ScreenShot
| Created | 2021.09.14 10:06 | Machine | s1_win7_x6401 |
| Filename | pay.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 52 detected (malicious, high confidence, Magania, Trojanpws, Bjlog, Save, Dialer, PcClient, Zegost, Eldorado, Baijin, score, dxwn, fjzikd, FileRepMalware, Gh0st, ~Z@k24gw, MulDrop1, Static AI, Malicious PE, A + Troj, Redosdru, chek, ASBOL, PbBot, R3985, Artemis, ai score=84, BScope, Unsafe, Bagolod, CLASSIC, confidence) | ||
| md5 | 6622363be06db7fabf23393755e05b0b | ||
| sha256 | e046697b4102be8e3ad4b6e04524e7248d86b58f6d9f4884357fd33768878fbd | ||
| ssdeep | 1536:59POZTDTDXAqlscUaXzvFMHmx7HHZsj8U4n43HTdk0GVj+Bk4:HPmTXDXAdEzmGBH5uHTddG4 | ||
| imphash | 4a808dc3f3a9b0712288dfa8c7e7e8a4 | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EXJS09QAd/U3QGY:VA/DzqYOZkSQQ4/Ugd | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | Creates a service |
| notice | Expresses interest in specific running processes |
| notice | Foreign language identified in PE resource |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | The executable uses a known packer |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4324f0 LoadLibraryA
0x4324f4 GetProcAddress
0x4324f8 VirtualProtect
0x4324fc VirtualAlloc
0x432500 VirtualFree
0x432504 ExitProcess
ADVAPI32.dll
0x43250c GetAce
MSVCRT.dll
0x432514 exit
NETAPI32.dll
0x43251c NetApiBufferFree
SHLWAPI.dll
0x432524 SHDeleteKeyA
USER32.dll
0x43252c wsprintfA
EAT(Export Address Table) is none
KERNEL32.DLL
0x4324f0 LoadLibraryA
0x4324f4 GetProcAddress
0x4324f8 VirtualProtect
0x4324fc VirtualAlloc
0x432500 VirtualFree
0x432504 ExitProcess
ADVAPI32.dll
0x43250c GetAce
MSVCRT.dll
0x432514 exit
NETAPI32.dll
0x43251c NetApiBufferFree
SHLWAPI.dll
0x432524 SHDeleteKeyA
USER32.dll
0x43252c wsprintfA
EAT(Export Address Table) is none