Field | Value
---|---
Created | 2023.03.24 18:12
Machine | s1_win7_x6401
Filename | huilang.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score | 
Behavior Score | 
ZERO API | file: malware
VT API (file) | 56 detected (detection-name fragments: loFa, DeepScan, Farfli, Save, malicious, confidence, 100%, LBET, Attribute, HighConfidence, moderate confidence, Kryptik, HCAH, score, jmvgmk, BackdoorX, Siggen11, R002C0DCH23, high, Static AI, Malicious PE, XPACK, ai score=88, GrayWare, Wacatac, FK@7jqjxo, Detected, Artemis, unsafe, CLOUD, GenAsa, gBhknYBDYco, susgen, ZexaF, hmGfa84CnWm)
md5 | f1ec2cf6256a7c8543586065a07da47a
sha256 | 8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895
ssdeep | 3072:yyETbqC8r+DfEnMIXRyGcCHwuWWDPD6QbF6sRa:DEyifMXfcCQ+DOpC
imphash | 6ed4f5f04d62b18d96b26d6db7c18840
impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn
Signatures (18)
Level | Description |
---|---|
danger | Connects to IP addresses that no longer respond to requests (legitimate services usually remain up and running) |
danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Expresses interest in specific running processes |
watch | Installs itself for autorun at Windows startup |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a service |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Checks amount of memory in system |
info | The executable uses a known packer |
Rules (5)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDs
ET INFO Executable Download from dotted-quad Host
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
PE API
IAT (Import Address Table) libraries

Only the four imports of the UPX loader stub are visible in the packed file; the stub uses LoadLibraryA and GetProcAddress to rebuild the real import table in memory after VirtualProtect has made the unpacked image executable, so the original program's imports (and a meaningful imphash) are only obtainable from a dumped or unpacked copy.

KERNEL32.DLL
0x462028 LoadLibraryA
0x46202c ExitProcess
0x462030 GetProcAddress
0x462034 VirtualProtect
EAT (Export Address Table): none
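The static rules in this report (PE_Header_Zero, IsPE32, UPX_Zero) and the "contains compressed data" and "uses a known packer" signatures boil down to a few header and entropy checks, and the imphash field is a hash over exactly the import list shown above. The following Python is an added example written for this page, not code from the sandbox or from the sample; it builds a constructed, non-loadable PE32 image in memory (section names, entropy and the `UPX!` marker are the only meaningful parts) and runs those checks on it, plus a pefile-style imphash over the four stub imports listed above. The helper names (`build_pe`, `triage`, `imphash`) are this example's own.

```python
"""Static triage checks mirroring the report's rule set, run on a constructed PE32 image."""
import hashlib
import math
import random
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_pe(sections, machine=IMAGE_FILE_MACHINE_I386, magic=PE32_MAGIC):
    """Constructed test image: DOS header, NT headers, section table, raw section data.
    Only the fields the checks below read are filled in; the image is not loadable."""
    e_lfanew = 0x80
    dos = (IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = struct.pack("<H", magic) + b"\0" * 94          # PE32 optional header is 96 bytes
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdr_len = e_lfanew + 4 + 20 + len(opt) + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                 # raw data starts 512-byte aligned
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    image = dos + IMAGE_NT_SIGNATURE + coff + opt + table
    return image.ljust((hdr_len + 0x1FF) & ~0x1FF, b"\0") + blobs


def nt_header_offset(data):
    """PE_Header_Zero: 'MZ' at 0, e_lfanew in bounds, 'PE\\0\\0' at e_lfanew; else None."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    return e_lfanew


def is_pe32(data):
    """IsPE32: i386 machine type and a PE32 (0x10b) optional-header magic, not PE32+."""
    off = nt_header_offset(data)
    if off is None:
        return False
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, off + 4)
    if opt_size < 2:
        return False
    return machine == IMAGE_FILE_MACHINE_I386 and struct.unpack_from("<H", data, off + 24)[0] == PE32_MAGIC


def sections(data):
    """Return [(name, raw_bytes)] from the section table."""
    off = nt_header_offset(data)
    if off is None:
        return []
    nsec = struct.unpack_from("<H", data, off + 6)[0]
    opt_size = struct.unpack_from("<H", data, off + 20)[0]
    table = off + 24 + opt_size
    if table + 40 * nsec > len(data):
        return []
    out = []
    for i in range(nsec):
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), data[rawptr:rawptr + rawsize]))
    return out


def shannon_entropy(buf):
    """Bits per byte: compressed or encrypted data sits near 8.0, plain code well below."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_upx_packed(data):
    """UPX_Zero-style check: UPX* section names or the 'UPX!' pack-header magic."""
    return any(n.startswith("UPX") for n, _ in sections(data)) or b"UPX!" in data


def imphash(imports):
    """pefile-style imphash over named imports in IAT order: md5 of 'dll.func' pairs,
    lowercased, with the .dll/.ocx/.sys extension stripped (ordinal handling omitted)."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def triage(data):
    """Summarise the static checks the report's rules and packer signatures encode."""
    secs = sections(data)
    return {
        "pe_header": nt_header_offset(data) is not None,
        "pe32": is_pe32(data),
        "sections": [n for n, _ in secs],
        "max_section_entropy": round(max((shannon_entropy(b) for _, b in secs), default=0.0), 2),
        "upx": looks_upx_packed(data),
    }


# Constructed samples: a UPX-shaped image with high-entropy UPX1 data, and a plain one.
_rng = random.Random(0xC0FFEE)
PACKED = build_pe([("UPX0", b""), (".rsrc", b"\0" * 64)][:1] +
                  [("UPX1", b"UPX!" + bytes(_rng.getrandbits(8) for _ in range(4096))), (".rsrc", b"\0" * 64)])
PLAIN = build_pe([(".text", b"\x90" * 2048), (".data", b"\0" * 512)])
# The four stub imports from the report's IAT, in IAT order.
REPORT_IMPORTS = [("KERNEL32.DLL", "LoadLibraryA"), ("KERNEL32.DLL", "ExitProcess"),
                  ("KERNEL32.DLL", "GetProcAddress"), ("KERNEL32.DLL", "VirtualProtect")]

if __name__ == "__main__":
    print(triage(PACKED))
    print(triage(PLAIN))
    print(imphash(REPORT_IMPORTS))
```

Because imphash depends only on the ordered import list, every UPX-packed file whose stub has these same four imports shares one imphash, which makes the field useless for clustering packed samples and useful only after unpacking.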