ScreenShot
| Created | 2021.10.06 13:50 | Machine | s1_win7_x6403_us |
| Filename | new.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 3c4bb0d8ea06d2b95ee937a82a860d69 | ||
| sha256 | 5368d720c17234fa4aac42b20464b7d0a0fb02436a67dd65d088f3488ece563f | ||
| ssdeep | 24576:50l9FjBRhJQ06bwIsNdvh+RB8dBxw9QVxiFaDxuLrPQY+/voV+VjHd976Dr7RMyS:58zYUJmWdM5SgQmfRDk7 | ||
| imphash | 4328f7206db519cd4e82283211d98e83 | ||
| impfuzzy | 3:sUx2AEBquLdAIEK:nEBqMf | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | File has been identified by 16 AntiVirus engines on VirusTotal as malicious |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Performs some HTTP requests |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | One or more processes crashed |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (3cnts) ?
Suricata ids
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PE EXE or DLL Windows file download HTTP
PE API
IAT(Import Address Table) Library
kernel32.dll
0x47a078 GetModuleHandleA
mscoree.dll
0x47a080 _CorExeMain
EAT(Export Address Table) is none
kernel32.dll
0x47a078 GetModuleHandleA
mscoree.dll
0x47a080 _CorExeMain
EAT(Export Address Table) is none