Field | Value |
---|---|
Created | 2021.08.03 09:43 |
Machine | s1_win7_x6402 |
Filename | Tani_Khan_Matrimonial_profile_picture_for_email_circulation_4.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 34 detected (Bingoml, malicious, high confidence, score, Artemis, Unsafe, Save, Doina, TrojanX, CLASSIC, Generic ML PUA, Siggen14, BOZOKRAT, MalCert, ai score=99, kcloud, BScope, Agentb, HgIASZkA) |
md5 | 578d9f0ced02ee2f03ad3484628671d7 |
sha256 | 6ddf7b13312987ed7d85ff6795f279d4c09ef67e7895a84254e53776a7ea9873 |
ssdeep | 12288:3t0DuDX3YZfBZcYoocqn6MiJ1M8nVOKPFRHXV7Dbxw9/EbS3z:90aqfhc06L68nVOqFNXV7CcbSj |
imphash | 9e3e99cf6ad9c3792938c76840115904 |
impfuzzy | 24:Tv3uBvzOTrLL/qtMS17hlJnc+pl3eDoR7OovbOuHPvRhZHuujMUAM:ArOfHqtMS175c+pps3mndAM |
Signature (14cnts)
Level | Description |
---|---|
danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x412000 ReadFile
0x412004 GetModuleFileNameA
0x412008 FindFirstFileA
0x41200c WriteFile
0x412010 GetModuleFileNameW
0x412014 GetEnvironmentVariableA
0x412018 lstrcmpA
0x41201c GetCurrentDirectoryA
0x412020 lstrcatA
0x412024 GetModuleHandleA
0x412028 Sleep
0x41202c CreateFileA
0x412030 DeleteFileA
0x412034 lstrcpyA
0x412038 CloseHandle
0x41203c SetFileAttributesA
0x412040 ExitProcess
0x412044 GetConsoleWindow
0x412048 CreateDirectoryA
0x41204c RaiseException
0x412050 WriteConsoleW
0x412054 UnhandledExceptionFilter
0x412058 SetUnhandledExceptionFilter
0x41205c GetCurrentProcess
0x412060 TerminateProcess
0x412064 IsProcessorFeaturePresent
0x412068 QueryPerformanceCounter
0x41206c GetCurrentProcessId
0x412070 GetCurrentThreadId
0x412074 GetSystemTimeAsFileTime
0x412078 InitializeSListHead
0x41207c IsDebuggerPresent
0x412080 GetStartupInfoW
0x412084 GetModuleHandleW
0x412088 RtlUnwind
0x41208c GetLastError
0x412090 SetLastError
0x412094 EnterCriticalSection
0x412098 LeaveCriticalSection
0x41209c DeleteCriticalSection
0x4120a0 InitializeCriticalSectionAndSpinCount
0x4120a4 TlsAlloc
0x4120a8 TlsGetValue
0x4120ac TlsSetValue
0x4120b0 TlsFree
0x4120b4 FreeLibrary
0x4120b8 GetProcAddress
0x4120bc LoadLibraryExW
0x4120c0 GetModuleHandleExW
0x4120c4 GetStdHandle
0x4120c8 MultiByteToWideChar
0x4120cc WideCharToMultiByte
0x4120d0 GetCommandLineA
0x4120d4 GetCommandLineW
0x4120d8 GetACP
0x4120dc HeapFree
0x4120e0 HeapAlloc
0x4120e4 CompareStringW
0x4120e8 LCMapStringW
0x4120ec GetFileType
0x4120f0 FindClose
0x4120f4 FindFirstFileExA
0x4120f8 FindNextFileA
0x4120fc IsValidCodePage
0x412100 GetOEMCP
0x412104 GetCPInfo
0x412108 GetEnvironmentStringsW
0x41210c FreeEnvironmentStringsW
0x412110 SetEnvironmentVariableA
0x412114 SetStdHandle
0x412118 GetStringTypeW
0x41211c GetProcessHeap
0x412120 HeapSize
0x412124 HeapReAlloc
0x412128 GetConsoleCP
0x41212c GetConsoleMode
0x412130 SetFilePointerEx
0x412134 FlushFileBuffers
0x412138 DecodePointer
0x41213c CreateFileW
USER32.dll
0x412144 ShowWindow
EAT (Export Address Table) is none