ScreenShot
| Created | 2021.09.14 16:01 | Machine | s1_win7_x6401 |
| Filename | nok.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 9 detected (malicious, high confidence, Unsafe, a variant of WinGo, score, NetTool, TorTool, Trickbot, AGEN, susgen) | ||
| md5 | 5930b25610cc3ebdc2543cf8a1bf1906 | ||
| sha256 | df567fbec321a3828643118c5b8f28e9ca7a70d416be9463d267389ec80595ca | ||
| ssdeep | 98304:Djv+PGv4y17elko0DU9hsiEsn1cHmyY1/b4Kwz1ua/Ea4UFikLPr1:f+xy17elBcU9hf1ywJkKwrc+iG | ||
| imphash | fc5373cea8ee043c2d12b7bc107fa80b | ||
| impfuzzy | 6:omRgAAKXG5ZRXvYBJAEoZ/OEGDzyRL1bS4Q5:omRgAALPxwABZG/DzB4Q5 | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| watch | Drops a binary and executes it |
| notice | A process created a hidden window |
| notice | Creates executable files on the filesystem |
| notice | File has been identified by 9 AntiVirus engines on VirusTotal as malicious |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x15d50c8 RegCloseKey
CRYPT32.dll
0x15d50d8 CertOpenStore
GDI32.dll
0x15d50e8 GetDIBits
IPHLPAPI.DLL
0x15d50f8 GetAdaptersAddresses
KERNEL32.DLL
0x15d5108 LoadLibraryA
0x15d5110 ExitProcess
0x15d5118 GetProcAddress
0x15d5120 VirtualProtect
msvcrt.dll
0x15d5130 atof
SHELL32.dll
0x15d5140 SHGetMalloc
USER32.dll
0x15d5150 GetDC
WS2_32.dll
0x15d5160 ind
EAT(Export Address Table) is none
ADVAPI32.dll
0x15d50c8 RegCloseKey
CRYPT32.dll
0x15d50d8 CertOpenStore
GDI32.dll
0x15d50e8 GetDIBits
IPHLPAPI.DLL
0x15d50f8 GetAdaptersAddresses
KERNEL32.DLL
0x15d5108 LoadLibraryA
0x15d5110 ExitProcess
0x15d5118 GetProcAddress
0x15d5120 VirtualProtect
msvcrt.dll
0x15d5130 atof
SHELL32.dll
0x15d5140 SHGetMalloc
USER32.dll
0x15d5150 GetDC
WS2_32.dll
0x15d5160 ind
EAT(Export Address Table) is none