Field | Value |
---|---|
Created | 2021.09.28 15:59 |
Machine | s1_win7_x6402 |
Filename | update.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 37 detected (Racealer, malicious, high confidence, GenericKD, confidence, Attribute, HighConfidence, Raccoon, Artemis, Redcap, wuyrr, Sabsik, score, ai score=81, R002H0CIQ21, NjtAyz0lZyU, Static AI, Suspicious PE, InvalidSig, VMProtectPacked, ZexaF, @J2@aWAiToeO, PWSX) |
md5 | 4f103b3d193ab688e6595b09ca78c759 |
sha256 | fa6dd5eb60f0cd975e9429dc2cc97362c542f4fd001d1d99995484215da3377e |
ssdeep | 98304:Vi0rWB4KuIEoGHKRsH9sXUlkaZRkBqdpmvz6WcO6oxrk+kv:k54Ku2GyXzaQPverIxkv |
imphash | 5b9290431b366a1252cf05522cb28180 |
impfuzzy | 12:vYK5KjHN3c2A+O6LOTlYKrKCKA4Q5kBZGoQtXJxZGb9AJcDfA5kLfP9m:vYK5K7K2ZOuCSKGXQ58QtXJHc9NDI5Q8 |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x7ed000 GetVersionExW
USER32.dll
0x7ed008 wsprintfW
GDI32.dll
0x7ed010 BitBlt
ADVAPI32.dll
0x7ed018 GetTokenInformation
SHELL32.dll
0x7ed020 SHGetFolderPathA
ole32.dll
0x7ed028 CoInitialize
USERENV.dll
0x7ed030 GetUserProfileDirectoryA
ktmw32.dll
0x7ed038 CreateTransaction
crypt.dll
0x7ed040 BCryptDecrypt
CRYPT32.dll
0x7ed048 CryptStringToBinaryA
SHLWAPI.dll
0x7ed050 StrCmpNW
WINHTTP.dll
0x7ed058 WinHttpSendRequest
gdiplus.dll
0x7ed060 GdiplusStartup
WTSAPI32.dll
0x7ed068 WTSSendMessageW
KERNEL32.dll
0x7ed070 VirtualQuery
USER32.dll
0x7ed078 GetProcessWindowStation
KERNEL32.dll
0x7ed080 LocalAlloc
0x7ed084 LocalFree
0x7ed088 GetModuleFileNameW
0x7ed08c GetProcessAffinityMask
0x7ed090 SetProcessAffinityMask
0x7ed094 SetThreadAffinityMask
0x7ed098 Sleep
0x7ed09c ExitProcess
0x7ed0a0 FreeLibrary
0x7ed0a4 LoadLibraryA
0x7ed0a8 GetModuleHandleA
0x7ed0ac GetProcAddress
USER32.dll
0x7ed0b4 GetProcessWindowStation
0x7ed0b8 GetUserObjectInformationW
EAT (Export Address Table): none