Field | Value |
---|---|
Created | 2023.03.17 17:58 |
Machine | s1_win7_x6401 |
Filename | HDU3.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 31 detected (GenericKD, GenericRI, S29850418, V0q6, malicious, confidence, Attribute, HighConfidence, moderate confidence, score, ZippyLoader, Dapato, R002C0DCE23, BadFile, moderate, adrr, tkfbf, ai score=89, Sabsik, GHXZ6U, Artemis, 3iivrlo7YP, susgen) |
md5 | 04694e5e78d0a3dcab0bfea22aa90cfe |
sha256 | 88262a78ce91985653afffc74d9938050e56113840efbc67ee98eb9483fe1f22 |
ssdeep | 12288:UdXvDWopdu11GNJGUOXOoDscvVqILhtgpiEg/ojnSFRsQOoS9cwMd:gv6oLM2GvXOoHdqIdsg/ojn4sQ9S9c1 |
imphash | 217175ecb4b918909da918aebf70d95a |
impfuzzy | 12:omRgNuD1FwBbmIYay4iWdABZG/DzQwv62Sn:Fou5FwBbAb7UC+Dswypn |
Network IP location
Signature (4cnts)
Level | Description |
---|---|
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | One or more processes crashed |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO TLS Handshake Failure
ET INFO Pastebin-style Service (textbin .net in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
advapi32.dll
0x140160118 RegCloseKey
api-ms-win-crt-heap-l1-1-0.dll
0x140160128 free
api-ms-win-crt-locale-l1-1-0.dll
0x140160138 _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll
0x140160148 __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll
0x140160158 exit
api-ms-win-crt-stdio-l1-1-0.dll
0x140160168 _set_fmode
crypt.dll
0x140160178 BCryptGenRandom
crypt32.dll
0x140160188 CertOpenStore
KERNEL32.DLL
0x140160198 LoadLibraryA
0x1401601a0 ExitProcess
0x1401601a8 GetProcAddress
0x1401601b0 VirtualProtect
ntdll.dll
0x1401601c0 NtCreateFile
secur32.dll
0x1401601d0 EncryptMessage
VCRUNTIME140.dll
0x1401601e0 memset
ws2_32.dll
0x1401601f0 send
EAT (Export Address Table): none