Field | Value |
---|---|
Created | 2023.06.05 17:55 |
Machine | s1_win7_x6401 |
Filename | 86.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 51 detected (Malicious, score, SiscosRI, S8512495, unsafe, Save, Siscos, Eldorado, Attribute, HighConfidence, moderate confidence, Farfli, enrcbv, TrojanX, DownLoader23, GenericRXIX, moderate, AutoG, AGEN, SelfDel, GameThief, Magania, ~NWABU@18g2sq, Detected, R302641, ai score=86, Venik, Uqd4uAhaXbC, GenAsa, G5Cq9PqIIJA, Static AI, Suspicious PE, susgen, ZexaF, cmKfa4Gr0Eke, Genetic) |
md5 | ff8a7fe058166ccb1d7822fa873cdca5 |
sha256 | 0c400688f817041082024cae97ebf96ed9048a9403a3330623d4ecdc57abcbbd |
ssdeep | 768:Mw/iOWTK3JWhOM/qZh7UJGcZ/q3X7ffYlo8nbcuyD7U7s9:zQK52fqZSIACjfYlo8nouy87s9 |
imphash | 3d2b95b998469ac775106242f347c0e1 |
impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRG7GW4GRY:dBJAEoZ/OEGDzyRWB4GY |
Signatures (16 counts)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Deletes executed files from disk |
watch | Installs itself for autorun at Windows startup |
notice | A process created a hidden window |
notice | Creates a service |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (9 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table)
Library | Address | Function |
---|---|---|
KERNEL32.DLL | 0x41f954 | LoadLibraryA |
KERNEL32.DLL | 0x41f958 | ExitProcess |
KERNEL32.DLL | 0x41f95c | GetProcAddress |
KERNEL32.DLL | 0x41f960 | VirtualProtect |
MFC42.DLL | 0x41f968 | None |
MSVCRT.dll | 0x41f970 | exit |
USER32.dll | 0x41f978 | wsprintfA |
EAT (Export Address Table) is none