ScreenShot
| Created | 2021.07.02 16:14 | Machine | s1_win7_x6401 |
| Filename | %E4%BD%9C%E8%80%85.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 48 detected (AIDetect, malware2, Unsafe, Zegost, Zlob, malicious, Eldorado, Attribute, HighConfidence, FileRepMalware, dvpspc, Wqxb, SM22, FJYJ, afio, Taranis, ai score=80, Redosdru, score, Artemis, BScope, GenAsa, tNjW2qB+pcY, susgen, confidence, 100%, HgIASXEA) | ||
| md5 | 6c77c76454570716846ba6815034ba10 | ||
| sha256 | 7e2d72b0a1edfdcbff3274250989bebcfae867c42f1417057c8a5adc4c2daf58 | ||
| ssdeep | 768:KYVNd+RLgdC85OhXarCuthQazw5zwTCunEQWf0oE6jxdCjq/awSpW+Nzsj8EZMuS:XVNoRKCWOhXicluEPrHI4+KZqi5K | ||
| imphash | 7dac6a3c6231c427b0e3eee9e808d65e | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/GlMvMcAnSyhabnsdc9WNsYbS4Q+VTcf5465xxKXn:VA/DzqYOZOXTGnX4QaTRKxxMn | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Network activity contains more than one unique useragent |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | The executable uses a known packer |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))
ET INFO Dotted Quad Host DLL Request
ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x44c918 LoadLibraryA
0x44c91c GetProcAddress
0x44c920 VirtualProtect
0x44c924 VirtualAlloc
0x44c928 VirtualFree
0x44c92c ExitProcess
COMCTL32.dll
0x44c934 None
GDI32.dll
0x44c93c BitBlt
imagehlp.dll
0x44c944 MakeSureDirectoryPathExists
MFC42.DLL
0x44c94c None
MSVCP60.dll
0x44c954 ??1locale@std@@QAE@XZ
MSVCRT.dll
0x44c95c free
ole32.dll
0x44c964 CoInitialize
SHELL32.dll
0x44c96c SHGetMalloc
USER32.dll
0x44c974 GetMenu
VERSION.dll
0x44c97c VerQueryValueA
WININET.dll
0x44c984 InternetOpenA
WSOCK32.dll
0x44c98c WSAGetLastError
EAT(Export Address Table) is none
KERNEL32.DLL
0x44c918 LoadLibraryA
0x44c91c GetProcAddress
0x44c920 VirtualProtect
0x44c924 VirtualAlloc
0x44c928 VirtualFree
0x44c92c ExitProcess
COMCTL32.dll
0x44c934 None
GDI32.dll
0x44c93c BitBlt
imagehlp.dll
0x44c944 MakeSureDirectoryPathExists
MFC42.DLL
0x44c94c None
MSVCP60.dll
0x44c954 ??1locale@std@@QAE@XZ
MSVCRT.dll
0x44c95c free
ole32.dll
0x44c964 CoInitialize
SHELL32.dll
0x44c96c SHGetMalloc
USER32.dll
0x44c974 GetMenu
VERSION.dll
0x44c97c VerQueryValueA
WININET.dll
0x44c984 InternetOpenA
WSOCK32.dll
0x44c98c WSAGetLastError
EAT(Export Address Table) is none