| Field | Value |
|---|---|
| Created | 2023.03.17 09:51 |
| Machine | s1_win7_x6403 |
| Filename | brg.exe |
| Type | MS-DOS executable, MZ for MS-DOS |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | 38 detected (AIDetectNet, Plite, lulu, unsafe, Save, malicious, confidence, 100%, ZexaF, gpuaauNxnVni, Attribute, HighConfidence, high confidence, score, Stealerc, FileRepMalware, Misc, CLOUD, VMProtBad, PRIVATELOADER, YXDCPZ, Ursnif, moderate, Static AI, Suspicious PE, Sabsik, StealC, Y3AFB5, Detected, Artemis, RecordStealer, susgen, PossibleThreat) |
| md5 | c10bf20ea8b2665099d89da5d09b2d7b |
| sha256 | 947c1743e36c320d3f644d9e295730a1a9037e3220be6cd47b6f3fd952e41ca2 |
| ssdeep | 98304:0kvMmqsKiM1SkrxPJrYS7KT1mvposTyD6:F0rsKN1lDEFQhosTQ6 |
| imphash | a2a3e6d4fc968e1e65b99fc8b576cc36 |
| impfuzzy | 3:sUx2AEZsS9KTXzn/cG/A7KHKSW4LL:nERGDfo7VSN/ |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Tries to locate where the browsers are installed |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | MPRESS_Zero | MPRESS packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library

- KERNEL32.DLL
  - 0xb09064 GetModuleHandleA
  - 0xb09068 GetProcAddress
- msvcrt.dll
  - 0xb09070 memcpy
- USER32.dll
  - 0xb09078 GetProcessWindowStation

EAT (Export Address Table): none