ScreenShot
| Created | 2021.08.13 20:12 | Machine | s1_win7_x6402 |
| Filename | %E8%BD%AF%E4%BB%B6%E6%8E%88%E6%9D%83%E7%A8%8B%E5%BA%8F.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 58 detected (AIDetect, malware1, Farfli, malicious, high confidence, xmW@a8KOUHe, HwIAzAsA, Unsafe, Save, Kryptik, confidence, 100%, Eldorado, Attribute, HighConfidence, HCAH, Fugrafa, gsuiii, BackdoorX, Gencirc, FK@7jqjxo, Siggen11, R002C0PH621, PWSZbot, AGEN, ASMalwS, kcloud, Multiverze, score, R299466, GenericRXLP, ai score=89, BScope, Generic@ML, RDML, DJMH8sHhmyUpPg6hCfv5Eg, GenAsa, gBhknYBDYco, Static AI, Suspicious PE, ZexaF, susgen) | ||
| md5 | ca0bfb0e149468f828793f18cd1db393 | ||
| sha256 | 323ea92408f9dfb0598cea001209880501388393ed76e9f20974b2819141ca9a | ||
| ssdeep | 6144:MkyLEbWaR5CcUdoVjOU7i2P2P25rrrrDL:dUaWaR5vUKsUeQQ0rrrrD | ||
| imphash | 032ac126bef9dc99c70a99a6b91b16f2 | ||
| impfuzzy | 24:mDo2auMiOovuH+fcd37JHd3iv8ERRvNuCeRVXWyM1y3:duM1hH+fclr3WJeRHmy3 | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Expresses interest in specific running processes |
| watch | Installs itself for autorun at Windows startup |
| notice | An executable file was downloaded by the process %e8%bd%af%e4%bb%b6%e6%8e%88%e6%9d%83%e7%a8%8b%e5%ba%8f.exe |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a service |
| notice | Creates executable files on the filesystem |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | Checks amount of memory in system |
| info | The executable uses a known packer |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET HUNTING Suspicious services.exe in URI
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40f000 GetProcAddress
0x40f004 LoadLibraryA
0x40f008 VirtualAlloc
0x40f00c VirtualFree
0x40f010 FreeLibrary
0x40f014 RtlUnwind
0x40f018 RaiseException
0x40f01c GetModuleHandleA
0x40f020 GetStartupInfoA
0x40f024 GetCommandLineA
0x40f028 GetVersion
0x40f02c ExitProcess
0x40f030 InitializeCriticalSection
0x40f034 DeleteCriticalSection
0x40f038 EnterCriticalSection
0x40f03c LeaveCriticalSection
0x40f040 HeapFree
0x40f044 GetCurrentThreadId
0x40f048 TlsSetValue
0x40f04c TlsAlloc
0x40f050 SetLastError
0x40f054 TlsGetValue
0x40f058 GetLastError
0x40f05c SetUnhandledExceptionFilter
0x40f060 TerminateProcess
0x40f064 GetCurrentProcess
0x40f068 UnhandledExceptionFilter
0x40f06c GetModuleFileNameA
0x40f070 FreeEnvironmentStringsA
0x40f074 FreeEnvironmentStringsW
0x40f078 WideCharToMultiByte
0x40f07c GetEnvironmentStrings
0x40f080 GetEnvironmentStringsW
0x40f084 SetHandleCount
0x40f088 GetStdHandle
0x40f08c GetFileType
0x40f090 GetEnvironmentVariableA
0x40f094 GetVersionExA
0x40f098 HeapDestroy
0x40f09c HeapCreate
0x40f0a0 WriteFile
0x40f0a4 IsBadWritePtr
0x40f0a8 IsBadReadPtr
0x40f0ac HeapValidate
0x40f0b0 HeapAlloc
0x40f0b4 HeapReAlloc
0x40f0b8 DebugBreak
0x40f0bc InterlockedDecrement
0x40f0c0 OutputDebugStringA
0x40f0c4 InterlockedIncrement
0x40f0c8 IsBadCodePtr
0x40f0cc GetCPInfo
0x40f0d0 GetACP
0x40f0d4 GetOEMCP
0x40f0d8 MultiByteToWideChar
0x40f0dc LCMapStringA
0x40f0e0 LCMapStringW
0x40f0e4 GetStringTypeA
0x40f0e8 GetStringTypeW
0x40f0ec SetFilePointer
0x40f0f0 SetStdHandle
0x40f0f4 FlushFileBuffers
0x40f0f8 CloseHandle
EAT(Export Address Table) is none
KERNEL32.dll
0x40f000 GetProcAddress
0x40f004 LoadLibraryA
0x40f008 VirtualAlloc
0x40f00c VirtualFree
0x40f010 FreeLibrary
0x40f014 RtlUnwind
0x40f018 RaiseException
0x40f01c GetModuleHandleA
0x40f020 GetStartupInfoA
0x40f024 GetCommandLineA
0x40f028 GetVersion
0x40f02c ExitProcess
0x40f030 InitializeCriticalSection
0x40f034 DeleteCriticalSection
0x40f038 EnterCriticalSection
0x40f03c LeaveCriticalSection
0x40f040 HeapFree
0x40f044 GetCurrentThreadId
0x40f048 TlsSetValue
0x40f04c TlsAlloc
0x40f050 SetLastError
0x40f054 TlsGetValue
0x40f058 GetLastError
0x40f05c SetUnhandledExceptionFilter
0x40f060 TerminateProcess
0x40f064 GetCurrentProcess
0x40f068 UnhandledExceptionFilter
0x40f06c GetModuleFileNameA
0x40f070 FreeEnvironmentStringsA
0x40f074 FreeEnvironmentStringsW
0x40f078 WideCharToMultiByte
0x40f07c GetEnvironmentStrings
0x40f080 GetEnvironmentStringsW
0x40f084 SetHandleCount
0x40f088 GetStdHandle
0x40f08c GetFileType
0x40f090 GetEnvironmentVariableA
0x40f094 GetVersionExA
0x40f098 HeapDestroy
0x40f09c HeapCreate
0x40f0a0 WriteFile
0x40f0a4 IsBadWritePtr
0x40f0a8 IsBadReadPtr
0x40f0ac HeapValidate
0x40f0b0 HeapAlloc
0x40f0b4 HeapReAlloc
0x40f0b8 DebugBreak
0x40f0bc InterlockedDecrement
0x40f0c0 OutputDebugStringA
0x40f0c4 InterlockedIncrement
0x40f0c8 IsBadCodePtr
0x40f0cc GetCPInfo
0x40f0d0 GetACP
0x40f0d4 GetOEMCP
0x40f0d8 MultiByteToWideChar
0x40f0dc LCMapStringA
0x40f0e0 LCMapStringW
0x40f0e4 GetStringTypeA
0x40f0e8 GetStringTypeW
0x40f0ec SetFilePointer
0x40f0f0 SetStdHandle
0x40f0f4 FlushFileBuffers
0x40f0f8 CloseHandle
EAT(Export Address Table) is none