Field | Value |
---|---|
Created | 2023.05.03 09:29 |
Machine | s1_win7_x6403 |
Filename | 12.ocx |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 42 detected (AIDetectMalware, Jaik, Farfli, malicious, Eldorado, high confidence, VMProtect, Convagent, RATX, Black, Gen2, high, score, VMProtBad, Detected, R573513, ai score=87, BScope, unsafe, Genetic, Generic@AI, RDMK, cmRtazrD+6FZYRn28VMRH45Kk1IC, Static AI, Malicious PE, susgen, Zard, confidence) |
md5 | c7c3f41117bfe6c2635686e7dc2bfc65 |
sha256 | 12ba6e9ec28e702a832577ad78d074db366336d68033c717f72ec2a0ab6cb94a |
ssdeep | 12288:Jjx/uFxRp2kqQh+8++egiHAtc6HrriDkwtGfDDOLMb7gOADfr9Tv4gXS6:xx/WxRp0B+AFeukDDXXyDfRjXi |
imphash | a320e29878a432b145f8a790e7e10f17 |
impfuzzy | 3:sUWLwzsSWLcvbsBQ3QRWDhAAX0JSxqrJSx2AEZsWBJAEPwUgEJJ67UgDkSxqEs1/:AwAcvbVQwDmyfErBJAEf/JLGCZB |
Signatures (12)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Foreign language identified in PE resource |
notice | Queries the disk size, which can be used to detect a virtual machine with a small fixed-size or dynamically allocated disk |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | Checks amount of memory in system |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
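The three packer-related signatures above (compressed or encrypted data, a VMProtect fingerprint, and unknown section names) can be reproduced statically from the section table alone. The script below is an added example and is not code from the sandbox that produced this report; it parses the PE section table with the standard library, scores each section's Shannon entropy, and flags VMProtect (`.vmp0`/`.vmp1`) and UPX (`UPX0`/`UPX1`) section names. The threshold of 7.0 bits per byte, the list of "known" section names and the `build_fake_pe` helper are assumptions made for the example; the embedded sample PE is constructed, not the 12.ocx sample.

```python
import math
import struct
from collections import Counter

# Section names a linker normally emits (assumption for this example);
# anything else counts as "unknown" in the sense of the sandbox signature.
KNOWN_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
    ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one.
    Compressed or encrypted sections sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return [(name, raw_bytes)] without a third-party PE parser."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(sections, entropy_threshold=7.0):
    """Return (section_name, indicator) pairs mirroring the sandbox signatures."""
    findings = []
    for name, data in sections:
        if shannon_entropy(data) >= entropy_threshold:
            findings.append((name, "high_entropy"))
        if name.startswith(".vmp"):      # VMProtect names its sections .vmp0/.vmp1
            findings.append((name, "vmprotect_name"))
        elif name.startswith("UPX"):     # UPX uses UPX0/UPX1
            findings.append((name, "upx_name"))
        elif name not in KNOWN_SECTION_NAMES:
            findings.append((name, "unknown_name"))
    return findings


def build_fake_pe(sections) -> bytes:
    """Constructed test input: a minimal, non-runnable PE carrying the given
    sections (helper for this example only)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    # COFF header: i386, N sections, no optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_off = 64 + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), raw_off,
                             0, 0, 0, 0, 0x60000020)
        body += data
        raw_off += len(data)
    return bytes(dos) + b"PE\0\0" + coff + table + body


# Constructed sample: a zero-filled .text next to a .vmp0 section whose bytes
# are uniformly distributed, the shape a VMProtect-wrapped binary presents.
SAMPLE_PE = build_fake_pe([(".text", b"\x00" * 4096),
                           (".vmp0", bytes(range(256)) * 16)])

if __name__ == "__main__":
    for name, tag in packer_indicators(parse_sections(SAMPLE_PE)):
        print(f"{name:8s} {tag}")
```

To run it against a real sample, pass `open(path, "rb").read()` to `parse_sections`. A high-entropy `.rsrc` section is a common false positive (embedded compressed images), which is why the sandbox labels the section-name rule "could be a false positive" and why the two indicators are best read together.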
Rules (6)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table)
KERNEL32.dll
0x519000 GetVersionExA
0x519004 GetVersion
0x519008 HeapAlloc
USER32.dll
0x519010 MessageBoxW
KERNEL32.dll
0x519018 GetModuleFileNameW
KERNEL32.dll
0x519020 GetModuleHandleA
0x519024 LoadLibraryA
0x519028 LocalAlloc
0x51902c LocalFree
0x519030 GetModuleFileNameA
0x519034 ExitProcess
EAT (Export Address Table): none. Despite the .ocx extension, the file type above is a GUI executable and it exports nothing, so it is not a genuine ActiveX control; the eleven-entry import table (LoadLibraryA, GetModuleHandleA and a handful of allocation calls) is the packer stub's, and the real imports are resolved at runtime after unpacking.
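The imphash in the metadata table is derived from exactly the kind of list printed above: each import is lowercased, the library's `.dll`/`.ocx`/`.sys` suffix is dropped, entries are joined as `lib.func` with commas in import-descriptor order, and the MD5 of that string is the hash. The script below is an added example, not code from the report or the sandbox; it rebuilds that canonical string from the imports as listed and compares the result to the reported value. A mismatch is most likely to mean the listing above is abridged or ordered differently from the import directory, not that the hashes were computed over different files. Ordinal imports are rendered as `ordN` here; the widely used pefile implementation additionally maps well-known ordinals to names first, which this example does not replicate.

```python
import hashlib

# Import table exactly as listed in this report (library, function), in
# descriptor order; taken from the page, not computed here.
REPORT_IMPORTS = [
    ("KERNEL32.dll", "GetVersionExA"),
    ("KERNEL32.dll", "GetVersion"),
    ("KERNEL32.dll", "HeapAlloc"),
    ("USER32.dll", "MessageBoxW"),
    ("KERNEL32.dll", "GetModuleFileNameW"),
    ("KERNEL32.dll", "GetModuleHandleA"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "LocalAlloc"),
    ("KERNEL32.dll", "LocalFree"),
    ("KERNEL32.dll", "GetModuleFileNameA"),
    ("KERNEL32.dll", "ExitProcess"),
]
REPORT_IMPHASH = "a320e29878a432b145f8a790e7e10f17"  # value from the metadata table


def canonical_import_string(imports) -> str:
    """Lowercase 'lib.func' entries joined by commas, library suffix stripped.
    Ordinal imports (ints) become 'ordN' (simplified, see lead-in)."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = func.lower() if isinstance(func, str) else f"ord{func}"
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the canonical import string, hex-encoded."""
    return hashlib.md5(canonical_import_string(imports).encode("ascii")).hexdigest()


def matches_report(imports, reported: str) -> bool:
    """True if the listed imports reproduce the reported imphash."""
    return imphash(imports) == reported.lower()


if __name__ == "__main__":
    print(canonical_import_string(REPORT_IMPORTS))
    print("computed:", imphash(REPORT_IMPORTS))
    print("reported:", REPORT_IMPHASH)
    print("match:", matches_report(REPORT_IMPORTS, REPORT_IMPHASH))
```

Because the hash ignores case and import addresses, it is stable across rebuilds of the same packer stub, which is why the same imphash recurs across many VMProtect-wrapped samples and pivots on it must be treated as "same packer", not "same malware family".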