ScreenShot
| Created | 2022.12.15 17:47 | Machine | s1_win7_x6403 |
| Filename | Client_zffz.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 8 detected (malicious, moderate confidence, confidence, R002H06K721, AutoIt) | ||
| md5 | 9a3e1eee1cc88d5e7955f8a42f9cce61 | ||
| sha256 | f450e7ab58e7ec8298127012ccc234e08f52fa004f579ab44459dcf081862824 | ||
| ssdeep | 12288:8HLUMuiv9RgfSjAzRty26xGJeMTE3Z2ap4srKWLZ6JCtXZYJfme:WtARD6EAMC41o6Jfme | ||
| imphash | af02ce4a4548e322a95ca15cb9608683 | ||
| impfuzzy | 12:VA/DzqYOZQDmP75m3EXV6KxLAkcOcTQQnd3mxCHXT:V0DBacq78El6KxLAkcOs2k3T | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable uses a known packer |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts) ?
Suricata ids
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4af444 LoadLibraryA
0x4af448 GetProcAddress
0x4af44c VirtualProtect
0x4af450 VirtualAlloc
0x4af454 VirtualFree
0x4af458 ExitProcess
ADVAPI32.dll
0x4af460 AddAce
COMCTL32.dll
0x4af468 ImageList_Remove
COMDLG32.dll
0x4af470 GetSaveFileNameW
GDI32.dll
0x4af478 BitBlt
MPR.dll
0x4af480 WNetGetConnectionW
ole32.dll
0x4af488 CoInitialize
OLEAUT32.dll
0x4af490 VariantTimeToSystemTime
PSAPI.DLL
0x4af498 EnumProcesses
SHELL32.dll
0x4af4a0 DragFinish
USER32.dll
0x4af4a8 GetDC
USERENV.dll
0x4af4b0 LoadUserProfileW
VERSION.dll
0x4af4b8 VerQueryValueW
WININET.dll
0x4af4c0 FtpOpenFileW
WINMM.dll
0x4af4c8 timeGetTime
WSOCK32.dll
0x4af4d0 recv
EAT(Export Address Table) is none
KERNEL32.DLL
0x4af444 LoadLibraryA
0x4af448 GetProcAddress
0x4af44c VirtualProtect
0x4af450 VirtualAlloc
0x4af454 VirtualFree
0x4af458 ExitProcess
ADVAPI32.dll
0x4af460 AddAce
COMCTL32.dll
0x4af468 ImageList_Remove
COMDLG32.dll
0x4af470 GetSaveFileNameW
GDI32.dll
0x4af478 BitBlt
MPR.dll
0x4af480 WNetGetConnectionW
ole32.dll
0x4af488 CoInitialize
OLEAUT32.dll
0x4af490 VariantTimeToSystemTime
PSAPI.DLL
0x4af498 EnumProcesses
SHELL32.dll
0x4af4a0 DragFinish
USER32.dll
0x4af4a8 GetDC
USERENV.dll
0x4af4b0 LoadUserProfileW
VERSION.dll
0x4af4b8 VerQueryValueW
WININET.dll
0x4af4c0 FtpOpenFileW
WINMM.dll
0x4af4c8 timeGetTime
WSOCK32.dll
0x4af4d0 recv
EAT(Export Address Table) is none