ScreenShot
Created | 2021.10.11 10:26 | Machine | s1_win7_x6401 |
Filename | 5t6yujh.exe | ||
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 40 detected (malicious, high confidence, PowerShell, GenericKDZ, Artemis, Unsafe, Save, GoCLR, a variant of WinGo, Bulz, WinGo, gzxxe, Score, 100%, Redcap, ikbih, kcloud, Wacatac, R442164, ai score=81, R002C0WJ921, HackTool, CLASSIC, Static AI, Suspicious PE, confidence) | ||
md5 | 211ca7c8d5fd20f7dcaebdbe354662be | ||
sha256 | aefb4a2472f0517d58cae7e5e0c9c51b4e36b39f6096dbffc6b8cc18d0be7175 | ||
ssdeep | 49152:sr/U2Wrb/T/vO90dL3BmAFd4A64nsfJ1gBO55+1TEf1q7NOVuZnsm/QBrkdL+DLk:srDnOOWmAQQQQQQQQQQQQQ | ||
imphash | c7269d59926fa4252270f407e4dab043 | ||
impfuzzy | 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6tP:K5O+VAXOmGx0oP |
Network IP location
Signature (20cnts)
Level | Description |
---|---|
danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
watch | Creates a suspicious Powershell process |
watch | Deletes executed files from disk |
watch | Detects the presence of Wine emulator |
watch | One or more non-whitelisted processes were created |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
danger | NPKI_Zero | File included NPKI | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x97e020 WriteFile
0x97e028 WriteConsoleW
0x97e030 WaitForMultipleObjects
0x97e038 WaitForSingleObject
0x97e040 VirtualQuery
0x97e048 VirtualFree
0x97e050 VirtualAlloc
0x97e058 SwitchToThread
0x97e060 SuspendThread
0x97e068 Sleep
0x97e070 SetWaitableTimer
0x97e078 SetUnhandledExceptionFilter
0x97e080 SetProcessPriorityBoost
0x97e088 SetEvent
0x97e090 SetErrorMode
0x97e098 SetConsoleCtrlHandler
0x97e0a0 ResumeThread
0x97e0a8 PostQueuedCompletionStatus
0x97e0b0 LoadLibraryA
0x97e0b8 LoadLibraryW
0x97e0c0 SetThreadContext
0x97e0c8 GetThreadContext
0x97e0d0 GetSystemInfo
0x97e0d8 GetSystemDirectoryA
0x97e0e0 GetStdHandle
0x97e0e8 GetQueuedCompletionStatusEx
0x97e0f0 GetProcessAffinityMask
0x97e0f8 GetProcAddress
0x97e100 GetEnvironmentStringsW
0x97e108 GetConsoleMode
0x97e110 FreeEnvironmentStringsW
0x97e118 ExitProcess
0x97e120 DuplicateHandle
0x97e128 CreateWaitableTimerExW
0x97e130 CreateThread
0x97e138 CreateIoCompletionPort
0x97e140 CreateFileA
0x97e148 CreateEventA
0x97e150 CloseHandle
0x97e158 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x97e020 WriteFile
0x97e028 WriteConsoleW
0x97e030 WaitForMultipleObjects
0x97e038 WaitForSingleObject
0x97e040 VirtualQuery
0x97e048 VirtualFree
0x97e050 VirtualAlloc
0x97e058 SwitchToThread
0x97e060 SuspendThread
0x97e068 Sleep
0x97e070 SetWaitableTimer
0x97e078 SetUnhandledExceptionFilter
0x97e080 SetProcessPriorityBoost
0x97e088 SetEvent
0x97e090 SetErrorMode
0x97e098 SetConsoleCtrlHandler
0x97e0a0 ResumeThread
0x97e0a8 PostQueuedCompletionStatus
0x97e0b0 LoadLibraryA
0x97e0b8 LoadLibraryW
0x97e0c0 SetThreadContext
0x97e0c8 GetThreadContext
0x97e0d0 GetSystemInfo
0x97e0d8 GetSystemDirectoryA
0x97e0e0 GetStdHandle
0x97e0e8 GetQueuedCompletionStatusEx
0x97e0f0 GetProcessAffinityMask
0x97e0f8 GetProcAddress
0x97e100 GetEnvironmentStringsW
0x97e108 GetConsoleMode
0x97e110 FreeEnvironmentStringsW
0x97e118 ExitProcess
0x97e120 DuplicateHandle
0x97e128 CreateWaitableTimerExW
0x97e130 CreateThread
0x97e138 CreateIoCompletionPort
0x97e140 CreateFileA
0x97e148 CreateEventA
0x97e150 CloseHandle
0x97e158 AddVectoredExceptionHandler
EAT(Export Address Table) is none