Field | Value |
---|---|
Created | 2021.07.15 10:16 |
Machine | s1_win7_x6402 |
Filename | file1.bin |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 24 detected (AIDetect, malware1, malicious, high confidence, Unsafe, Save, Emotet, Eldorado, Attribute, HighConfidence, Bsymem, A + Mal, EncPk, Ransomware, score, ZexaF, vu0@aWiramab, MachineLearning, Anomalous, 100%, Generic@ML, RDML, ctX2WonfkoZB9lEXvMa90w, Static AI, Malicious PE, susgen, confidence, QVM20) |
md5 | 7d018423023461e09eb3b64b961092dd |
sha256 | 956e66f820c127b655c4e59af455c4cc827d43b111f4cf260b6da1d30ac443b2 |
ssdeep | 6144:vpWMSmgY0IyFpXjsCEqhp3xuo8Pr7Jjc7wPx5C:kHP7LFVst+0oA71+KC |
imphash | c3803752167a683f3dbd2e2ab3d19b6d |
impfuzzy | 24:NisHJ2sJWSTTgmDo8gwLGtAOA9OAaCnym:NOHwLUAzIAaG |
Signature (7cnts)
Level | Description |
---|---|
warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
watch | Tries to unhook Windows functions monitored by Cuckoo |
notice | Foreign language identified in PE resource |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
POWRPROF.dll
0x44d074 IsPwrHibernateAllowed
0x44d078 ReadGlobalPwrPolicy
KERNEL32.dll
0x44d018 LoadLibraryExW
0x44d01c LocalFree
0x44d020 GetCurrentConsoleFont
0x44d024 AddConsoleAliasA
0x44d028 HeapWalk
0x44d02c HeapCreate
0x44d030 EraseTape
0x44d034 EnumSystemLocalesA
0x44d038 GetModuleHandleW
0x44d03c GetProcessAffinityMask
0x44d040 SetFileAttributesW
0x44d044 DeleteVolumeMountPointW
0x44d048 LockFile
0x44d04c GetLocaleInfoW
0x44d050 FillConsoleOutputAttribute
0x44d054 GetConsoleCursorInfo
0x44d058 GlobalFindAtomA
0x44d05c GetProcAddress
0x44d060 LoadLibraryA
0x44d064 GetModuleHandleA
0x44d068 GlobalAddAtomW
0x44d06c FindFirstFileA
WININET.dll
0x44d09c RetrieveUrlCacheEntryStreamW
msvcrt.dll
0x44d0ac memset
USER32.dll
0x44d080 GetWindowRect
0x44d084 InsertMenuA
0x44d088 GetClipboardFormatNameA
0x44d08c SetCursor
0x44d090 ShowCaret
0x44d094 IsWindow
ole32.dll
0x44d0b4 CoFreeUnusedLibrariesEx
GDI32.dll
0x44d000 GetDeviceCaps
0x44d004 GetObjectW
0x44d008 GetCharWidthW
0x44d00c GetPaletteEntries
0x44d010 GetBitmapBits
WINSPOOL.DRV
0x44d0a4 FindNextPrinterChangeNotification
EAT (Export Address Table): none
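The imphash in the summary table is derived from exactly the import list above, so it can be cross-checked against the listing. The following is an added example, not part of the sandbox report: it rebuilds the import list from the IAT slots shown above, normalises each entry the way pefile's imphash does (library name lower-cased with `.dll`/`.ocx`/`.sys` stripped, `winspool.drv` kept whole, function name lower-cased), joins them with commas in import-directory order and takes the MD5. The one assumption, stated in the code, is that the import directory is laid out in the same order as the IAT slots; the listing supports that reading, since the blocks sit at ascending addresses (GDI32 at 0x44d000, KERNEL32 at 0x44d018, POWRPROF at 0x44d074, ...) with a single 4-byte gap between them where each thunk array's null terminator would be. If the computed value does not match the report, either that assumption is wrong for this linker or the listing is incomplete.

```python
"""Recompute the imphash of the sample from its listed IAT (added example)."""
import hashlib

# IAT as listed in the report: (library, address of first slot, names in slot order).
# Slots are 4 bytes apart because the sample is PE32.
REPORT_IAT = [
    ("POWRPROF.dll", 0x44D074, ["IsPwrHibernateAllowed", "ReadGlobalPwrPolicy"]),
    ("KERNEL32.dll", 0x44D018, [
        "LoadLibraryExW", "LocalFree", "GetCurrentConsoleFont", "AddConsoleAliasA",
        "HeapWalk", "HeapCreate", "EraseTape", "EnumSystemLocalesA", "GetModuleHandleW",
        "GetProcessAffinityMask", "SetFileAttributesW", "DeleteVolumeMountPointW",
        "LockFile", "GetLocaleInfoW", "FillConsoleOutputAttribute", "GetConsoleCursorInfo",
        "GlobalFindAtomA", "GetProcAddress", "LoadLibraryA", "GetModuleHandleA",
        "GlobalAddAtomW", "FindFirstFileA"]),
    ("WININET.dll", 0x44D09C, ["RetrieveUrlCacheEntryStreamW"]),
    ("msvcrt.dll", 0x44D0AC, ["memset"]),
    ("USER32.dll", 0x44D080, ["GetWindowRect", "InsertMenuA", "GetClipboardFormatNameA",
                              "SetCursor", "ShowCaret", "IsWindow"]),
    ("ole32.dll", 0x44D0B4, ["CoFreeUnusedLibrariesEx"]),
    ("GDI32.dll", 0x44D000, ["GetDeviceCaps", "GetObjectW", "GetCharWidthW",
                             "GetPaletteEntries", "GetBitmapBits"]),
    ("WINSPOOL.DRV", 0x44D0A4, ["FindNextPrinterChangeNotification"]),
]
REPORT_IMPHASH = "c3803752167a683f3dbd2e2ab3d19b6d"  # value shown in the report summary

# Extensions pefile strips from the library name; anything else (e.g. .drv) is kept.
_STRIPPED_EXTS = ("dll", "ocx", "sys")


def normalize(dll, func):
    """One imphash token: lower-cased 'lib.func' with .dll/.ocx/.sys removed."""
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in _STRIPPED_EXTS:
        lib = base
    return f"{lib}.{func.lower()}"


def imphash(imports):
    """imports: (dll, func) pairs in import-directory order, as pefile walks them."""
    joined = ",".join(normalize(dll, func) for dll, func in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def imports_in_iat_order(iat=REPORT_IAT, slot_size=4):
    """Flatten the report listing into (dll, func) pairs sorted by IAT slot address.

    Assumption: the import directory is ordered the same way as the IAT slots
    (usual for MSVC-linked binaries, not guaranteed for hand-built PEs).
    """
    slots = []
    for dll, base, names in iat:
        for i, name in enumerate(names):
            slots.append((base + i * slot_size, dll, name))
    slots.sort()
    return [(dll, name) for _, dll, name in slots]


def compare_with_report(iat=REPORT_IAT):
    """Return (computed_imphash, matches_report)."""
    computed = imphash(imports_in_iat_order(iat))
    return computed, computed == REPORT_IMPHASH


if __name__ == "__main__":
    computed, ok = compare_with_report()
    print("report  :", REPORT_IMPHASH)
    print("computed:", computed)
    if ok:
        print("match: listed IAT reproduces the report imphash")
    else:
        print("no match: directory order differs from IAT order or the listing is incomplete")
```

Because imphash depends on order as well as content, two samples with identical imports in a different order hash differently; that is why reconstructing the directory order, not just the set of names, is the step that matters here.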