ScreenShot
| Created | 2021.07.07 11:02 | Machine | s1_win7_x6402 |
| Filename | 119.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 23 detected (AIDetect, malware2, malicious, high confidence, score, Save, Bsymem, Generic ML PUA, InvalidSig, ASCommon, Wacapew, Unsafe, Kryptik, CLASSIC, Static AI, Malicious PE, susgen, Ursnif, ZexaF, 4z1@a8wOM2gi, QVM20) | ||
| md5 | 13cf6e639bd4d6c7478f438e001beec7 | ||
| sha256 | 548aeca63c758e896a8959a1f0a4dccd5fc87ae57af14916e54a7f4758808db0 | ||
| ssdeep | 49152:p528wME4n6U/COuRMdt/8zexPwT0zZb9Im/xnGi5GvJs:bdFuzelA01si5CJs | ||
| imphash | fee9a94171107f726d5f8efe9e99a932 | ||
| impfuzzy | 12:YTyqXJjJjAGEpOGZGyR5j7r9yvn/JabpZGbQwD4gSLC8SIZ1wk:0rjAOa7jn9yv/JazUQwkgSLCpIZ1wk | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | Created a service where a service was also not started |
| watch | Installs itself for autorun at Windows startup |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x5cd164 GetStartupInfoW
0x5cd168 ExitThread
0x5cd16c GetSystemTimeAsFileTime
0x5cd170 IsDebuggerPresent
0x5cd174 UnhandledExceptionFilter
0x5cd178 GetLastError
0x5cd17c LoadLibraryW
0x5cd180 GetModuleHandleA
0x5cd184 GetCommandLineW
0x5cd188 LocalAlloc
0x5cd18c LocalFree
0x5cd190 SearchPathW
0x5cd194 CreateProcessW
0x5cd198 WaitForSingleObject
0x5cd19c CloseHandle
0x5cd1a0 FormatMessageW
0x5cd1a4 GetModuleHandleW
0x5cd1a8 MultiByteToWideChar
0x5cd1ac GetStdHandle
0x5cd1b0 GetFileType
0x5cd1b4 WriteConsoleW
0x5cd1b8 SetLastError
0x5cd1bc FreeLibrary
0x5cd1c0 SetErrorMode
0x5cd1c4 ExitProcess
0x5cd1c8 VirtualAlloc
USER32.dll
0x5cd1d0 MessageBoxW
0x5cd1d4 LoadIconA
0x5cd1d8 CharUpperA
ADVAPI32.dll
0x5cd1e0 RegQueryValueExA
0x5cd1e4 RegOpenKeyExA
EAT(Export Address Table) is none
KERNEL32.dll
0x5cd164 GetStartupInfoW
0x5cd168 ExitThread
0x5cd16c GetSystemTimeAsFileTime
0x5cd170 IsDebuggerPresent
0x5cd174 UnhandledExceptionFilter
0x5cd178 GetLastError
0x5cd17c LoadLibraryW
0x5cd180 GetModuleHandleA
0x5cd184 GetCommandLineW
0x5cd188 LocalAlloc
0x5cd18c LocalFree
0x5cd190 SearchPathW
0x5cd194 CreateProcessW
0x5cd198 WaitForSingleObject
0x5cd19c CloseHandle
0x5cd1a0 FormatMessageW
0x5cd1a4 GetModuleHandleW
0x5cd1a8 MultiByteToWideChar
0x5cd1ac GetStdHandle
0x5cd1b0 GetFileType
0x5cd1b4 WriteConsoleW
0x5cd1b8 SetLastError
0x5cd1bc FreeLibrary
0x5cd1c0 SetErrorMode
0x5cd1c4 ExitProcess
0x5cd1c8 VirtualAlloc
USER32.dll
0x5cd1d0 MessageBoxW
0x5cd1d4 LoadIconA
0x5cd1d8 CharUpperA
ADVAPI32.dll
0x5cd1e0 RegQueryValueExA
0x5cd1e4 RegOpenKeyExA
EAT(Export Address Table) is none