ScreenShot
Field | Value
---|---
Created | 2023.06.05 18:02
Machine | s1_win7_x6403
Filename | c64.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score |
Behavior Score |
ZERO API | file : clean
VT API (file) | 52 detected (EquationDrug, Strictor, Temr, IGENERIC, GenericRXNL, unsafe, Save, malicious, confidence, 100%, Miancha, ZexaF, opKfai5DFjhb, Eldorado, Attribute, HighConfidence, moderate confidence, FlyStudio, score, NSABuffMiner, CLOUD, DPulsarShellcode, ykami, R002C0PC323, high, CoinMiner, 18M7LFX, MUPX, Gen@24tbus, HackTool, Eqtonex, Detected, ai score=85, Wmhl, GenAsa, tXL2U6oM+cg, Static AI, Malicious PE, susgen)
md5 | b1e73ee6b76cdb99e5fcde09936de056
sha256 | 1baaa595c6e5c48d0f8de547986623a725caf520d37112ed165497e1286e5c60
ssdeep | 98304:AH71JKBJv0G10TH8BACxv46LxeDFuKarviQrHc:Y71ABJv0GaTHix46LED4brviQ
imphash | 186181567a2843130cb6bc2088563c1b
impfuzzy | 6:omRgsyIBM9IVbyP1BJAEoZ/OEGDzyRPLMKJAmzRjLbtuISXqVqXvEt2:omRghIBAIVeVABZG/DzA+m9xutXuksI
Network IP location
Signature (30cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
watch | Created a service where a service was also not started |
watch | Deletes executed files from disk |
watch | Enumerates services |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process wscript.exe wrote an executable file to disk |
watch | Uses suspicious command line tools or Windows utilities |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Created a process named as a common system process |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (49cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x8cf614 RegCloseKey
COMCTL32.dll
0x8cf61c None
comdlg32.dll
0x8cf624 ChooseColorA
GDI32.dll
0x8cf62c Escape
KERNEL32.DLL
0x8cf634 LoadLibraryA
0x8cf638 ExitProcess
0x8cf63c GetProcAddress
0x8cf640 VirtualProtect
ole32.dll
0x8cf648 OleInitialize
OLEAUT32.dll
0x8cf650 LoadTypeLib
SHELL32.dll
0x8cf658 ShellExecuteA
USER32.dll
0x8cf660 GetDC
WINMM.dll
0x8cf668 waveOutOpen
WINSPOOL.DRV
0x8cf670 OpenPrinterA
WS2_32.dll
0x8cf678 WSAAsyncSelect
EAT (Export Address Table): none