Field | Value |
---|---|
Created | 2021.10.05 17:57 |
Machine | s1_win7_x6401 |
Filename | intel.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 60 detected (RammitNNA, Nimnul, tn4U, malicious, high confidence, score, Ramnit, Unsafe, confidence, 100%, eslalb, RmnDrp, CLASSIC, A + W32, MUPX, Gen@24tbus, Rmnet, Static AI, Malicious PE, ASVirus, Infected, kcloud, se59456, ai score=80, FileInfector, Cosmu) |
md5 | 47c116db3f0e5d536352aaecbbc7d6b6 |
sha256 | bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90 |
ssdeep | 3072:Y1HXx5/ddPgS99gzAMuAwUJJRD5jw2YBc7ipa+P/5y+mgZiTnBz/n2:85/DgfnuANJRDK2Y7/5y+VsZ/ |
imphash | 6ed4f5f04d62b18d96b26d6db7c18840 |
impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Ramnit malware indicators found |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Checks amount of memory in system |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.DLL
0x426028 LoadLibraryA
0x42602c ExitProcess
0x426030 GetProcAddress
0x426034 VirtualProtect
EAT (Export Address Table): none