Field | Value |
---|---|
Created | 2021.07.12 09:50 |
Machine | s1_win7_x6402 |
Filename | f5aacf8c46f43d01d08fa79d2d72cfa9.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 40 detected (AIDetect, malware1, malicious, high confidence, Doina, GenericRXAA, Unsafe, Phonzy, Kryptik, VJVU, HLQQ, MalwareX, Wopz, Inject4, Artemis, woetv, 13QHYFZ, score, ai score=81, R002H0CGA21, confidence, HgIASYIA) |
md5 | 64976dbee1d73fb7765cbec2b3612acc |
sha256 | b5836dfd74e9e193cb8b3ee99d34f6b93ff5b88fecdc8f0b55928407bd0af376 |
ssdeep | 12288:CcXe9SLN+NH0khUZY+vcvw1PG8QYewwB9gL1xBtiJZcaFh:CcO2Q2ZYu+oel9gLHBtyZcaj |
imphash | 385b4c734448931d8105f2b8af2a40a5 |
impfuzzy | 24:mDYNCu9eVHOovu4fg7JHniv8ERRv6uk6fcVneJy+KoTPwxQ1EQm:euh449W/fcVneJy+KX5r |
Network IP location
Signature (18cnts)
Level | Description |
---|---|
danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
warning | Uses WMI to create a new process |
watch | Creates or sets a registry key to a long series of bytes |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable uses a known packer |
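Two of the signatures above, "Uses WMI to create a new process" and "Drops an executable to the user AppData folder", map directly onto endpoint telemetry: a process started through WMI's Win32_Process.Create is spawned by the WMI provider host, WmiPrvSE.exe, rather than by the process that asked for it. The Python below is an added example, not part of this sandbox report, showing that triage logic run over constructed Sysmon-style process-creation (Event ID 1) records. The field names follow Sysmon; the records, paths, PIDs and user names are made up for the example.

```python
"""Added example (not part of the sandbox report): triage logic for the
"Uses WMI to create a new process" and "Drops an executable to the user
AppData folder" behaviours, run over constructed Sysmon-style process-creation
(Event ID 1) records.  Field names follow Sysmon; the records themselves are
made up for this example."""
import ntpath

# Constructed sample telemetry (not real logs).  Paths, PIDs and users are
# illustrative; only the sample file name is taken from the report above.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3400,
     "Image": r"C:\Users\user\AppData\Local\Temp\f5aacf8c46f43d01d08fa79d2d72cfa9.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"WIN7-PC\user"},
    {"EventID": 1, "ProcessId": 1312,
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {"EventID": 1, "ProcessId": 2280,
     "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "User": r"WIN7-PC\user"},
    {"EventID": 1, "ProcessId": 3016,
     "Image": r"C:\Windows\System32\taskhost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # Network-connection event (ID 3): not a process creation, must be ignored.
    {"EventID": 3, "ProcessId": 2280,
     "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "DestinationIp": "203.0.113.10"},
]


def _basename(path: str) -> str:
    """Final component of a Windows path, lower-cased.  ntpath handles
    backslashes even when this script runs on a non-Windows host."""
    return ntpath.basename(path).lower()


def spawned_by_wmi(ev: dict) -> bool:
    """Win32_Process.Create runs the new process under the WMI provider host,
    so the parent is WmiPrvSE.exe instead of the process that requested it."""
    return ev.get("EventID") == 1 and _basename(ev.get("ParentImage", "")) == "wmiprvse.exe"


def runs_from_appdata(ev: dict) -> bool:
    """Executable image located under a user's AppData tree
    (Roaming, Local or LocalLow)."""
    return ev.get("EventID") == 1 and "\\appdata\\" in ev.get("Image", "").lower()


RULES = {
    "wmi_spawned_process": spawned_by_wmi,
    "exec_from_appdata": runs_from_appdata,
}


def triage(events: list) -> list:
    """Return one finding per event that matches at least one rule.
    Severity: both rules -> high (the dropper-plus-WMI pattern in the report),
    WMI spawn alone -> medium, AppData execution alone -> low."""
    findings = []
    for ev in events:
        hits = [name for name, rule in RULES.items() if rule(ev)]
        if not hits:
            continue
        if len(hits) == 2:
            severity = "high"
        elif "wmi_spawned_process" in hits:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"ProcessId": ev["ProcessId"], "Image": ev["Image"],
                         "rules": hits, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} pid={f['ProcessId']} {f['Image']} {f['rules']}")
```

A WmiPrvSE.exe parent on its own is also produced by legitimate management tooling (software deployment agents, remote administration over WMI), so the medium tier should be baselined per environment; the combination with execution out of AppData is what makes the high tier worth an alert.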
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (10cnts)
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x407000 GetProcAddress
0x407004 lstrlenW
0x407008 InterlockedDecrement
0x40700c LoadLibraryA
0x407010 GetEnvironmentVariableW
0x407014 InterlockedIncrement
0x407018 GetStringTypeW
0x40701c GetStringTypeA
0x407020 LocalFree
0x407024 RtlUnwind
0x407028 GetCommandLineA
0x40702c GetVersion
0x407030 ExitProcess
0x407034 RaiseException
0x407038 HeapFree
0x40703c HeapAlloc
0x407040 GetCurrentThreadId
0x407044 TlsSetValue
0x407048 TlsAlloc
0x40704c SetLastError
0x407050 TlsGetValue
0x407054 GetLastError
0x407058 TerminateProcess
0x40705c GetCurrentProcess
0x407060 UnhandledExceptionFilter
0x407064 GetModuleFileNameA
0x407068 FreeEnvironmentStringsA
0x40706c FreeEnvironmentStringsW
0x407070 WideCharToMultiByte
0x407074 GetEnvironmentStrings
0x407078 GetEnvironmentStringsW
0x40707c SetHandleCount
0x407080 GetStdHandle
0x407084 GetFileType
0x407088 GetStartupInfoA
0x40708c GetModuleHandleA
0x407090 GetEnvironmentVariableA
0x407094 GetVersionExA
0x407098 HeapDestroy
0x40709c HeapCreate
0x4070a0 VirtualFree
0x4070a4 WriteFile
0x4070a8 InitializeCriticalSection
0x4070ac EnterCriticalSection
0x4070b0 LeaveCriticalSection
0x4070b4 SetUnhandledExceptionFilter
0x4070b8 VirtualAlloc
0x4070bc HeapReAlloc
0x4070c0 IsBadWritePtr
0x4070c4 IsBadReadPtr
0x4070c8 IsBadCodePtr
0x4070cc GetCPInfo
0x4070d0 GetACP
0x4070d4 GetOEMCP
0x4070d8 MultiByteToWideChar
0x4070dc LCMapStringA
0x4070e0 LCMapStringW
USER32.dll
0x407100 wsprintfW
ole32.dll
0x407108 CoSetProxyBlanket
0x40710c CoInitializeSecurity
0x407110 CoInitialize
0x407114 CoCreateInstance
0x407118 CoUninitialize
OLEAUT32.dll
0x4070e8 SysStringLen
0x4070ec SysAllocStringLen
0x4070f0 SysAllocString
0x4070f4 VariantClear
0x4070f8 SysFreeString
EAT(Export Address Table) is none
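The imphash reported above is an MD5 over the normalized import list: each entry is the lower-cased library name with its .dll/.ocx/.sys extension removed, a dot, and the lower-cased function name (or ordN for imports by ordinal), joined with commas in the order the import descriptors appear in the PE. The Python below is an added example, not part of this report, that recomputes an imphash from the imports listed on this page and flags the ole32/OLEAUT32 combination (CoInitializeSecurity, CoSetProxyBlanket, CoCreateInstance, SysAllocString) that a COM-based WMI client built on IWbemServices needs, which is consistent with the "Uses WMI to create a new process" signature. Two caveats: the listing above prints the libraries as KERNEL32, USER32, ole32, OLEAUT32, while the IAT addresses (OLEAUT32 at 0x4070e8, USER32 at 0x407100, ole32 at 0x407108) suggest a different order inside the binary, so the value computed from this transcription is not guaranteed to equal the reported 385b4c734448931d8105f2b8af2a40a5 and should be verified against the file itself with pefile's PE.get_imphash(); and the ordinal handling is simplified (pefile additionally resolves well-known ordinals in ws2_32 and oleaut32 to names, which this example does not).

```python
"""Added example, not part of the sandbox report: recompute an imphash from an
import listing and flag a COM import combination consistent with the
"Uses WMI to create a new process" signature.  The import names are the ones
listed on this page, in the page's listing order, which may differ from the
PE's import-descriptor order (so the hash may not match the reported one)."""
import hashlib

# Imports transcribed from the IAT listing above, in page order.
PAGE_IMPORTS = {
    "KERNEL32.dll": (
        "GetProcAddress lstrlenW InterlockedDecrement LoadLibraryA "
        "GetEnvironmentVariableW InterlockedIncrement GetStringTypeW "
        "GetStringTypeA LocalFree RtlUnwind GetCommandLineA GetVersion "
        "ExitProcess RaiseException HeapFree HeapAlloc GetCurrentThreadId "
        "TlsSetValue TlsAlloc SetLastError TlsGetValue GetLastError "
        "TerminateProcess GetCurrentProcess UnhandledExceptionFilter "
        "GetModuleFileNameA FreeEnvironmentStringsA FreeEnvironmentStringsW "
        "WideCharToMultiByte GetEnvironmentStrings GetEnvironmentStringsW "
        "SetHandleCount GetStdHandle GetFileType GetStartupInfoA "
        "GetModuleHandleA GetEnvironmentVariableA GetVersionExA HeapDestroy "
        "HeapCreate VirtualFree WriteFile InitializeCriticalSection "
        "EnterCriticalSection LeaveCriticalSection SetUnhandledExceptionFilter "
        "VirtualAlloc HeapReAlloc IsBadWritePtr IsBadReadPtr IsBadCodePtr "
        "GetCPInfo GetACP GetOEMCP MultiByteToWideChar LCMapStringA LCMapStringW"
    ).split(),
    "USER32.dll": ["wsprintfW"],
    "ole32.dll": ["CoSetProxyBlanket", "CoInitializeSecurity", "CoInitialize",
                  "CoCreateInstance", "CoUninitialize"],
    "OLEAUT32.dll": ["SysStringLen", "SysAllocStringLen", "SysAllocString",
                     "VariantClear", "SysFreeString"],
}

# Heuristic (assumption, not a rule from the report): the COM calls a WMI
# client needs to obtain an IWbemServices proxy and pass BSTR arguments to
# ExecMethod.  Any COM client can import these, so treat a match as weak
# evidence to be combined with dynamic behaviour such as the signature above.
WMI_COM_CLIENT = {"ole32.coinitializesecurity", "ole32.cosetproxyblanket",
                  "ole32.cocreateinstance", "oleaut32.sysallocstring"}


def normalize_import(dll: str, func) -> str:
    """One imphash token: lower-case library without .dll/.ocx/.sys, a dot,
    and the lower-case function name (ordN when imported by ordinal).
    Simplification: pefile maps well-known ordinals of ws2_32/oleaut32 to
    names; this example keeps the generic ordN form."""
    lib = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if lib.endswith(ext):
            lib = lib[:-len(ext)]
            break
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def import_tokens(imports: dict) -> list:
    """Normalized tokens in the order the import table lists them."""
    return [normalize_import(dll, f) for dll, funcs in imports.items() for f in funcs]


def imphash(imports: dict) -> str:
    """MD5 over the comma-joined normalized import list (the imphash scheme)."""
    return hashlib.md5(",".join(import_tokens(imports)).encode("ascii")).hexdigest()


def wmi_com_indicators(imports: dict) -> list:
    """Which of the WMI-client COM imports are present (all four = full match)."""
    return sorted(WMI_COM_CLIENT & set(import_tokens(imports)))


if __name__ == "__main__":
    print("imports :", len(import_tokens(PAGE_IMPORTS)))
    print("imphash :", imphash(PAGE_IMPORTS), "(page order; compare with the report)")
    print("wmi/com :", wmi_com_indicators(PAGE_IMPORTS))
```

The KERNEL32 block is the usual Visual C runtime start-up set (heap, TLS, environment, code-page and IsBad*Ptr calls) and carries little signal on its own; the five ole32 and five OLEAUT32 imports plus the absence of any direct CreateProcess import are what make the COM route to process creation plausible, and the sandbox's WMI signature is the dynamic confirmation.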