ScreenShot
| Created | 2023.01.20 08:04 | Machine | s1_win7_x6401 |
| Filename | payload | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 29 detected (malicious, moderate confidence, GenericKD, Artemis, MachineLearning, Anomalous, 100%, Save, ZexaF, Br1@aKOaCchi, GenCBL, Strab, Generic PUA LE, moderate, score, ai score=80, GrayWare, Wacapew, Sabsik, Unsafe, FileTour, CLASSIC) | ||
| md5 | 0d36a4e578fadabccbe15db03c722f6a | ||
| sha256 | c81d0001db2319c3774dff80f346801f493b45c92bd4e825895495158fdf2e9d | ||
| ssdeep | 24576:aaRWQtfxeCrudvcqhUN+N34UrNQwJho3ndFQhmu5NOVR5y6XA7j6y5vxp:vRtxeCr/qhz4UxQwvo3QrOj5y6wCy5vf | ||
| imphash | d8e1ce6efe964fd86ad73408ea71ada5 | ||
| impfuzzy | 6:HGDYBJAEtmVCyRlbcwnEpOLEOARyCyDiB9W:mDoAPCqvEpOovQCyey | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
| watch | Checks for the presence of known devices from debuggers and forensic tools |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects VirtualBox through the presence of a device |
| watch | Detects VirtualBox through the presence of a file |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Expresses interest in specific running processes |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x500050 GetProcAddress
0x500054 LoadLibraryA
0x500058 VirtualAlloc
0x50005c VirtualFree
0x500060 VirtualProtect
0x500064 GetVersionExA
0x500068 GetModuleHandleA
0x50006c GetCommandLineA
0x500070 GetStartupInfoA
USER32.dll
0x500078 EnumDisplayDevicesW
GDI32.dll
0x500080 GetDeviceCaps
EAT(Export Address Table) is none
KERNEL32.dll
0x500050 GetProcAddress
0x500054 LoadLibraryA
0x500058 VirtualAlloc
0x50005c VirtualFree
0x500060 VirtualProtect
0x500064 GetVersionExA
0x500068 GetModuleHandleA
0x50006c GetCommandLineA
0x500070 GetStartupInfoA
USER32.dll
0x500078 EnumDisplayDevicesW
GDI32.dll
0x500080 GetDeviceCaps
EAT(Export Address Table) is none