Field | Value
---|---
Created | 2021.12.30 10:58
Machine | s1_win7_x6403
Filename | OK.exe
Type | PE32 executable (console) Intel 80386, for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : malware
VT API (file) | 51 detected (malicious, high confidence, score, Perite, Pate, Parite, confidence, 100%, Pinfi, Heuristics, bysj, gen@1dp8c4, A + W32, ai score=83, FileInfector, ET#88%, RDMK, cmRtazoixqeM0mEvccfTKoTxDUaH, Static AI, Malicious PE)
md5 | 36c087cb423663c91959f045aa116c22
sha256 | 402410a6afb5e119cbabd9f69bbc5e22ed0f2777a459fc81e02feb737f45e706
ssdeep | 3072:ybVcCJGB0z9goLCg9yd7HhSqCNJ+KntK2g33dfEwIjYKlSMpPEpTptc:ybiCJK0+oWg9yd70NJPntiewIUKkMqI
imphash | 88f775776887c3897bf5575da16525a3
impfuzzy | 24:V0DfjgVG1BzeLDUdAh5h0XGHqXNELCA27uDkFTK:jc1leLwdAhj0XGKXNELCcF
Network IP location
Signature (3cnts)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO
---|---|---|---|---|---
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x402000 LoadLibraryA
0x402004 GetProcAddress
0x402008 WaitForSingleObject
0x40200c CreateEventA
0x402010 Sleep
0x402014 ExitProcess
0x402018 CreateThread
0x40201c VirtualAlloc
0x402020 GetCurrentProcessId
0x402024 GetCurrentThreadId
0x402028 GetTickCount
0x40202c QueryPerformanceCounter
0x402030 GetModuleHandleA
0x402034 SetUnhandledExceptionFilter
0x402038 UnhandledExceptionFilter
0x40203c GetCurrentProcess
0x402040 TerminateProcess
0x402044 InterlockedCompareExchange
0x402048 InterlockedExchange
0x40204c GetSystemTimeAsFileTime
msvcrt.dll
0x40207c _controlfp
0x402080 exit
0x402084 ?terminate@@YAXXZ
0x402088 __set_app_type
0x40208c _initterm
0x402090 __p__fmode
0x402094 __p__commode
0x402098 __setusermatherr
0x40209c _amsg_exit
0x4020a0 _XcptFilter
0x4020a4 _exit
0x4020a8 _cexit
0x4020ac __getmainargs
0x4020b0 ??1type_info@@UAE@XZ
0x4020b4 ??3@YAXPAX@Z
0x4020b8 __CxxFrameHandler3
0x4020bc ??2@YAPAXI@Z
0x4020c0 memset
0x4020c4 memcpy
0x4020c8 _except_handler4_common
WS2_32.dll
0x402054 WSAStartup
0x402058 gethostbyname
0x40205c socket
0x402060 recv
0x402064 WSACleanup
0x402068 send
0x40206c htons
0x402070 connect
0x402074 closesocket
EAT (Export Address Table): none