Field | Value |
---|---|
Created | 2021.09.30 09:36 |
Machine | s1_win7_x6402 |
Filename | Zenar_protected.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 27 detected (Agentb, trtl, malicious, high confidence, score, Artemis, confidence, Razy, a variant of Generik, IWMZXNV, Generic Reputation PUA, AGEN, ai score=86, kcloud, Sabsik, R002H0CIT21, Static AI, Malicious PE, PossibleThreat) |
md5 | ab40d2395f7abeee43552ae6a750044d |
sha256 | bcc26c979a4d7b0afec88bdf7c864e965db3041616acea4cda1874ba476e74e0 |
ssdeep | 98304:MlVyw8BbPnvCR7znpN+gDn6Vj0mwLCZft9tDaQzLmXo48qBEt3730Z4e+Q:MlVyB7CFHDn6VjP+CZLVAXsq470Zr+ |
imphash | fe4b72c1e87d00ec8a399de3b4432210 |
impfuzzy | 3:sUx2AEJtFaAtdTiEJSbWmAgYbRA2yLMRMExAeGK6ySoMfA1MLOALYVcn:nEJt5t5iEMbK19yc1SZoGLOAT |
Network IP location
Signature (6cnts)
Level | Description |
---|---|
warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
watch | Tries to unhook Windows functions monitored by Cuckoo |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | themida_packer | themida packer | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x140070178 GetModuleHandleA
USER32.dll
0x140070188 ShowWindow
ADVAPI32.dll
0x140070198 GetUserNameA
SHELL32.dll
0x1400701a8 SHGetSpecialFolderPathW
ole32.dll
0x1400701b8 CoInitializeEx
urlmon.dll
0x1400701c8 URLDownloadToFileW
dxgi.dll
0x1400701d8 CreateDXGIFactory
EAT(Export Address Table) is none