Field | Value |
---|---|
Created | 2023.03.14 17:28 |
Machine | s1_win7_x6403 |
Filename | niubi.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
ZERO API | file : malware |
VT API (file) | 47 detected (malicious, high confidence, DeepScan, KillMBR, Artemis, A9ge, Farfli, confidence, 100%, Attribute, HighConfidence, score, BackdoorX, Gencirc, R002C0DCD23, high, Static AI, Suspicious PE, XPACK, ai score=83, Pack, Popwin, ~IQ@ogvrk, Detected, BScope, unsafe, Gh0st, CLOUD, susgen, ZexaF, Myxaae2dOGab) |
md5 | ac9cc7a0d1a9e1cfde6591605f42a8d3 |
sha256 | 4e90491d7bfcb50079a2fc9795b8ae9c4bd9ee5b26913b075ea248f953c6b910 |
ssdeep | 12288:g2DDEEuqctaY5effnWQ7x7dJsPMR1F4fWDNo5F/oJBprSqYeJGDu12T6b:g2DoTqctaY5effnW8RDsXOvvY01bb |
imphash | 73ec795c6c369c6ce2c3b4c3f6477daa |
impfuzzy | 12:oAR0DaGsfGhqRJRke2V4TKLRmLF+Sg/m4T:B0DaLft2V4T/+Sg/1T |
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Foreign language identified in PE resource |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x605000 lstrcatA
0x605004 InitializeCriticalSection
0x605008 GetProcAddress
0x60500c LocalFree
0x605010 RaiseException
0x605014 LocalAlloc
0x605018 GetModuleHandleA
0x60501c LeaveCriticalSection
0x605020 EnterCriticalSection
0x605024 DuplicateHandle
0x605028 GetShortPathNameA
0x60502c ResumeThread
0x605030 WriteProcessMemory
0x605034 GetPrivateProfileSectionA
0x605038 GetStringTypeA
0x60503c LCMapStringW
0x605040 LCMapStringA
0x605044 RtlUnwind
0x605048 WideCharToMultiByte
0x60504c MultiByteToWideChar
0x605050 GetStringTypeW
USER32.dll
0x605058 DefWindowProcA
0x60505c AdjustWindowRectEx
EAT(Export Address Table) is none