ScreenShot
| Created | 2023.04.06 09:56 | Machine | s1_win7_x6402 |
| Filename | Payment_Copy.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 28 detected (Save, malicious, confidence, 100%, Eldorado, Attribute, HighConfidence, high confidence, score, Kutaki, TSPY, VBKEYLOG, high, Static AI, Suspicious PE, Sabsik, Detected, R526413, unsafe, CLASSIC, ZevbaF, Bo0@aydnObni) | ||
| md5 | fe87505c13a6a986885193cb177d4607 | ||
| sha256 | a7f37926eb21924303d17007e8dd4d87c0bb428d1663a86d24d1ca38442ef845 | ||
| ssdeep | 49152:hlkWk5cS7a+9XYaQHZehc4mTYJ78V9gyBn4cbfmP/SA8N:3ajJ4Z942KQV9hp4UfmP/SA8 | ||
| imphash | d24edab77279df23707d626d3ad31888 | ||
| impfuzzy | 12:nTO+ypTOQ8MYqUwT8zTPMswDQoTdU61n9anSnaICTK9MRUR9lx9GSwmO:nHNW83MBU66nQaa9MRGTNM | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a suspicious process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
MSVBVM60.DLL
0x401000 None
0x401004 None
0x401008 None
0x40100c None
0x401010 MethCallEngine
0x401014 None
0x401018 None
0x40101c None
0x401020 None
0x401024 None
0x401028 None
0x40102c None
0x401030 None
0x401034 None
0x401038 None
0x40103c None
0x401040 None
0x401044 None
0x401048 None
0x40104c None
0x401050 None
0x401054 EVENT_SINK_AddRef
0x401058 None
0x40105c None
0x401060 None
0x401064 DllFunctionCall
0x401068 None
0x40106c None
0x401070 None
0x401074 EVENT_SINK_Release
0x401078 None
0x40107c None
0x401080 EVENT_SINK_QueryInterface
0x401084 __vbaExceptHandler
0x401088 None
0x40108c None
0x401090 None
0x401094 None
0x401098 None
0x40109c None
0x4010a0 None
0x4010a4 None
0x4010a8 ProcCallEngine
0x4010ac None
0x4010b0 None
0x4010b4 None
0x4010b8 None
0x4010bc None
0x4010c0 None
0x4010c4 None
0x4010c8 None
0x4010cc None
0x4010d0 None
0x4010d4 None
0x4010d8 None
0x4010dc None
0x4010e0 None
0x4010e4 None
0x4010e8 None
0x4010ec None
EAT(Export Address Table) is none
MSVBVM60.DLL
0x401000 None
0x401004 None
0x401008 None
0x40100c None
0x401010 MethCallEngine
0x401014 None
0x401018 None
0x40101c None
0x401020 None
0x401024 None
0x401028 None
0x40102c None
0x401030 None
0x401034 None
0x401038 None
0x40103c None
0x401040 None
0x401044 None
0x401048 None
0x40104c None
0x401050 None
0x401054 EVENT_SINK_AddRef
0x401058 None
0x40105c None
0x401060 None
0x401064 DllFunctionCall
0x401068 None
0x40106c None
0x401070 None
0x401074 EVENT_SINK_Release
0x401078 None
0x40107c None
0x401080 EVENT_SINK_QueryInterface
0x401084 __vbaExceptHandler
0x401088 None
0x40108c None
0x401090 None
0x401094 None
0x401098 None
0x40109c None
0x4010a0 None
0x4010a4 None
0x4010a8 ProcCallEngine
0x4010ac None
0x4010b0 None
0x4010b4 None
0x4010b8 None
0x4010bc None
0x4010c0 None
0x4010c4 None
0x4010c8 None
0x4010cc None
0x4010d0 None
0x4010d4 None
0x4010d8 None
0x4010dc None
0x4010e0 None
0x4010e4 None
0x4010e8 None
0x4010ec None
EAT(Export Address Table) is none