
KERNEL32.dll
0xbf5088 LocalAlloc
0xbf508c LocalFree
0xbf5090 GetModuleFileNameW
0xbf5094 GetProcessAffinityMask
0xbf5098 SetProcessAffinityMask
0xbf509c SetThreadAffinityMask
0xbf50a0 Sleep
0xbf50a4 ExitProcess
0xbf50a8 FreeLibrary
0xbf50ac LoadLibraryA
0xbf50b0 GetModuleHandleA
0xbf50b4 GetProcAddress
USER32.dll
0xbf50bc GetProcessWindowStation
0xbf50c0 GetUserObjectInformationW
EAT(Export Address Table) is none