Attribute | Value |
---|---|
Created | 2023.03.14 17:32 |
Machine | s1_win7_x6401 |
Filename | xinxin.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 47 detected (malicious, high confidence, DeepScan, KillMBR, Artemis, Vl3w, Farfli, confidence, 100%, Attribute, HighConfidence, score, BackdoorX, Gencirc, R002C0DCD23, high, XPACK, Pack, Popwin, ~IQ@ogvrk, Detected, BScope, ai score=80, unsafe, Gh0st, CLASSIC, Static AI, Suspicious PE, susgen, PossibleThreat, PALLASNET, ZexaF, MyxaaaLAL0bb) |
md5 | 1a5fed7b02d73b3589cebd2394fe7ce9 |
sha256 | d46dbbb40bf11bda9b1aa74d9d2550a73ab0ae6008270c2c541153cd4974a3dd |
ssdeep | 12288:0MDDEEuqctaY5effnWQ7x7dJsPMR1F4fWDNo5F/oJBprSqYeJGDH12AlgC9h:0MDoTqctaY5effnW8RDsXOvvYp19lgCf |
imphash | 73ec795c6c369c6ce2c3b4c3f6477daa |
impfuzzy | 12:oAR0DaGsfGhqRJRke2V4TKLRmLF+Sg/m4T:B0DaLft2V4T/+Sg/1T |
Network IP location
Signature (9 counts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Foreign language identified in PE resource |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
Rules (3 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x605000 lstrcatA
0x605004 InitializeCriticalSection
0x605008 GetProcAddress
0x60500c LocalFree
0x605010 RaiseException
0x605014 LocalAlloc
0x605018 GetModuleHandleA
0x60501c LeaveCriticalSection
0x605020 EnterCriticalSection
0x605024 DuplicateHandle
0x605028 GetShortPathNameA
0x60502c ResumeThread
0x605030 WriteProcessMemory
0x605034 GetPrivateProfileSectionA
0x605038 GetStringTypeA
0x60503c LCMapStringW
0x605040 LCMapStringA
0x605044 RtlUnwind
0x605048 WideCharToMultiByte
0x60504c MultiByteToWideChar
0x605050 GetStringTypeW
USER32.dll
0x605058 DefWindowProcA
0x60505c AdjustWindowRectEx
EAT (Export Address Table) is none