| Field | Value |
|---|---|
| Created | 2021.09.19 11:15 |
| Machine | s1_win7_x6401 |
| Filename | 753.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| ZERO API | file : malware |
| VT API (file) | 46 detected (malicious, high confidence, origin, GenericKD, Unsafe, Save, MalwareX, confidence, ZexaF, auW@a8m3bHai, Attribute, HighConfidence, Tiny, Lohy, 0NA103II21, Static AI, Malicious PE, XPACK, ai score=84, KVMH017, kcloud, Sabsik, score, Generic@ML, RDML, HYCzEUpYBrFhWCy5trk1yg, susgen) |
| md5 | af3e98549b975158f54ef8b171182d50 |
| sha256 | 43a1ee058eb0b771d9f9b179cb51a5b56a1c3ae8bdc211edeb8486f89e3bc10f |
| ssdeep | 96:ZeLUneX1Oe4HEWjOIgydPtboynun/AqiCtq9:0AeXcCcP1oynW/Ag |
| imphash | d4fccbf39f0b0e9e3b5577d3527b4e69 |
| impfuzzy | 12:I4sX5vBNGx4Gv+GXRzGy5GgYLwbISZOoS3fQAEsy27QDuKmRgFyS:W5vBUVv+GdySZO0N/2kDuKmML |
Signatures (19)

| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process attempted to delay the analysis task |
| notice | A process created a hidden window |
| notice | An executable file was downloaded by the process 753.exe |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Creates hidden or system file |
| notice | Drops a binary and executes it |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (16)

| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata IDS alerts

- ET DROP Spamhaus DROP Listed Traffic Inbound group 25
- ET INFO Executable Download from dotted-quad Host (listed twice)
- ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile (listed twice)
- ET POLICY PE EXE or DLL Windows file download HTTP (listed twice)
- ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response (listed twice)
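Together these alerts describe one pattern: a GET for a short alphanumeric `.exe` name sent to a bare IP address (no hostname, hence no DNS query, which is also what the "Communicates with host for which no DNS query was performed" signature keys on), answered with a body that starts with the PE `MZ` magic. The block below is an added example, not part of the report and not the Emerging Threats rule bodies; it re-implements each alert's condition as this example's own heuristic and runs them over a constructed HTTP flow capture (RFC 5737 documentation addresses, a stand-in DROP list, and a fake `/753.exe` fetch are all constructed here) so the logic can be checked offline.

```python
"""Approximate re-implementation of the alert conditions named in the Suricata
section, run over constructed HTTP flow records. These are this example's own
heuristics, not the Emerging Threats rule bodies."""
import ipaddress
import re
from dataclasses import dataclass

DOTTED_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# "Terse alphanumeric executable downloader": a short, purely alphanumeric file
# name with an .exe extension requested straight from the root, e.g. GET /753.exe.
# The 1-8 character bound is this example's assumption, not the ET rule's.
TERSE_EXE_PATH = re.compile(r"^/[A-Za-z0-9]{1,8}\.exe$", re.IGNORECASE)

# Constructed stand-in for the Spamhaus DROP list (RFC 5737 documentation space)
# so the example runs offline; a real deployment loads the published list.
DROP_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class HttpFlow:
    dst_ip: str         # server the sandbox VM connected to
    host: str           # HTTP Host header as sent by the client
    method: str
    path: str
    status: int
    body_prefix: bytes  # first bytes of the response body


def is_dotted_quad_host(flow):
    return DOTTED_QUAD.match(flow.host) is not None


def is_mz_response(flow):
    # PE files start with the 'MZ' DOS header magic.
    return flow.status == 200 and flow.body_prefix[:2] == b"MZ"


def in_drop_list(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DROP_NETS)


# Alert name -> predicate over one flow. "Inbound" DROP traffic is the server's
# reply, so the check is on the server address the VM talked to.
ALERT_RULES = {
    "ET DROP Spamhaus DROP Listed Traffic Inbound":
        lambda f: in_drop_list(f.dst_ip),
    "ET INFO Executable Download from dotted-quad Host":
        lambda f: is_dotted_quad_host(f) and f.path.lower().endswith(".exe"),
    "ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile":
        lambda f: f.method == "GET" and TERSE_EXE_PATH.match(f.path) is not None,
    "ET POLICY PE EXE or DLL Windows file download HTTP":
        is_mz_response,
    "ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response":
        lambda f: is_dotted_quad_host(f) and is_mz_response(f),
}


def evaluate(flows):
    """Return {flow_index: [alert names]} for every flow that trips a rule."""
    hits = {}
    for i, flow in enumerate(flows):
        fired = [name for name, cond in ALERT_RULES.items() if cond(flow)]
        if fired:
            hits[i] = fired
    return hits


def hosts_without_dns(flows, dns_answers):
    """Server IPs contacted although no DNS answer in the capture resolved to
    them: the 'Communicates with host for which no DNS query was performed' case."""
    resolved = {ip for ips in dns_answers.values() for ip in ips}
    return sorted({f.dst_ip for f in flows if f.dst_ip not in resolved})


# Constructed sample capture (not from the report): one direct-IP fetch of a
# terse .exe, one benign page, one .exe from a named CDN host.
SAMPLE_FLOWS = [
    HttpFlow("203.0.113.10", "203.0.113.10", "GET", "/753.exe", 200, b"MZ\x90\x00"),
    HttpFlow("198.51.100.5", "example.com", "GET", "/news/index.html", 200, b"<!DOCTYPE"),
    HttpFlow("198.51.100.9", "cdn.example.net", "GET", "/abc123.exe", 200, b"MZ\x90\x00"),
]
SAMPLE_DNS = {"example.com": {"198.51.100.5"}, "cdn.example.net": {"198.51.100.9"}}

if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_FLOWS).items():
        print(f"flow {idx}: {SAMPLE_FLOWS[idx].host}{SAMPLE_FLOWS[idx].path}")
        for name in names:
            print("   ", name)
    print("contacted without DNS:", hosts_without_dns(SAMPLE_FLOWS, SAMPLE_DNS))
```

The named CDN fetch in the sample trips only the terse-name and PE-download rules, which is why the dotted-quad alerts are the higher-signal ones: a legitimate updater almost never fetches `/<digits>.exe` from a raw IP.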
PE API

IAT (Import Address Table)

| Library | IAT address | Function |
|---|---|---|
| SHLWAPI.dll | 0x402090 | PathFileExistsW |
| MSVCRT.dll | 0x402040 | __set_app_type |
| MSVCRT.dll | 0x402044 | _except_handler3 |
| MSVCRT.dll | 0x402048 | __p__fmode |
| MSVCRT.dll | 0x40204c | _controlfp |
| MSVCRT.dll | 0x402050 | __p__commode |
| MSVCRT.dll | 0x402054 | _adjust_fdiv |
| MSVCRT.dll | 0x402058 | __setusermatherr |
| MSVCRT.dll | 0x40205c | _initterm |
| MSVCRT.dll | 0x402060 | __getmainargs |
| MSVCRT.dll | 0x402064 | _acmdln |
| MSVCRT.dll | 0x402068 | exit |
| MSVCRT.dll | 0x40206c | _XcptFilter |
| MSVCRT.dll | 0x402070 | _exit |
| MSVCRT.dll | 0x402074 | srand |
| MSVCRT.dll | 0x402078 | wcslen |
| MSVCRT.dll | 0x40207c | rand |
| MSVCRT.dll | 0x402080 | memset |
| WININET.dll | 0x4020a0 | InternetCloseHandle |
| WININET.dll | 0x4020a4 | InternetOpenUrlW |
| WININET.dll | 0x4020a8 | InternetOpenW |
| WININET.dll | 0x4020ac | InternetReadFile |
| urlmon.dll | 0x4020b4 | URLDownloadToFileW |
| KERNEL32.dll | 0x402010 | DeleteFileW |
| KERNEL32.dll | 0x402014 | WriteFile |
| KERNEL32.dll | 0x402018 | Sleep |
| KERNEL32.dll | 0x40201c | CreateFileW |
| KERNEL32.dll | 0x402020 | GetModuleHandleA |
| KERNEL32.dll | 0x402024 | CreateProcessW |
| KERNEL32.dll | 0x402028 | CloseHandle |
| KERNEL32.dll | 0x40202c | SetFileAttributesW |
| KERNEL32.dll | 0x402030 | GetStartupInfoA |
| KERNEL32.dll | 0x402034 | GetTickCount |
| KERNEL32.dll | 0x402038 | ExpandEnvironmentStringsW |
| USER32.dll | 0x402098 | wsprintfW |
| ADVAPI32.dll | 0x402000 | RegSetValueExW |
| ADVAPI32.dll | 0x402004 | RegCloseKey |
| ADVAPI32.dll | 0x402008 | RegOpenKeyExW |
| SHELL32.dll | 0x402088 | ShellExecuteW |

EAT (Export Address Table): none
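The import table is small enough to read as a capability list: `URLDownloadToFileW` (plus the WinINet trio) for the download, `CreateProcessW`/`ShellExecuteW` for running what was fetched, `RegOpenKeyExW`/`RegSetValueExW` for the autorun entry, `SetFileAttributesW` for the hidden-file signature, `DeleteFileW` for removing a downloaded-file marker, and `Sleep` for the delay. Just as useful is what is missing: nothing here resumes a thread in another process, so the "Resumed a suspended thread in a remote process" signature must come from the downloaded second stage or from an API resolved at run time, not from this binary's static imports. The block below is an added example (not the sandbox's own rule set) that encodes that cross-check as a small rule table over the IAT exactly as listed above, and also recomputes an imphash with pefile's algorithm (library name lower-cased and stripped of its `.dll` suffix, function name lower-cased, joined in import order, MD5) so the listed order can be compared against the report's value of d4fccbf39f0b0e9e3b5577d3527b4e69. The capability-to-signature mapping is this example's heuristic; the report's listing order is assumed to be the import-directory order, and if the hashes differ that assumption is wrong and the hash should be recomputed from the binary.

```python
"""Import-based triage of the IAT listed above: which sandbox signatures the
static imports can account for, which they cannot, and the imphash of the
listed import order (pefile's algorithm) for comparison with the report."""
import hashlib

# IAT as listed in the report, in the report's order (library -> functions).
IAT = {
    "SHLWAPI.dll": ["PathFileExistsW"],
    "MSVCRT.dll": ["__set_app_type", "_except_handler3", "__p__fmode", "_controlfp",
                   "__p__commode", "_adjust_fdiv", "__setusermatherr", "_initterm",
                   "__getmainargs", "_acmdln", "exit", "_XcptFilter", "_exit",
                   "srand", "wcslen", "rand", "memset"],
    "WININET.dll": ["InternetCloseHandle", "InternetOpenUrlW", "InternetOpenW",
                    "InternetReadFile"],
    "urlmon.dll": ["URLDownloadToFileW"],
    "KERNEL32.dll": ["DeleteFileW", "WriteFile", "Sleep", "CreateFileW",
                     "GetModuleHandleA", "CreateProcessW", "CloseHandle",
                     "SetFileAttributesW", "GetStartupInfoA", "GetTickCount",
                     "ExpandEnvironmentStringsW"],
    "USER32.dll": ["wsprintfW"],
    "ADVAPI32.dll": ["RegSetValueExW", "RegCloseKey", "RegOpenKeyExW"],
    "SHELL32.dll": ["ShellExecuteW"],
}

# (capability, report signature it would explain, alternatives). Each alternative
# is a set of imports that must all be present; the first satisfied one wins.
# This mapping is the example's own heuristic, not the sandbox's rule set.
CAPABILITIES = [
    ("HTTP download to file",
     "An executable file was downloaded by the process 753.exe",
     [{"URLDownloadToFileW"}, {"InternetOpenUrlW", "InternetReadFile", "WriteFile"}]),
    ("execute a dropped file",
     "Drops a binary and executes it",
     [{"CreateProcessW"}, {"ShellExecuteW"}]),
    ("registry value write (autorun key candidate)",
     "Installs itself for autorun at Windows startup",
     [{"RegOpenKeyExW", "RegSetValueExW"}]),
    ("set hidden/system file attributes",
     "Creates hidden or system file",
     [{"SetFileAttributesW"}]),
    ("delete a file or alternate data stream",
     "Attempts to remove evidence of file being downloaded from the Internet",
     [{"DeleteFileW"}]),
    ("delay execution",
     "A process attempted to delay the analysis task",
     [{"Sleep"}]),
    ("resume a thread in another process",
     "Resumed a suspended thread in a remote process potentially indicative of process injection",
     [{"ResumeThread"}, {"NtResumeThread"}]),
]


def imported_functions(iat):
    return {fn for funcs in iat.values() for fn in funcs}


def assess(iat):
    """capability -> (signature, imports that satisfied it), for satisfied rules."""
    present = imported_functions(iat)
    found = {}
    for capability, signature, alternatives in CAPABILITIES:
        for needed in alternatives:
            if needed <= present:
                found[capability] = (signature, sorted(needed))
                break
    return found


def unexplained_signatures(iat):
    """Report signatures with no supporting import in this IAT: the behaviour
    belongs to a later stage or to an API resolved at run time."""
    explained = {sig for sig, _ in assess(iat).values()}
    return [sig for _, sig, _ in CAPABILITIES if sig not in explained]


def imphash_input(iat):
    """The 'lib.func,...' string pefile hashes: library lower-cased with a
    .dll/.ocx/.sys suffix removed, function lower-cased, import order kept."""
    parts = []
    for dll, funcs in iat.items():
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{fn.lower()}" for fn in funcs)
    return ",".join(parts)


def imphash(iat):
    return hashlib.md5(imphash_input(iat).encode("ascii")).hexdigest()


if __name__ == "__main__":
    for cap, (sig, via) in assess(IAT).items():
        print(f"[+] {cap} via {', '.join(via)}\n    corroborates: {sig}")
    for sig in unexplained_signatures(IAT):
        print(f"[-] no static import supports: {sig}")
    print("imphash of listed order:", imphash(IAT),
          "(report: d4fccbf39f0b0e9e3b5577d3527b4e69)")
```

The registry rule deliberately stops at "autorun key candidate": imports prove a value write, but which key was written comes only from the sandbox's API trace, and the same goes for the `DeleteFileW` target. Treat the import view as corroboration of the dynamic signatures, never as a substitute for them.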