Field | Value |
---|---|
Created | 2023.05.31 09:29 |
Machine | s1_win7_x6403 |
Filename | 1.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
ZERO API | file : malware |
VT API (file) | 49 detected (Coins, tsjc, malicious, high confidence, GenericKD, Artemis, Gomal, V4et, ABRisk, YVER, Attribute, HighConfidence, a variant of WinGo, score, Yylw, Nekark, hcgrh, MulDrop22, R002C0XET23, Static AI, Suspicious PE, Dapato, adom, ai score=84, Casdet, Detected, unsafe, Chgt, Meterpreter, susgen, confidence, 100%) |
md5 | 3f005ce85f08a09e93679254e35df782 |
sha256 | c43f913e75a18bcddedf040beec903b94336734537ca6816d8174e8237822870 |
ssdeep | 49152:m6+OL0vnSGYGY+9C4OXk9PhRBPhILfF/QxamXYOCs5EbNfylJTEXKobB1:m7jHTXXREYJgXK |
imphash | 9cbefe68f395e67356e2a5d8d1b285c0 |
impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP |
Signature (17cnts)
Level | Description |
---|---|
danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
watch | Detects the presence of Wine emulator |
watch | Installs itself for autorun at Windows startup |
watch | One or more non-whitelisted processes were created |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid) |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
kernel32.dll
0x80a140 WriteFile
0x80a148 WriteConsoleW
0x80a150 WaitForMultipleObjects
0x80a158 WaitForSingleObject
0x80a160 VirtualQuery
0x80a168 VirtualFree
0x80a170 VirtualAlloc
0x80a178 SwitchToThread
0x80a180 SuspendThread
0x80a188 SetWaitableTimer
0x80a190 SetUnhandledExceptionFilter
0x80a198 SetProcessPriorityBoost
0x80a1a0 SetEvent
0x80a1a8 SetErrorMode
0x80a1b0 SetConsoleCtrlHandler
0x80a1b8 ResumeThread
0x80a1c0 PostQueuedCompletionStatus
0x80a1c8 LoadLibraryA
0x80a1d0 LoadLibraryW
0x80a1d8 SetThreadContext
0x80a1e0 GetThreadContext
0x80a1e8 GetSystemInfo
0x80a1f0 GetSystemDirectoryA
0x80a1f8 GetStdHandle
0x80a200 GetQueuedCompletionStatusEx
0x80a208 GetProcessAffinityMask
0x80a210 GetProcAddress
0x80a218 GetEnvironmentStringsW
0x80a220 GetConsoleMode
0x80a228 FreeEnvironmentStringsW
0x80a230 ExitProcess
0x80a238 DuplicateHandle
0x80a240 CreateWaitableTimerExW
0x80a248 CreateThread
0x80a250 CreateIoCompletionPort
0x80a258 CreateFileA
0x80a260 CreateEventA
0x80a268 CloseHandle
0x80a270 AddVectoredExceptionHandler
EAT (Export Address Table): none