Field | Value |
---|---|
Created | 2021.09.03 10:10 |
Machine | s1_win7_x6401 |
Filename | e_KJpx.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 29 detected (Malicious, score, FMCT, Filecoder, Convagent, MalwareX, Erica, CLASSIC, Vilsel, ASMalwS, Wacatac, Ransomware, ai score=82, BScope, Unsafe, Gencirc, Static AI, Suspicious PE, ZelphiF, dGW@ay8@e5ii, GdSda) |
md5 | d5fda1a31aa08a72883cdc3752ea681f |
sha256 | 78852458f761f88b1cee45637281d1edd675fc3976ab0acdb2445fe4230fcd7e |
ssdeep | 768:8ZIqZycEr//ezVXjy3/C0eG8qBVVTlWOH4ue0DjlwNIe1vCw77UpcEE57K7DC+KE:kIqZycEizpu37B6034lvNkE5YsmD |
imphash | c959bce2b081104f10c7f296e5f58414 |
impfuzzy | 48:5QcfpqdVngOcE/+4QkebZSin3OuGKACyHvzXZX0QnBn6GuSe4IVAHZAQt739zyRn:5QcfpqXgOc/4IbZh3tw9wxlT/8Rwd |
Signature (4cnts)
Level | Description |
---|---|
danger | Drops 1879 unknown file mime types indicative of ransomware writing encrypted files back to disk |
warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
notice | Drops an executable to the user AppData folder |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (24cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(no network requests recorded) | | | | | |
Suricata ids
PE API
IAT (Import Address Table)
kernel32.dll
0x40d0f0 GetCurrentThreadId
0x40d0f4 DeleteCriticalSection
0x40d0f8 LeaveCriticalSection
0x40d0fc EnterCriticalSection
0x40d100 InitializeCriticalSection
0x40d104 VirtualFree
0x40d108 VirtualAlloc
0x40d10c LocalFree
0x40d110 LocalAlloc
0x40d114 VirtualQuery
0x40d118 lstrlenA
0x40d11c lstrcpyA
0x40d120 LoadLibraryExA
0x40d124 GetThreadLocale
0x40d128 GetStartupInfoA
0x40d12c GetModuleFileNameA
0x40d130 GetLocaleInfoA
0x40d134 GetLastError
0x40d138 GetCommandLineA
0x40d13c FreeLibrary
0x40d140 ExitProcess
0x40d144 WriteFile
0x40d148 SetFilePointer
0x40d14c SetEndOfFile
0x40d150 RtlUnwind
0x40d154 ReadFile
0x40d158 RaiseException
0x40d15c GetStdHandle
0x40d160 GetFileSize
0x40d164 GetFileType
0x40d168 CreateFileA
0x40d16c CloseHandle
user32.dll
0x40d174 GetKeyboardType
0x40d178 MessageBoxA
advapi32.dll
0x40d180 RegQueryValueExA
0x40d184 RegOpenKeyExA
0x40d188 RegCloseKey
oleaut32.dll
0x40d190 VariantCopyInd
0x40d194 VariantClear
0x40d198 SysFreeString
0x40d19c SysReAllocStringLen
kernel32.dll
0x40d1a4 TlsSetValue
0x40d1a8 TlsGetValue
0x40d1ac LocalAlloc
0x40d1b0 GetModuleHandleA
0x40d1b4 GetModuleFileNameA
advapi32.dll
0x40d1bc RegSetValueExA
0x40d1c0 RegOpenKeyExA
0x40d1c4 RegFlushKey
0x40d1c8 RegCreateKeyExA
0x40d1cc RegCloseKey
kernel32.dll
0x40d1d4 WriteFile
0x40d1d8 SetFilePointer
0x40d1dc SetEndOfFile
0x40d1e0 ReadFile
0x40d1e4 MoveFileA
0x40d1e8 GetModuleFileNameA
0x40d1ec GetLastError
0x40d1f0 GetFileSize
0x40d1f4 GetFileAttributesA
0x40d1f8 GetCommandLineA
0x40d1fc FreeLibrary
0x40d200 FindNextFileA
0x40d204 FindFirstFileA
0x40d208 FindClose
0x40d20c DeleteFileA
0x40d210 CreateFileA
0x40d214 CloseHandle
gdi32.dll
0x40d21c DeleteObject
user32.dll
0x40d224 TranslateMessage
0x40d228 ShowWindow
0x40d22c SetWindowTextA
0x40d230 SetTimer
0x40d234 SetPropA
0x40d238 SetFocus
0x40d23c SetCursor
0x40d240 SendMessageA
0x40d244 RemovePropA
0x40d248 RegisterClassA
0x40d24c PostQuitMessage
0x40d250 PostMessageA
0x40d254 MessageBoxA
0x40d258 LoadIconA
0x40d25c LoadCursorA
0x40d260 KillTimer
0x40d264 IsZoomed
0x40d268 IsWindowEnabled
0x40d26c IsWindow
0x40d270 IsIconic
0x40d274 InvalidateRect
0x40d278 GetSysColor
0x40d27c GetPropA
0x40d280 GetMessageA
0x40d284 GetKeyState
0x40d288 GetFocus
0x40d28c GetClassInfoA
0x40d290 GetCapture
0x40d294 DispatchMessageA
0x40d298 DestroyWindow
0x40d29c DestroyIcon
0x40d2a0 DestroyAcceleratorTable
0x40d2a4 DefWindowProcA
0x40d2a8 CreateWindowExA
0x40d2ac CopyImage
0x40d2b0 CallWindowProcA
0x40d2b4 CharLowerA
shell32.dll
0x40d2bc SHFileOperationA
advapi32.dll
0x40d2c4 CryptDestroyHash
0x40d2c8 CryptHashData
0x40d2cc CryptCreateHash
0x40d2d0 CryptEncrypt
0x40d2d4 CryptDeriveKey
0x40d2d8 CryptSetKeyParam
0x40d2dc CryptGetKeyParam
0x40d2e0 CryptDestroyKey
0x40d2e4 CryptGetDefaultProviderA
0x40d2e8 CryptReleaseContext
0x40d2ec CryptAcquireContextA
EAT (Export Address Table): none
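The import table above carries the capability story behind the "Drops 1879 unknown file mime types" signature: advapi32 CryptoAPI (CryptAcquireContextA, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptEncrypt), a directory walk (FindFirstFileA/FindNextFileA), and file replacement (MoveFileA, DeleteFileA, SHFileOperationA), with registry writes (RegCreateKeyExA/RegSetValueExA) and no static network imports, which agrees with the empty Network table. Two caveats a triager should keep in mind: LoadLibraryExA is imported, so functionality can still be resolved at runtime and import-based triage is only a lower bound; and the repeated kernel32/advapi32/user32 blocks at separate addresses together with GetKeyboardType, SysReAllocStringLen and VariantCopyInd are consistent with a Delphi-built executable (an inference from the imports, not something the report states). The following is an added example, not part of the sandbox report or its rule set: it parses an IAT dump in the format shown above and flags capability groups; the groups, thresholds and the constructed excerpt of the IAT are this example's own assumptions.

```python
"""Import-based capability triage for a PE (added example, not sandbox logic).

Parses an IAT dump in the format on this page: a "name.dll" line followed
by "0xADDR FunctionName" lines. Capability groups and thresholds are
illustrative heuristics chosen for this example.
"""
import re
from collections import defaultdict

DLL_LINE = re.compile(r"^\s*([\w.\-]+\.dll)\s*$", re.IGNORECASE)
IAT_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\w+)\s*$")

# Constructed excerpt of the IAT listed above; the full dump parses the same way.
SAMPLE_IAT = """\
kernel32.dll
0x40d120 LoadLibraryExA
0x40d1e4 MoveFileA
0x40d200 FindNextFileA
0x40d204 FindFirstFileA
0x40d20c DeleteFileA
shell32.dll
0x40d2bc SHFileOperationA
advapi32.dll
0x40d1bc RegSetValueExA
0x40d1c8 RegCreateKeyExA
0x40d2cc CryptCreateHash
0x40d2d0 CryptEncrypt
0x40d2d4 CryptDeriveKey
0x40d2ec CryptAcquireContextA
user32.dll
0x40d178 MessageBoxA
"""

# group -> (minimum number of imported functions needed to fire, function names)
CAPABILITIES = {
    "crypto": (3, {"CryptAcquireContextA", "CryptAcquireContextW", "CryptCreateHash",
                   "CryptHashData", "CryptDeriveKey", "CryptGenKey", "CryptImportKey",
                   "CryptEncrypt"}),
    "file-enumeration": (2, {"FindFirstFileA", "FindFirstFileW",
                             "FindNextFileA", "FindNextFileW"}),
    "file-replace": (2, {"MoveFileA", "MoveFileW", "MoveFileExA", "MoveFileExW",
                         "DeleteFileA", "DeleteFileW", "SHFileOperationA",
                         "SHFileOperationW"}),
    "registry-write": (1, {"RegSetValueExA", "RegSetValueExW",
                           "RegCreateKeyExA", "RegCreateKeyExW"}),
    "network": (1, {"InternetOpenA", "InternetOpenW", "URLDownloadToFileA",
                    "WSAStartup", "connect", "send", "recv"}),
    "dynamic-resolution": (1, {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                               "LoadLibraryExW", "GetProcAddress"}),
}


def parse_iat(text):
    """Return {dll (lower-case): set of imported function names}."""
    imports = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = DLL_LINE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = IAT_LINE.match(line)
        if m and current is not None:
            imports[current].add(m.group(1))
    return dict(imports)


def capabilities(imports):
    """Return {group: sorted matched functions} for every group that fires."""
    funcs = set().union(*imports.values()) if imports else set()
    hits = {}
    for group, (need, names) in CAPABILITIES.items():
        matched = sorted(funcs & names)
        if len(matched) >= need:
            hits[group] = matched
    return hits


def ransomware_like(hits):
    """Encrypt + walk the filesystem + replace files is the profile this
    example treats as a file encryptor."""
    return {"crypto", "file-enumeration", "file-replace"} <= set(hits)


def triage(text):
    """Full verdict dict for one IAT dump. A missing 'network' group is not
    proof of no C2 when 'dynamic-resolution' fires, so both are reported."""
    hits = capabilities(parse_iat(text))
    return {
        "groups": hits,
        "ransomware_like": ransomware_like(hits),
        "static_network_imports": "network" in hits,
        "may_resolve_at_runtime": "dynamic-resolution" in hits,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_IAT)
    for group, names in result["groups"].items():
        print(f"[{group}] {', '.join(names)}")
    for key in ("ransomware_like", "static_network_imports", "may_resolve_at_runtime"):
        print(f"{key}: {result[key]}")
```

One detail worth following into the disassembly: the key path here is CryptCreateHash/CryptHashData followed by CryptDeriveKey rather than CryptGenKey, so the symmetric key is derived from whatever bytes were hashed. Whether that material is a hard-coded string, random per run, or victim-specific decides whether encrypted files are recoverable, and it is the first thing to check before writing the sample off as unrecoverable.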