ScreenShot
| Created | 2021.09.03 08:58 | Machine | s1_win7_x6401 |
| Filename | Server.txt | ||
| Type | ASCII text, with very long lines, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 2 detected (Attribute, HighConfidence, Wacatac) | ||
| md5 | 94399d073244c168d813a46c1751b396 | ||
| sha256 | 30b4cfb6c0c1633fa3702b12a16bacdaff7a20e1667922e65f22843af46aeb88 | ||
| ssdeep | 1536:LKywW7bhKpDpfOCXh9jSuzkXuxPdJ8hRNuNrKvLu2K94Drh:oY | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | File has been identified by 2 AntiVirus engines on VirusTotal as malicious |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | PowerShell_Script_MZ_Zero | PowerShell Script MZ [Zero] | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
