ScreenShot
Created | 2023.03.23 13:16 | Machine | s1_win7_x6403 |
Filename | Downloader.exe | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 59 detected (malicious, high confidence, Midie, AgentMF, S19993834, FBWZ, unsafe, Save, confidence, 100%, VBObfuse, VBTrojan, Maxi, score, Aizczvpi, xabduu, fxwldb, Xmhl, DownLoader30, REDLINE, YXDCVZ, Static AI, Suspicious PE, bdxz, Wacatac, Malware@#zmqidmwkoy54, Detected, Vobfus, R326912, ai score=84, 2XZfwNMewX, GenAsa, Ywn5wjDUu9s, susgen, Kryptik, HMTB, GdSda) | ||
md5 | 75d45ac139ac9630ef44d1952e574633 | ||
sha256 | 1ca7368f52844d39bf76fc1b84ab483f2e1ad0e8ef9969fd369c977cbcf2673e | ||
ssdeep | 96:kIVg6r1wCCbBarsanJtRHJeZW+RElJ869X/QNsgBSEnrtDINyncI+vL/mg56NM69:LVZZrDRgAKErnEnrtDINynT+vCgcNX9 | ||
imphash | 7561f617f3827674993d78a3c48f4610 | ||
impfuzzy | 3:rTHTNT6IJjZzIJRM0HIWTkP1nELBJyJIWnIhsUHEgV8WIhSHzICqkCKpeEjgGUz6:HHTNWIrzGq8rTG1nq4qWWTpTa6n |
Network IP location
Signature (10cnts)
Level | Description |
---|---|
danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
notice | An executable file was downloaded by the process downloader.exe |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
PE API
IAT(Import Address Table) Library
MSVBVM60.DLL
0x401000 None
0x401004 None
0x401008 DllFunctionCall
0x40100c __vbaExceptHandler
0x401010 None
0x401014 None
0x401018 None
0x40101c ProcCallEngine
0x401020 None
0x401024 None
EAT(Export Address Table) is none
MSVBVM60.DLL
0x401000 None
0x401004 None
0x401008 DllFunctionCall
0x40100c __vbaExceptHandler
0x401010 None
0x401014 None
0x401018 None
0x40101c ProcCallEngine
0x401020 None
0x401024 None
EAT(Export Address Table) is none