Field | Value |
---|---|
Created | 2021.09.25 11:11 |
Machine | s1_win7_x6402 |
Filename | vida.exe |
Type | MS-DOS executable, MZ for MS-DOS |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 22 detected (AIDetect, malware2, malicious, high confidence, Artemis, Unsafe, Save, Attribute, HighConfidence, R + Mal, EncPk, KVMH008, kcloud, Sabsik, ZexaF, 6nuaaeoIMhnO, BScope, Wacatac, Static AI, Suspicious PE, Score, confidence, 100%) |
md5 | f22c9479a75f069c121ca390b35d3541 |
sha256 | cb892b4b5ea77832886be5bfe2ba04ada67bcdfb7501c1832389caa005ef31bd |
ssdeep | 49152:f0go55qAJy2AhOGK7qlWfAWSTUvVg3l+:sh5xJy2KxK+fTOg1 |
imphash | 96778352d99ca84b52328b0725ee1935 |
impfuzzy | 3:sUx2AEZsS9KTXz/HAAfKVSM3YdTiEJSbWyA8xHblKS5g8Az8EVML3qyMGARLBAJX:nERGDfArvY5iEMbfNvAz8EBKbSs6XEaA |
Signatures (13)
Level | Description |
---|---|
warning | File has been identified by 22 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Checks for the presence of known windows from debuggers and forensic tools |
watch | Checks the version of Bios |
watch | Detects Virtual Machines through their custom firmware |
watch | Detects VirtualBox through the presence of a registry key |
watch | Detects VMware through the IN instruction feature |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Expresses interest in specific running processes |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | MPRESS_Zero | MPRESS packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table)
Library | Address | Function |
---|---|---|
KERNEL32.DLL | 0x80c0b4 | GetModuleHandleA |
KERNEL32.DLL | 0x80c0b8 | GetProcAddress |
USER32.dll | 0x80c0c0 | GetDesktopWindow |
ADVAPI32.dll | 0x80c0c8 | GetUserNameA |
SHELL32.dll | 0x80c0d0 | SHFileOperationA |
SHLWAPI.dll | 0x80c0d8 | PathMatchSpecW |
PSAPI.DLL | 0x80c0e0 | GetModuleFileNameExA |
WININET.dll | 0x80c0e8 | DeleteUrlCacheEntry |
gdiplus.dll | 0x80c0f0 | GdipGetImageEncodersSize |
EAT (Export Address Table): none