Field | Value |
---|---|
Created | 2023.06.13 22:53 |
Machine | s1_win7_x6403 |
Filename | bz.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 33 detected (Tedy, Generic PWS, malicious, ABRisk, KZBF, dypr, RATX, DownLoader45, Artemis, moderate, score, Wacatac, KSOA9V, Detected, ai score=84, Chgt, R002H09FC23, CLOUD, PossibleThreat, confidence) |
md5 | f97dd898670874b524df23d89dc6a12f |
sha256 | 841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110 |
ssdeep | 384:/T1sZrG2iPQWRErIYib+W42KKxPxh8E9VF0Ny5dF:/BsZa2mf+UYib+WnxPxWEj |
imphash | 769adc189c80de1183a16ee3ab5f134a |
impfuzzy | 24:n9wwRfTQ3Nlr3em/EWFNYDGgkSdWTSwMSwC:nqwhQ3Lr3emNFNYigkSgTSwMSwC |
Network IP location
Signatures (20)
Level | Description |
---|---|
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Creates a suspicious Powershell process |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process bz.exe |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (8)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDs
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT (Import Address Table) Library
MSVBVM60.DLL
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaFreeVar
0x40100c _adj_fdiv_m64
0x401010 _adj_fprem1
0x401014 _adj_fdiv_m32
0x401018 __vbaLateMemSt
0x40101c _adj_fdiv_m16i
0x401020 __vbaObjSetAddref
0x401024 _adj_fdivr_m16i
0x401028 _CIsin
0x40102c __vbaChkstk
0x401030 __vbaObjVar
0x401034 _adj_fpatan
0x401038 None
0x40103c _CIsqrt
0x401040 __vbaExceptHandler
0x401044 _adj_fprem
0x401048 _adj_fdivr_m64
0x40104c None
0x401050 __vbaFPException
0x401054 _CIlog
0x401058 _adj_fdiv_m32i
0x40105c _adj_fdivr_m32i
0x401060 __vbaStrCopy
0x401064 _adj_fdivr_m32
0x401068 _adj_fdiv_r
0x40106c None
0x401070 __vbaLateMemCall
0x401074 __vbaVarDup
0x401078 __vbaLateMemCallLd
0x40107c _CIatan
0x401080 _allmul
0x401084 _CItan
0x401088 _CIexp
0x40108c __vbaFreeObj
0x401090 __vbaFreeStr
EAT (Export Address Table): none