Field | Value |
---|---|
Created | 2021.09.15 18:13 |
Machine | s1_win7_x6402 |
Filename | phorm.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 34 detected (Zonidel, malicious, high confidence, score, Unsafe, confidence, Mint, Zard, Attribute, HighConfidence, ADMJ, jbbiel, Artemis, XPACK, kcloud, Sabsik, BScope, Tiggre, ai score=88, Generic@ML, RDML, dzB5pRgOKMqpQ0Q1hWz6VA, Static AI, Malicious PE) |
md5 | 400fc2e410b02fb12db7634c8221f51c |
sha256 | 191e85467c65e5e382e384b39edeea61f4daad41c3c192d2be70e1c3ab2f0760 |
ssdeep | 96:Q8RK3EF+kzplYp3stt67oU5R4u6EGjjT9ePtboyn0nU6TWS/cCtcb2S:1K32xzpeBokrGTcP1oynmU6TWS/3cbP |
imphash | 3636696cda8ae63c15290a7642f2c7a3 |
impfuzzy | 24:suoTB+5T0v+GE/aN/2MtIOgnloysJDuKm1/mIVU1we:suod+x02GNN3yOWoy06Ko/Q |
Network IP location
Signature (6cnts)
Level | Description |
---|---|
danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Installs itself for autorun at Windows startup |
notice | A process attempted to delay the analysis task. |
info | The executable uses a known packer |
info | This executable has a PDB path |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win_Worm_Phorpiex | A worm that spreads via removable drives and network drives. | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
SHLWAPI.dll
0x4020d8 StrCmpNW
0x4020dc PathFileExistsW
0x4020e0 StrStrIW
MSVCRT.dll
0x402090 _onexit
0x402094 __dllonexit
0x402098 _controlfp
0x40209c _except_handler3
0x4020a0 __set_app_type
0x4020a4 __p__fmode
0x4020a8 __p__commode
0x4020ac _adjust_fdiv
0x4020b0 __setusermatherr
0x4020b4 _initterm
0x4020b8 __getmainargs
0x4020bc _acmdln
0x4020c0 exit
0x4020c4 wcslen
0x4020c8 wcscmp
0x4020cc _XcptFilter
0x4020d0 _exit
KERNEL32.dll
0x402020 GetStartupInfoA
0x402024 GetModuleHandleA
0x402028 CreateMutexA
0x40202c GetLastError
0x402030 ExitProcess
0x402034 GetModuleFileNameW
0x402038 ExpandEnvironmentStringsW
0x40203c CopyFileW
0x402040 CreateThread
0x402044 Sleep
0x402048 ExitThread
0x40204c SetFileAttributesW
0x402050 DeleteFileW
0x402054 HeapFree
0x402058 HeapAlloc
0x40205c GetProcessHeap
0x402060 lstrcpyW
0x402064 QueryDosDeviceW
0x402068 GetDriveTypeW
0x40206c GetLogicalDrives
0x402070 RemoveDirectoryW
0x402074 FindClose
0x402078 FindNextFileW
0x40207c MoveFileExW
0x402080 lstrcmpW
0x402084 FindFirstFileW
0x402088 CreateDirectoryW
USER32.dll
0x4020e8 wsprintfW
ADVAPI32.dll
0x402000 RegSetValueExW
0x402004 RegQueryValueExW
0x402008 RegOpenKeyExW
0x40200c RegQueryInfoKeyW
0x402010 RegEnumValueW
0x402014 RegDeleteValueW
0x402018 RegCloseKey
EAT (Export Address Table): none