Field | Value |
---|---|
Created | 2021.08.09 17:15 |
Machine | s1_win7_x6401 |
Filename | readerdc_en_ka_cra_install.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 1 detected (eqmyj) |
md5 | d20ea08fef3b921c8f7c716f29281110 |
sha256 | 9369fb712545f6b6fec5fbf8b1dd228e57ca7899933bbe354b7c4351c8700c99 |
ssdeep | 24576:5FIAHcjqpyjJ/IeUz5nmerq425WIuz+oaJiWEUtsoB+NaMUc:Lr8KyjVIe0n25W7z+oaHEUtsoB81 |
imphash | 74883a00492bef08188fc68a79b1f1fa |
impfuzzy | 6:dBJAEHGDymVMbqR45LamBJcidPLMKJAmzRjF6+dLn:VA/D5/R2DbP+m9RrRn |
Network IP location
Signature (12cnts)
Level | Description |
---|---|
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | File has been identified by one AntiVirus engine on VirusTotal as malicious |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | One or more processes crashed |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
Network (3cnts)
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table)
Library | Address | Import |
---|---|---|
kernel32.dll | 0x845c90 | LoadLibraryA |
kernel32.dll | 0x845c94 | GetProcAddress |
kernel32.dll | 0x845c98 | VirtualAlloc |
kernel32.dll | 0x845c9c | VirtualFree |
SHELL32.dll | 0x845ca4 | SHCreateDirectoryExW |
SHLWAPI.dll | 0x845cac | UrlIsW |
GDI32.dll | 0x845cb4 | GetTextFaceW |
ADVAPI32.dll | 0x845cbc | RegDeleteKeyW |
COMCTL32.dll | 0x845cc4 | InitCommonControlsEx |
ole32.dll | 0x845ccc | OleInitialize |
OLEAUT32.dll | 0x845cd4 | LoadTypeLib |
gdiplus.dll | 0x845cdc | GdipSetInterpolationMode |
EAT (Export Address Table): none