Field | Value |
---|---|
Created | 2021.10.14 17:35 |
Machine | s1_win7_x6402 |
Filename | farm_money.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 40 detected (malicious, high confidence, InjectNET, GenericKDZ, Unsafe, Donut, confidence, 100%, Eldorado, AGen, FileRepMalware, Ednc, Artemis, Redcap, dmttu, ai score=84, Sabsik, score, R444169, GenericRXAA, R002H0CJC21, AgentAGen) |
md5 | fa409741e16094bb8bc373d7b46742cd |
sha256 | c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8 |
ssdeep | 49152:47HPtc7WxLiwBM+/hO7ufPUWvcf5p/ZjlicJ6fuJ+Kjt1ph:eHPa7elm+/hTMlv/2cJ624Wt17 |
imphash | 27516fd8750f40bdecf52a1420a0296a |
impfuzzy | 6:HbJqX0pyxYJxSBS0H5sD4sIWvFoFUAliPEcJmJctD4tCcp4tWMB4:7Jq36Y58GaPXJmmtEvOb6 |
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Manipulates memory of a non-child process indicative of process injection |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table), by library
msvcrt.dll
0x5f21a0 strlen
0x5f21a8 malloc
0x5f21b0 memset
0x5f21b8 getenv
0x5f21c0 sprintf
0x5f21c8 printf
0x5f21d0 __argc
0x5f21d8 __argv
0x5f21e0 _environ
0x5f21e8 _XcptFilter
0x5f21f0 __set_app_type
0x5f21f8 _controlfp
0x5f2200 __getmainargs
0x5f2208 exit
kernel32.dll
0x5f2218 Sleep
0x5f2220 GetModuleFileNameA
0x5f2228 CreateProcessA
0x5f2230 CloseHandle
0x5f2238 SetUnhandledExceptionFilter
ntdll.dll
0x5f2248 NtAllocateVirtualMemory
0x5f2250 NtWriteVirtualMemory
0x5f2258 NtCreateThreadEx
EAT (Export Address Table): none