Field | Value |
---|---|
Created | 2023.06.05 17:56 |
Machine | s1_win7_x6403 |
Filename | iexplore.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
ZERO API | file : malware |
VT API (file) | 56 detected (Miner, Dacic, BitCoinMiner, Artemis, Unsafe, FlyStudio, Save, Coinminer, malicious, ZexaF, 8pKfaC5bmGlb, ABRisk, ZBIN, Attribute, HighConfidence, moderate confidence, score, jusrbx, FileRepMalware, Misc, Risktool, Bitminer, AGEN, Tool, Nssm, R002C0DB523, Flyagent, high, Static AI, Malicious PE, Wacatac, MUPX, Gen@24tbus, 10TFD8O, Detected, Agentb, ai score=80, HackTool, CLOUD, GenAsa, ReEpzfU58ew, GdSda, confidence, 100%) |
md5 | a3d8b7059f0a4108d38144586fd63ee0 |
sha256 | fc82ae233202ce00335a22ad605fa184687db2023b8bdb8afbb4fd7cd61a8e52 |
ssdeep | 98304:kVT8nSXdIs4DzUQeArdcHL9NlTxoUx2ZXOR6wwYIvtQZZuvIsGr:keSXdY/aAm9NRx28cfhvtPY |
imphash | fc4211025d2823f78625f41e8016b470 |
impfuzzy | 6:omRgsyIBM9IVA7ZBJAEoZ/OEGDzyRPLMKJAmzRjLbtuISXmJJcJ1v4V:omRghIBAIVOABZG/DzA+m9xutX+m1vY |
Signature (29 cnts)
Level | Description |
---|---|
danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
watch | A command shell or script process was created by an unexpected parent process |
watch | A stratum cryptocurrency mining command was executed |
watch | Attempts to stop active services |
watch | Enumerates services |
watch | Installs itself for autorun at Windows startup |
watch | One or more non-whitelisted processes were created |
watch | Powershell script adds registry entries |
watch | The process wscript.exe wrote an executable file to disk |
watch | Uses suspicious command line tools or Windows utilities |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a service |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Foreign language identified in PE resource |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (12 cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x11a48cc RegCloseKey
COMCTL32.dll
0x11a48d4 None
comdlg32.dll
0x11a48dc ChooseColorA
GDI32.dll
0x11a48e4 PatBlt
KERNEL32.DLL
0x11a48ec LoadLibraryA
0x11a48f0 ExitProcess
0x11a48f4 GetProcAddress
0x11a48f8 VirtualProtect
ole32.dll
0x11a4900 OleInitialize
OLEAUT32.dll
0x11a4908 LoadTypeLib
SHELL32.dll
0x11a4910 ShellExecuteA
USER32.dll
0x11a4918 GetDC
WINMM.dll
0x11a4920 waveOutOpen
WINSPOOL.DRV
0x11a4928 ClosePrinter
WS2_32.dll
0x11a4930 WSACleanup
EAT (Export Address Table): none