ScreenShot
| Created | 2021.08.25 09:58 | Machine | s1_win7_x6401 |
| Filename | can.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 19 detected (AIDetect, malware2, malicious, high confidence, Artemis, Unsafe, Save, confidence, ZexaF, EuZ@aWrKYJdi, Attribute, HighConfidence, Kryptik, CLASSIC, Sabsik, score, BScope, TrojanPSW, Agensla, AgentTesla, Static AI, Suspicious PE) | ||
| md5 | 941ffbcc54a5826dde6e2d35f2fc761d | ||
| sha256 | 4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b | ||
| ssdeep | 12288:+pxLkSqnEa1yg6PbvF1yC62hkh2pf05T70sZ0XNfM:jaZ1yQC5gXtM | ||
| imphash | 439ff53323e9506db8654c0d8af9cf37 | ||
| impfuzzy | 6:+TaupKx5XtSRMvblJfG4yRlbb7RBuQLHQ3Q/QKRBKBJqX00OXn:VucJFpG4qpQQ03Q9RcBJqd4 | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| info | One or more processes crashed |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x402150 EnumTimeFormatsW
0x402154 GetConsoleOutputCP
0x402158 GetLastError
0x40215c GetModuleHandleW
0x402160 GetProcessHeap
0x402164 GetStdHandle
0x402168 HeapAlloc
0x40216c HeapFree
0x402170 LocalFree
0x402174 VirtualProtect
0x402178 WideCharToMultiByte
0x40217c WriteConsoleW
0x402180 WriteFile
0x402184 lstrlenW
ole32.dll
0x40218c OleUninitialize
USER32.dll
0x402194 LoadStringW
MSVCRT.dll
0x40219c malloc
0x4021a0 memset
0x4021a4 towlower
EAT(Export Address Table) is none
KERNEL32.dll
0x402150 EnumTimeFormatsW
0x402154 GetConsoleOutputCP
0x402158 GetLastError
0x40215c GetModuleHandleW
0x402160 GetProcessHeap
0x402164 GetStdHandle
0x402168 HeapAlloc
0x40216c HeapFree
0x402170 LocalFree
0x402174 VirtualProtect
0x402178 WideCharToMultiByte
0x40217c WriteConsoleW
0x402180 WriteFile
0x402184 lstrlenW
ole32.dll
0x40218c OleUninitialize
USER32.dll
0x402194 LoadStringW
MSVCRT.dll
0x40219c malloc
0x4021a0 memset
0x4021a4 towlower
EAT(Export Address Table) is none