ScreenShot
| Created | 2023.05.03 16:09 | Machine | s1_win7_x6401 |
| Filename | vpm.dll | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 18 detected (AIDetect, malware2, malicious, high confidence, Unsafe, confidence, Attribute, HighConfidence, VMProtect, Generic ML PUA, R461521, Artemis, Generic@AI, RDML, LzkDLhcVlVXOiiuel7PXQ, ZedlaF, @F8@aeZOldei) | ||
| md5 | 9c99486ea32b953883160b8681b37ff7 | ||
| sha256 | a267915fd52dbfd9f5dd6b7292fec7ff70e0050d1e7000da66df1b5b4b3388ef | ||
| ssdeep | 98304:0uSTLHi3wXQh5ZPWG+x7boZEnylFYCA1H8kFUp2G4B8nWVyve6b+wp8bjca:0luCQh5ZPgx4EylFYhckFS2G46ngO+wK | ||
| imphash | c260007e41c48b7c9e5223c767afc3a7 | ||
| impfuzzy | 12:DBmT8Mim79tqQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:9mT8y9tqQ58QtXJHc9NDI5Q8 | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 18 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x108cb000 GetVersionExA
USER32.dll
0x108cb008 GetSystemMetrics
GDI32.dll
0x108cb010 GetStockObject
ADVAPI32.dll
0x108cb018 OpenServiceA
ole32.dll
0x108cb020 CoUninitialize
OLEAUT32.dll
0x108cb028 SysAllocString
ODBC32.dll
0x108cb030 None
WTSAPI32.dll
0x108cb038 WTSSendMessageW
KERNEL32.dll
0x108cb040 VirtualQuery
USER32.dll
0x108cb048 GetProcessWindowStation
KERNEL32.dll
0x108cb050 LocalAlloc
0x108cb054 LocalFree
0x108cb058 GetModuleFileNameW
0x108cb05c GetProcessAffinityMask
0x108cb060 SetProcessAffinityMask
0x108cb064 SetThreadAffinityMask
0x108cb068 Sleep
0x108cb06c ExitProcess
0x108cb070 FreeLibrary
0x108cb074 LoadLibraryA
0x108cb078 GetModuleHandleA
0x108cb07c GetProcAddress
USER32.dll
0x108cb084 GetProcessWindowStation
0x108cb088 GetUserObjectInformationW
EAT(Export Address Table) Library
0x10035abd SendMsg
KERNEL32.dll
0x108cb000 GetVersionExA
USER32.dll
0x108cb008 GetSystemMetrics
GDI32.dll
0x108cb010 GetStockObject
ADVAPI32.dll
0x108cb018 OpenServiceA
ole32.dll
0x108cb020 CoUninitialize
OLEAUT32.dll
0x108cb028 SysAllocString
ODBC32.dll
0x108cb030 None
WTSAPI32.dll
0x108cb038 WTSSendMessageW
KERNEL32.dll
0x108cb040 VirtualQuery
USER32.dll
0x108cb048 GetProcessWindowStation
KERNEL32.dll
0x108cb050 LocalAlloc
0x108cb054 LocalFree
0x108cb058 GetModuleFileNameW
0x108cb05c GetProcessAffinityMask
0x108cb060 SetProcessAffinityMask
0x108cb064 SetThreadAffinityMask
0x108cb068 Sleep
0x108cb06c ExitProcess
0x108cb070 FreeLibrary
0x108cb074 LoadLibraryA
0x108cb078 GetModuleHandleA
0x108cb07c GetProcAddress
USER32.dll
0x108cb084 GetProcessWindowStation
0x108cb088 GetUserObjectInformationW
EAT(Export Address Table) Library
0x10035abd SendMsg