ScreenShot
| Created | 2022.10.10 19:27 | Machine | s1_win7_x6401 |
| Filename | Server_se.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 55 detected (AIDetect, malware1, lIx9, Symmi, Unsafe, Save, NoobyProtect, malicious, ABRisk, YHQG, Attribute, HighConfidence, high confidence, M suspicious, score, Farfli, cejj, jsxwrl, MalwareX, Osmw, Amtar, KNB@4wlm66, Siggen2, R002C0DJ722, high, Generic ML PUA, Static AI, Malicious PE, AGEN, ai score=85, ASBOL, kcloud, Tnega, Detected, R514498, TpoaHBHYiZI, ZexaF, 3uW@aiSjXkej, confidence, 100%) | ||
| md5 | 53460de37325b4979177f832ae51f9de | ||
| sha256 | bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1 | ||
| ssdeep | 24576:7stUx5NK+HjoSIIJ2thqogNSNOKt5apf7xesN7:gtIS+dJgRkSNO0Qpow | ||
| imphash | 320ffb3ead7d13ea9d4a4b7814c6523f | ||
| impfuzzy | 3:sU9KTXz5NAHWbW6LlKKySoMfAE/yVcJUNQZn23S/KnA1MJuE9SX1Atd9CA:HGDTLb+ZSZoEa2WWZn2yILe1IqA | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a service |
| notice | Creates executable files on the filesystem |
| notice | Foreign language identified in PE resource |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (8cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | Network_Downloader | File Downloader | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x526196 GetProcAddress
SHELL32.dll
0x5261a2 ShellExecuteA
urlmon.dll
0x5261ae URLDownloadToFileA
MSVCRT.dll
0x5261ba strncpy
IPHLPAPI.DLL
0x5261c6 GetInterfaceInfo
PSAPI.DLL
0x5261d2 GetMappedFileNameW
USER32.dll
0x5261de GetWindow
ADVAPI32.dll
0x5261ea RegDeleteKeyA
EAT(Export Address Table) is none
KERNEL32.dll
0x526196 GetProcAddress
SHELL32.dll
0x5261a2 ShellExecuteA
urlmon.dll
0x5261ae URLDownloadToFileA
MSVCRT.dll
0x5261ba strncpy
IPHLPAPI.DLL
0x5261c6 GetInterfaceInfo
PSAPI.DLL
0x5261d2 GetMappedFileNameW
USER32.dll
0x5261de GetWindow
ADVAPI32.dll
0x5261ea RegDeleteKeyA
EAT(Export Address Table) is none