ScreenShot
| Created | 2021.07.02 09:31 | Machine | s1_win7_x6401 |
| Filename | NolkaQibon.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 48 detected (AIDetect, malware2, malicious, high confidence, Bulz, Gofot, Unsafe, Save, Attribute, HighConfidence, Pgwt, VMProtBad, R002C0RFM21, ai score=80, ASMalwS, kcloud, Tnega, score, Artemis, TScope, Generic@ML, RDML, yrMZOERks7TheBQJiPusEw, Static AI, Malicious PE, ZexaF, @F0@au1iJ9kj, confidence, 100%, susgen) | ||
| md5 | bd4fefc85df91dd4a1ea0959f50ee11d | ||
| sha256 | 393da31320be78156d5f1352460db20279dba0cc863e8494456f5badb78c652f | ||
| ssdeep | 98304:8CzIvx2vxRwD7P1KZdH7yzoRdXwyVRsaH+18IyfksDaZn1FUwIemqUPzsWwYHaK:Cvx26YdLRG+RFH+18I4kHFUwIe5Y4Wt6 | ||
| imphash | 7fb05647d0537b5b517720efafc40fb4 | ||
| impfuzzy | 12:t5/k/UyVnGv6SWTsd4x8BQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:t5/3AGv6SWTsK8BQ58QtXJHc9NDI5Q8 | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x849000 CreateThread
USER32.dll
0x849008 wsprintfA
ADVAPI32.dll
0x849010 CryptImportKey
SensApi.dll
0x849018 IsNetworkAlive
USERENV.dll
0x849020 CreateEnvironmentBlock
WTSAPI32.dll
0x849028 WTSQueryUserToken
SHLWAPI.dll
0x849030 PathStripPathA
WININET.dll
0x849038 DeleteUrlCacheEntry
urlmon.dll
0x849040 URLDownloadToFileA
PSAPI.DLL
0x849048 EnumProcesses
WS2_32.dll
0x849050 getsockopt
WLDAP32.dll
0x849058 None
IPHLPAPI.DLL
0x849060 GetAdaptersInfo
MSVCR100.dll
0x849068 _except_handler4_common
WTSAPI32.dll
0x849070 WTSSendMessageW
KERNEL32.dll
0x849078 VirtualQuery
USER32.dll
0x849080 GetProcessWindowStation
KERNEL32.dll
0x849088 LocalAlloc
0x84908c LocalFree
0x849090 GetModuleFileNameW
0x849094 GetProcessAffinityMask
0x849098 SetProcessAffinityMask
0x84909c SetThreadAffinityMask
0x8490a0 Sleep
0x8490a4 ExitProcess
0x8490a8 FreeLibrary
0x8490ac LoadLibraryA
0x8490b0 GetModuleHandleA
0x8490b4 GetProcAddress
USER32.dll
0x8490bc GetProcessWindowStation
0x8490c0 GetUserObjectInformationW
EAT(Export Address Table) is none
KERNEL32.dll
0x849000 CreateThread
USER32.dll
0x849008 wsprintfA
ADVAPI32.dll
0x849010 CryptImportKey
SensApi.dll
0x849018 IsNetworkAlive
USERENV.dll
0x849020 CreateEnvironmentBlock
WTSAPI32.dll
0x849028 WTSQueryUserToken
SHLWAPI.dll
0x849030 PathStripPathA
WININET.dll
0x849038 DeleteUrlCacheEntry
urlmon.dll
0x849040 URLDownloadToFileA
PSAPI.DLL
0x849048 EnumProcesses
WS2_32.dll
0x849050 getsockopt
WLDAP32.dll
0x849058 None
IPHLPAPI.DLL
0x849060 GetAdaptersInfo
MSVCR100.dll
0x849068 _except_handler4_common
WTSAPI32.dll
0x849070 WTSSendMessageW
KERNEL32.dll
0x849078 VirtualQuery
USER32.dll
0x849080 GetProcessWindowStation
KERNEL32.dll
0x849088 LocalAlloc
0x84908c LocalFree
0x849090 GetModuleFileNameW
0x849094 GetProcessAffinityMask
0x849098 SetProcessAffinityMask
0x84909c SetThreadAffinityMask
0x8490a0 Sleep
0x8490a4 ExitProcess
0x8490a8 FreeLibrary
0x8490ac LoadLibraryA
0x8490b0 GetModuleHandleA
0x8490b4 GetProcAddress
USER32.dll
0x8490bc GetProcessWindowStation
0x8490c0 GetUserObjectInformationW
EAT(Export Address Table) is none