ScreenShot
| Created | 2022.01.16 22:51 | Machine | s1_win7_x6403 |
| Filename | 111.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 21 detected (AIDetect, malware1, Malicious, high confidence, Unsafe, Attribute, HighConfidence, ET#98%, RDMK, cmRtazptNDj6Wv4bQ6Ae6CoaajYM, Generic ML PUA, Obsidium, score, BScope, Static AI, Malicious PE, ZexaF, Nq3@a8F2l3fi, confidence) | ||
| md5 | bc8905c3958b8b5f581a9045d58c9966 | ||
| sha256 | 360f2daa601a407296f2a123346526c790bc1a03f974bad4379e0c534056182e | ||
| ssdeep | 12288:RoDmR0LSmXI1XOiQ3V11xOMGdzEVO60ZuNreSNcXf5R5y:Roa028I1XDUzh8DENCSNcXXQ | ||
| imphash | 71add84b94d4b4bc13ebdd0143d4adab | ||
| impfuzzy | 3:sUx2AEJtyQ8zqg/My6i3qX798SE:nEJtyDDwi3qL2SE | ||
Network IP location
Signature (28cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 21 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Checks for the presence of known devices from debuggers and forensic tools |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects VirtualBox through the presence of a device |
| watch | Harvests credentials from local email clients |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Expresses interest in specific running processes |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| watch | ASPack_Zero | ASPack packed file | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | TESTYARA | (no description) | binaries (download) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (6cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x48f064 GetModuleHandleA
user32.dll
0x48f074 EnumDisplayDevicesA
advapi32.dll
0x48f084 CryptCreateHash
comctl32.dll
0x48f094 CreateStatusWindowA
EAT(Export Address Table) is none
kernel32.dll
0x48f064 GetModuleHandleA
user32.dll
0x48f074 EnumDisplayDevicesA
advapi32.dll
0x48f084 CryptCreateHash
comctl32.dll
0x48f094 CreateStatusWindowA
EAT(Export Address Table) is none