ScreenShot
| Created | 2023.03.29 09:55 | Machine | s1_win7_x6402 |
| Filename | atom.xml | ||
| Type | UTF-8 Unicode text, with very long lines, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 2 detected (PowerShell, Kryptik, SC185668) | ||
| md5 | bb3afc961cd9b132922db723407508e7 | ||
| sha256 | ff328209c9f4604d3ccc0639621d4c64a4b4cdba7bec8e1626bc258b91e041e4 | ||
| ssdeep | 1536:Jpt+TtlEaMAGD6I24uey6tpCCst3o3EX8df688Qry50Mty87hh38HDvOUmdh7c8E:4TtlEaMqy0AvfVrCL1vZknLVC50H3 | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| watch | One or more non-whitelisted processes were created |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | File has been identified by 2 AntiVirus engines on VirusTotal as malicious |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Tries to locate where the browsers are installed |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | hide_executable_file | Hide executable file | binaries (upload) |
| warning | PowerShell_Script_Include_2_Zero | PowerShell Script Include [Zero] | binaries (upload) |
| warning | PowerShell_Script_MZ_Zero | PowerShell Script MZ [Zero] | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|