Field | Value
---|---
Created | 2021.09.23 10:10
Machine | s1_win7_x6401
Filename | file6.exe
Type | MS-DOS executable, MZ for MS-DOS
AI Score | 
Behavior Score | 
ZERO API | file : malware
VT API (file) | 31 detected (malicious, high confidence, GenericKD, Unsafe, GenKryptik, Attribute, HighConfidence, FKCK, Racealer, FileRepMalware, StellarStealer, thkkc, Sabsik, RWBGEG, score, Artemis, ai score=88, BScope, Foreign, R002H0DIK21, Static AI, Suspicious PE)
md5 | a92ecf7fef1451c1ebd6f7886a9e22d5
sha256 | 40f4f7b3233351e4885a1758cd4eb0981dc5361aa7a354a981ed3ed6363f53ae
ssdeep | 24576:GnrOChfE476dtiw8t+cZHlcBIfej4gRgq16CeRrLs1/cLG4pNdWgWu33Mqz2:GrOC9EEOixtjSBWeMgt6CeRk1/cLG4p3
imphash | 4f0265512a1363fc11fe0c410b950baf
impfuzzy | 6:nERGDfAGavEKFAUKXPMKobGeSc9Q3c2AxyTO6LO7dplYWYE+cEWKC6zAn:EcDfAYK5KjHN3c2A+O6LOTlYKrKCKAn
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
watch | Checks for the presence of known windows from debuggers and forensic tools |
watch | Checks the BIOS version |
watch | Detects Virtual Machines through their custom firmware |
watch | Detects VirtualBox through the presence of a registry key |
watch | Detects VMware through the `in` instruction feature |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Expresses interest in specific running processes |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | MPRESS_Zero | MPRESS packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library

Library | Address | Function
---|---|---
KERNEL32.DLL | 0x731118 | GetModuleHandleA
KERNEL32.DLL | 0x73111c | GetProcAddress
USER32.dll | 0x731124 | wsprintfW
GDI32.dll | 0x73112c | BitBlt
ADVAPI32.dll | 0x731134 | GetTokenInformation
SHELL32.dll | 0x73113c | SHGetFolderPathA
ole32.dll | 0x731144 | CoInitialize
USERENV.dll | 0x73114c | GetUserProfileDirectoryA
ktmw32.dll | 0x731154 | CreateTransaction
crypt.dll | 0x73115c | BCryptDecrypt
CRYPT32.dll | 0x731164 | CryptStringToBinaryA
SHLWAPI.dll | 0x73116c | StrCmpNW
WINHTTP.dll | 0x731174 | WinHttpSendRequest
gdiplus.dll | 0x73117c | GdiplusStartup

EAT (Export Address Table): none