ScreenShot
| Created | 2022.06.07 14:02 | Machine | s1_win7_x6403 |
| Filename | win.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 58 detected (FamVT, DumpModuleInfectiousNME, DownLoader18, VJadtre, GenericRI, S17164152, Kudj, FakeMS, ASPACK V2, malicious, FileInfector, PatchLoad, moderate confidence, Wapomi, Nimnul, Banload, cstqaj, Ramnit, Roue, CLASSIC, A + W32, MUPX, Gen@24tbus, Otwycal, Virut, high, score, Static AI, Malicious PE, Jadtre, ai score=89, Mikcer, Unsafe, Pcarrier, Probably Heur, ExeHeaderL, Loader, GenAsa, H41PVEbKGsY, CoinMiner, Nitol, confidence, 100%) | ||
| md5 | b238708a6c194f7cb92c8c50400a3a98 | ||
| sha256 | 78bd304c8dfe9bf2bdb139d0672d4aed6adde6686fbb6ed5e5420f955dc4de11 | ||
| ssdeep | 768:C7I0+FNSW3YO5z+b+hCFfH/YZIvb5c4QGPL4vzZq2o9W7GsxBbPr:C7I0ekW3Ft+eeYZK5cTGCq2iW7z | ||
| imphash | a3efcc970852f76f399fd867a4d6b207 | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EwcWZfxTQAGbK146Bj:VA/DzqYOZ9FpRm7c | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
| watch | Deletes executed files from disk |
| watch | Installs itself for autorun at Windows startup |
| notice | A process created a hidden window |
| notice | Creates a service |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Command line console output was observed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | ASPack_Zero | ASPack packed file | binaries (download) |
| watch | ASPack_Zero | ASPack packed file | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (10cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x411920 LoadLibraryA
0x411924 GetProcAddress
0x411928 VirtualProtect
0x41192c VirtualAlloc
0x411930 VirtualFree
0x411934 ExitProcess
ADVAPI32.dll
0x41193c RegOpenKeyA
iphlpapi.dll
0x411944 GetIfTable
MSVCRT.dll
0x41194c time
USER32.dll
0x411954 wsprintfA
WININET.dll
0x41195c InternetOpenA
WS2_32.dll
0x411964 inet_addr
EAT(Export Address Table) is none
KERNEL32.DLL
0x411920 LoadLibraryA
0x411924 GetProcAddress
0x411928 VirtualProtect
0x41192c VirtualAlloc
0x411930 VirtualFree
0x411934 ExitProcess
ADVAPI32.dll
0x41193c RegOpenKeyA
iphlpapi.dll
0x411944 GetIfTable
MSVCRT.dll
0x41194c time
USER32.dll
0x411954 wsprintfA
WININET.dll
0x41195c InternetOpenA
WS2_32.dll
0x411964 inet_addr
EAT(Export Address Table) is none