Report - DimenSaint.exe

VMProtect Malicious Library PE File PE32
Created 2021.11.01 10:30 Machine s1_win7_x6403
Filename DimenSaint.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 1
Behavior Score 3.2
ZERO API file : clean
VT API (file) 41 detected (AIDetect, malware2, Malicious, high confidence, score, Artemis, Unsafe, Save, GenericKD, ZexaF, @F0@a8dQmwgj, Eldorado, Attribute, HighConfidence, Vmprotbad, ET#93%, RDMK, cmRtazq+, jxfnxvq10YHpPBbmVCb, Malware@#1qignphq7o0u2, R002C0RJM21, ai score=84, Tnega, Static AI, Malicious PE, ADER, confidence, 100%)
md5 d1467f50022d8c25d69d80fceb9d2f32
sha256 578712ce5c4301ae924ae943567a192f352376f2c03edf348d362a3dcf23949c
ssdeep 98304:/itG8zJTB7V/+4FkXwStCejqIS9VONPKHvY6hlKCfGRAUW8Jr0A6SVUtT/+VBgjO:/+GIB7V/rFkXwACwqj9Vaig6rKwGRfWT
imphash 4fbc37a01c682e76f135ea1cbb670d70
impfuzzy 12:1o1zRgGUyVnGv6SW1vwKUtbLxdQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:wz2AGv6SW1s9LbQ58QtXJHc9NDI5Q8

Signature (7cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Foreign language identified in PE resource
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
info Checks amount of memory in system
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
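
The three packer signatures in the table (encrypted or compressed data, likely VMProtect, unknown section names) come from static checks on the PE section table. As an added example, not code from the report or from the sandbox, the script below implements those checks over constructed section contents: Shannon entropy per section, a membership test against a list of standard section names, and a match on VMProtect's default names `.vmp0`/`.vmp1`/`.vmp2`. The standard-name list, the 7.0-bit threshold and the sample bytes are assumptions for the example; in practice the (name, bytes) pairs would be read from the file with a PE parser such as pefile.

```python
import math
from typing import Dict, List, Tuple

# Section names emitted by the usual compilers and linkers. A name outside
# this set is what the report's last signature calls an "unknown PE section
# name"; the set is an assumption for this example, not the sandbox's own list.
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc",
    ".bss", ".tls", ".crt", ".xdata", ".debug", ".00cfg", ".gfids", "CODE", "DATA",
}

# VMProtect's default section names. The protector can be configured to use
# other names, so a match is a strong hint rather than proof, and absence of
# these names does not clear the file.
VMPROTECT_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}

# Threshold (assumption) above which a section is treated as compressed or
# encrypted; plain native code usually sits well below it.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def assess_sections(sections: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Apply the three static packer heuristics to (section name, raw bytes) pairs."""
    rows = []
    for name, raw in sections:
        rows.append({
            "name": name,
            "size": len(raw),
            "entropy": round(shannon_entropy(raw), 3),
            "unknown_name": name not in STANDARD_SECTIONS,
        })
    high = [r["name"] for r in rows if r["size"] and r["entropy"] >= HIGH_ENTROPY]
    unknown = [r["name"] for r in rows if r["unknown_name"]]
    vmp = [r["name"] for r in rows if r["name"] in VMPROTECT_SECTIONS]
    return {
        "sections": rows,
        "high_entropy_sections": high,      # "encrypted or compressed data"
        "unknown_section_names": unknown,   # "unknown PE section names"
        "likely_vmprotect": bool(vmp),      # "likely packed with VMProtect"
    }


# Constructed stand-ins for section contents; these are not bytes from DimenSaint.exe.
CONSTRUCTED_SECTIONS = [
    # repetitive x86-like prologue bytes plus a small table: moderate entropy
    (".text", b"\x55\x8b\xec" * 100 + bytes(range(64)) * 4),
    # every byte value equally often, as encrypted code looks: entropy 8.0
    (".vmp0", bytes(range(256)) * 8),
    # zero-filled resource area: entropy 0.0
    (".rsrc", b"\x00" * 512),
]

if __name__ == "__main__":
    verdict = assess_sections(CONSTRUCTED_SECTIONS)
    for row in verdict["sections"]:
        print(f"{row['name']:<8} {row['size']:>6} bytes  entropy={row['entropy']:.3f}"
              f"  unknown_name={row['unknown_name']}")
    print("high entropy:", verdict["high_entropy_sections"])
    print("unknown names:", verdict["unknown_section_names"])
    print("likely VMProtect:", verdict["likely_vmprotect"])
```

The "could be a false positive" qualifier on the section-name signature is the reason the three checks are reported separately: a custom linker section name alone proves nothing, while a high-entropy section that also carries a protector's default name is what moved this sample to the VMProtect rule.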

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch VMProtect_Zero VMProtect packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO
No network requests were recorded during the run. For a VMProtect-packed sample that does not rule out network capability: the IAT below imports URLDownloadToFileA, IsNetworkAlive, DeleteUrlCacheEntry and WSACleanup, so the payload may simply not have reached its network code inside the sandbox.

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0xc2a000 InterlockedDecrement
ADVAPI32.dll
 0xc2a008 RegCloseKey
SensApi.dll
 0xc2a010 IsNetworkAlive
USERENV.dll
 0xc2a018 CreateEnvironmentBlock
WTSAPI32.dll
 0xc2a020 WTSQueryUserToken
SHLWAPI.dll
 0xc2a028 PathStripPathA
WININET.dll
 0xc2a030 DeleteUrlCacheEntry
urlmon.dll
 0xc2a038 URLDownloadToFileA
PSAPI.DLL
 0xc2a040 EnumProcesses
WS2_32.dll
 0xc2a048 WSACleanup
WLDAP32.dll
 0xc2a050 None (no name recorded; typically an import by ordinal)
MSVCR100.dll
 0xc2a058 _strnicmp
WTSAPI32.dll
 0xc2a060 WTSSendMessageW
KERNEL32.dll
 0xc2a068 VirtualQuery
USER32.dll
 0xc2a070 GetProcessWindowStation
KERNEL32.dll
 0xc2a078 LocalAlloc
 0xc2a07c LocalFree
 0xc2a080 GetModuleFileNameW
 0xc2a084 GetProcessAffinityMask
 0xc2a088 SetProcessAffinityMask
 0xc2a08c SetThreadAffinityMask
 0xc2a090 Sleep
 0xc2a094 ExitProcess
 0xc2a098 FreeLibrary
 0xc2a09c LoadLibraryA
 0xc2a0a0 GetModuleHandleA
 0xc2a0a4 GetProcAddress
USER32.dll
 0xc2a0ac GetProcessWindowStation
 0xc2a0b0 GetUserObjectInformationW
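
The layout of this table is worth a caveat before reading it as the program's API surface: the same DLL appears in several descriptors with a single function each, and the only substantial block is the KERNEL32/USER32 set ending in LoadLibraryA, GetModuleHandleA and GetProcAddress. That is consistent with a VMProtect import-protection stub that keeps one entry per DLL so the loader still maps it and resolves the real imports at run time; the imphash on the summary line therefore tends to cluster samples by protector build as much as by payload. As an added example, not the report's or the sandbox's code, the script below shows how that imphash is derived from exactly this kind of listing, following the algorithm of pefile's `get_imphash` (lower-case `dll.function` strings in IAT order, extension stripped, MD5 of the comma-joined result). The sample reuses the first few descriptors from the listing; the ordinal 60 for the nameless WLDAP32 entry is a placeholder assumption because the report does not show the real one, so the computed hash is not expected to equal the report's value, and the `ordN` fallback is the generic form (pefile additionally maps ordinals of ws2_32.dll and oleaut32.dll back to names).

```python
import hashlib
from typing import Iterable, List, Sequence, Tuple, Union

# One IAT entry: a function name, or an ordinal number for a nameless entry.
Import = Union[str, int]
# One import descriptor: DLL name plus its entries in IAT order. A protector's
# stub table can repeat a DLL across several descriptors, as in the listing above.
Descriptor = Tuple[str, Sequence[Import]]


def normalize_dll(dll: str) -> str:
    """Lower-case the DLL name and drop a .dll/.ocx/.sys suffix, as pefile's get_imphash does."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return name


def import_string(descriptors: Iterable[Descriptor]) -> str:
    """Build the comma-joined 'dll.function' string that the imphash is the MD5 of."""
    parts: List[str] = []
    for dll, imports in descriptors:
        lib = normalize_dll(dll)
        for imp in imports:
            # Generic "ordN" form for nameless entries (pefile also resolves ordinals
            # of a few well-known DLLs to names; that table is omitted here).
            func = f"ord{imp}" if isinstance(imp, int) else imp.lower()
            parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(descriptors: Iterable[Descriptor]) -> str:
    """MD5 of the normalized import string; order of descriptors and entries matters."""
    return hashlib.md5(import_string(descriptors).encode("ascii")).hexdigest()


# Constructed sample: the first descriptors from the listing above, one entry each.
# Ordinal 60 for WLDAP32 is a placeholder; the report does not show the real ordinal.
SAMPLE: List[Descriptor] = [
    ("KERNEL32.dll", ["InterlockedDecrement"]),
    ("ADVAPI32.dll", ["RegCloseKey"]),
    ("SensApi.dll", ["IsNetworkAlive"]),
    ("PSAPI.DLL", ["EnumProcesses"]),
    ("WLDAP32.dll", [60]),
]

if __name__ == "__main__":
    print(import_string(SAMPLE))
    print("imphash:", imphash(SAMPLE))
    # Reordering descriptors changes the hash: imphash keys on IAT order, not on the set.
    print("reversed:", imphash(list(reversed(SAMPLE))))
```

Because the hash keys on order and on the exact set of stub entries, two unrelated payloads wrapped by the same VMProtect configuration can share an imphash while two builds of the same payload with different protection settings do not; treat it as a protector fingerprint here and rely on ssdeep or the behavioral signatures for payload similarity.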

EAT(Export Address Table) is none


