| Field | Value |
|---|---|
| Created | 2021.11.02 11:11 |
| Machine | s1_win7_x6403 |
| Filename | file.exe |
| Type | MS-DOS executable, MZ for MS-DOS |
| AI Score | |
| Behavior Score | |
| ZERO API | file : clean |
| VT API (file) | 20 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, ZexaF, br0@aGQQfYmi, Attribute, HighConfidence, GenKryptik, FMXS, Cridex, TrojanX, Score, Sabsik, Razy, BScope, Skipe, ET#87%, RDMK, cmRtazqU+DFo5yPe25DO+pND2vsz) |
| md5 | 3139e939a60a693862671d6b13741d3b |
| sha256 | 543c1df1becf83ebd6827cb6d1ad6f36e31f678a7ca5cf608971b7e3867fdc26 |
| ssdeep | 24576:NIoew+izW8U3TdHi8W6hJuSFpGIC2DVbGXdRs6:lewBy8U3TdHiubuEpGICmVbGDs6 |
| imphash | ef5956809c763f1379694f7eee70a306 |
| impfuzzy | 48:7/Vm93mY+06KJXkCukuJO9vP8+ugI3JkdhVbAf0S1KyX+wFIoPb598NTz95Sn6g3:bVm93mYz6K1uJIvP8+xSJUvbYx1Qpo |
Signature (11 counts)
| Level | Description |
|---|---|
warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to identify installed AV products by installation directory |
watch | Checks the CPU name from registry |
watch | Creates an executable file in a user folder |
watch | Deletes a large number of files from the system indicative of ransomware |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | Uses Windows utilities for basic Windows functionality |
info | Command line console output was observed |
Rules (15 counts)
| Level | Name | Description | Collection |
|---|---|---|---|
danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (0 counts)
| Request | CC | ASN Co | IP4 | Rule | ZERO |
|---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
advapi32.dll
0x4b1364 InitializeSecurityDescriptor
0x4b1368 ImpersonateSelf
0x4b136c GetLengthSid
0x4b1370 DecryptFileW
0x4b1374 SetSecurityDescriptorGroup
0x4b1378 AccessCheck
0x4b137c RegQueryValueExW
0x4b1380 GetSecurityInfo
0x4b1384 RegCreateKeyExW
0x4b1388 RegDeleteValueW
0x4b138c SetSecurityDescriptorDacl
0x4b1390 InitializeAcl
0x4b1394 GetSecurityDescriptorDacl
0x4b1398 OpenProcessToken
0x4b139c AddAccessAllowedAce
0x4b13a0 OpenThreadToken
0x4b13a4 RegCloseKey
0x4b13a8 AllocateAndInitializeSid
0x4b13ac GetTokenInformation
0x4b13b0 IsValidSecurityDescriptor
0x4b13b4 RegOpenKeyExA
0x4b13b8 SetSecurityDescriptorOwner
0x4b13bc GetUserNameW
0x4b13c0 SetEntriesInAclW
0x4b13c4 FreeSid
0x4b13c8 CreateProcessAsUserW
0x4b13cc FileEncryptionStatusW
0x4b13d0 SetSecurityInfo
0x4b13d4 LookupAccountSidW
0x4b13d8 BuildExplicitAccessWithNameW
0x4b13dc RevertToSelf
0x4b13e0 RegSetValueExW
0x4b13e4 RegOpenKeyExW
0x4b13e8 RegQueryValueExA
comctl32.dll
0x4b13f0 _TrackMouseEvent
comdlg32.dll
0x4b13f8 GetOpenFileNameW
gdi32.dll
0x4b1400 GetPixel
0x4b1404 RoundRect
0x4b1408 BitBlt
0x4b140c CreateSolidBrush
0x4b1410 DeleteObject
0x4b1414 GetTextExtentPoint32W
0x4b1418 StretchDIBits
0x4b141c CreateFontIndirectW
0x4b1420 GetDeviceCaps
0x4b1424 SetDIBitsToDevice
0x4b1428 CreateCompatibleDC
0x4b142c CreatePalette
0x4b1430 GetDIBits
0x4b1434 CreatePen
0x4b1438 GetStockObject
0x4b143c GetObjectW
0x4b1440 RealizePalette
0x4b1444 SelectObject
0x4b1448 SetPixel
0x4b144c CreateCompatibleBitmap
kernel32.dll
0x4b1454 GetModuleHandleW
0x4b1458 IsProcessorFeaturePresent
0x4b145c ExpandEnvironmentStringsA
0x4b1460 LoadLibraryExW
0x4b1464 InterlockedCompareExchange
0x4b1468 DeviceIoControl
0x4b146c FreeLibrary
0x4b1470 VerifyVersionInfoW
0x4b1474 GetStartupInfoW
0x4b1478 DeleteFileW
0x4b147c OutputDebugStringW
0x4b1480 CreateFileA
0x4b1484 GetModuleFileNameA
0x4b1488 GetVersionExW
0x4b148c CreateThread
0x4b1490 GetCurrentThreadId
0x4b1494 SetLastError
0x4b1498 LockResource
0x4b149c GetCurrentProcessId
0x4b14a0 GetCurrentProcess
0x4b14a4 InterlockedDecrement
0x4b14a8 GetLocaleInfoW
0x4b14ac VirtualProtect
0x4b14b0 CreateProcessW
0x4b14b4 QueryPerformanceCounter
0x4b14b8 DosDateTimeToFileTime
0x4b14bc GetLocalTime
0x4b14c0 GetComputerNameW
0x4b14c4 LeaveCriticalSection
0x4b14c8 DeleteCriticalSection
0x4b14cc ResetEvent
0x4b14d0 GetFullPathNameW
0x4b14d4 CreateFileW
0x4b14d8 ReadFile
0x4b14dc GetProcAddress
0x4b14e0 ReleaseMutex
0x4b14e4 SetErrorMode
0x4b14e8 CopyFileW
0x4b14ec lstrcmpiW
0x4b14f0 LoadLibraryA
0x4b14f4 OpenProcess
0x4b14f8 WideCharToMultiByte
0x4b14fc GetCommandLineA
0x4b1500 GetExitCodeProcess
0x4b1504 InterlockedIncrement
0x4b1508 InitializeCriticalSection
0x4b150c GlobalAlloc
0x4b1510 GetSystemDirectoryW
0x4b1514 LocalAlloc
0x4b1518 WaitForSingleObject
0x4b151c Sleep
0x4b1520 CloseHandle
0x4b1524 SetFilePointer
0x4b1528 InitializeCriticalSectionAndSpinCount
0x4b152c InterlockedExchange
0x4b1530 LoadLibraryW
0x4b1534 SetFileTime
0x4b1538 GetCurrentThread
0x4b153c GetModuleHandleA
0x4b1540 CreateDirectoryW
0x4b1544 LocalFree
0x4b1548 WriteFile
0x4b154c CreateEventW
0x4b1550 SetEvent
0x4b1554 CreateMutexW
0x4b1558 lstrlenW
0x4b155c GetCommandLineW
0x4b1560 LocalFileTimeToFileTime
0x4b1564 GetModuleFileNameW
0x4b1568 MoveFileExW
0x4b156c GetTempPathW
0x4b1570 GetFileAttributesW
0x4b1574 MultiByteToWideChar
0x4b1578 FindResourceW
0x4b157c IsDebuggerPresent
0x4b1580 RaiseException
0x4b1584 GetSystemTime
0x4b1588 VerSetConditionMask
0x4b158c GetFileTime
0x4b1590 WritePrivateProfileStringW
0x4b1594 EnterCriticalSection
0x4b1598 GetLastError
0x4b159c GlobalFree
0x4b15a0 MulDiv
0x4b15a4 LoadResource
0x4b15a8 GetPrivateProfileStringW
0x4b15ac OpenMutexW
ole32.dll
0x4b15b4 CoInitializeEx
shell32.dll
0x4b15bc CommandLineToArgvW
0x4b15c0 ShellExecuteExW
0x4b15c4 ShellExecuteW
shlwapi.dll
0x4b15cc PathIsRelativeA
user32.dll
0x4b15d4 ShowScrollBar
0x4b15d8 SetTimer
0x4b15dc IsChild
0x4b15e0 LoadCursorW
0x4b15e4 InflateRect
0x4b15e8 KillTimer
0x4b15ec SetForegroundWindow
0x4b15f0 SetRect
0x4b15f4 BringWindowToTop
0x4b15f8 ScreenToClient
0x4b15fc GetKeyState
0x4b1600 SendNotifyMessageW
0x4b1604 LoadImageW
0x4b1608 DrawStateW
0x4b160c SetCursor
0x4b1610 FindWindowW
0x4b1614 ReleaseDC
0x4b1618 GetClassLongW
0x4b161c PostMessageW
0x4b1620 GetClassNameW
0x4b1624 InvalidateRect
0x4b1628 IsRectEmpty
0x4b162c GetClientRect
0x4b1630 GetWindowRect
0x4b1634 SystemParametersInfoW
0x4b1638 GetDC
0x4b163c MessageBoxW
0x4b1640 SetClassLongW
0x4b1644 DestroyIcon
0x4b1648 GetLastActivePopup
0x4b164c SetCapture
0x4b1650 wsprintfW
0x4b1654 PtInRect
0x4b1658 CreateDialogParamA
0x4b165c UpdateWindow
0x4b1660 LoadStringW
0x4b1664 DrawIconEx
0x4b1668 SetRectEmpty
0x4b166c GetCursorPos
0x4b1670 SetWindowLongW
0x4b1674 CopyRect
0x4b1678 EnableWindow
0x4b167c ShowCaret
0x4b1680 ReleaseCapture
0x4b1684 LoadIconW
0x4b1688 SendMessageW
0x4b168c OffsetRect
0x4b1690 GetForegroundWindow
0x4b1694 GetParent
0x4b1698 FillRect
0x4b169c EnableScrollBar
0x4b16a0 TranslateAcceleratorW
0x4b16a4 GetSystemMetrics
0x4b16a8 GetActiveWindow
0x4b16ac GetWindowDC
0x4b16b0 GetDesktopWindow
wininet.dll
0x4b16b8 HttpQueryInfoW
0x4b16bc InternetOpenW
0x4b16c0 InternetCloseHandle
0x4b16c4 InternetOpenUrlW
EAT (Export Address Table): none