ScreenShot
| Created | 2021.09.27 08:22 | Machine | s1_win7_x6402 |
| Filename | Zenar.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 17 detected (Artemis, Save, malicious, CoinMiner, MalwareX, ASBOL, Phonzy, score, Dyqd, Static AI, Malicious PE) | ||
| md5 | 844b7e033c078ed67b52558b5d891741 | ||
| sha256 | eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50 | ||
| ssdeep | 6144:xiqISqZfg//N7V8mIrf8y7ABqYWqjTf1ECB/N1:xz7zVRLix7ABwq/fmk3 | ||
| imphash | d8015d2a3e764c340a134c25fbcfa53b | ||
| impfuzzy | 6:/OA/BJAEoZ/OEGDzyRXchb1KSZozA5Bo46L:/OcABZG/DzKSIA5BLU | ||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| warning | Stops Windows services |
| watch | File has been identified by 17 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| watch | One or more non-whitelisted processes were created |
| watch | Operates on local firewall's policies and settings |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
dxgi.dll
0x14007627c CreateDXGIFactory
KERNEL32.DLL
0x14007628c LoadLibraryA
0x140076294 ExitProcess
0x14007629c GetProcAddress
0x1400762a4 VirtualProtect
ole32.dll
0x1400762b4 CoInitializeEx
SHELL32.dll
0x1400762c4 ShellExecuteW
urlmon.dll
0x1400762d4 URLDownloadToFileW
USER32.dll
0x1400762e4 ShowWindow
WININET.dll
0x1400762f4 InternetOpenW
EAT(Export Address Table) is none
dxgi.dll
0x14007627c CreateDXGIFactory
KERNEL32.DLL
0x14007628c LoadLibraryA
0x140076294 ExitProcess
0x14007629c GetProcAddress
0x1400762a4 VirtualProtect
ole32.dll
0x1400762b4 CoInitializeEx
SHELL32.dll
0x1400762c4 ShellExecuteW
urlmon.dll
0x1400762d4 URLDownloadToFileW
USER32.dll
0x1400762e4 ShowWindow
WININET.dll
0x1400762f4 InternetOpenW
EAT(Export Address Table) is none