ScreenShot
| Created | 2023.06.20 07:29 | Machine | s1_win7_x6401 |
| Filename | game2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 23 detected (AIDetectMalware, Tedy, ZevbaCO, bm0@aS3oWghi, Malicious, high, score, ALCI@53390z, Artemis, ai score=88, unsafe, HackTool, CLASSIC, susgen, PossibleThreat) | ||
| md5 | ad0f1f3418da5e70c0e898a6546128ef | ||
| sha256 | cd93805d6fee60c8139820c20aca0872881a71f34218f0cb8de68b722cc128f8 | ||
| ssdeep | 96:afqAebOyg99JjlslDbL9CCmnpooOUxdPzPyuj8MpEJAI5xwg:UMDW92PAjioOUxdPDxESqxw | ||
| imphash | 5a1d35404fe0acce8936f67cc51ec4fe | ||
| impfuzzy | 24:n9wwzjlBCfVgy8Q3Nukx3bT/EWFNg+1hwfGgDSd+JTSwpwMH:nqwzZIgRQ3Dx3bTNFNV1hw+gW8JTSwpz | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process game2.exe |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| info | One or more processes crashed |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT(Import Address Table) Library
MSVBVM60.DLL
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaFreeVar
0x40100c __vbaLenBstr
0x401010 __vbaEnd
0x401014 _adj_fdiv_m64
0x401018 _adj_fprem1
0x40101c __vbaStrCat
0x401020 __vbaHresultCheckObj
0x401024 _adj_fdiv_m32
0x401028 __vbaLateMemSt
0x40102c _adj_fdiv_m16i
0x401030 __vbaObjSetAddref
0x401034 _adj_fdivr_m16i
0x401038 _CIsin
0x40103c None
0x401040 __vbaChkstk
0x401044 EVENT_SINK_AddRef
0x401048 __vbaObjVar
0x40104c _adj_fpatan
0x401050 EVENT_SINK_Release
0x401054 None
0x401058 _CIsqrt
0x40105c EVENT_SINK_QueryInterface
0x401060 __vbaExceptHandler
0x401064 _adj_fprem
0x401068 _adj_fdivr_m64
0x40106c None
0x401070 __vbaFPException
0x401074 None
0x401078 _CIlog
0x40107c __vbaErrorOverflow
0x401080 _adj_fdiv_m32i
0x401084 _adj_fdivr_m32i
0x401088 __vbaStrCopy
0x40108c __vbaFreeStrList
0x401090 _adj_fdivr_m32
0x401094 _adj_fdiv_r
0x401098 None
0x40109c __vbaLateMemCall
0x4010a0 __vbaFpI4
0x4010a4 __vbaLateMemCallLd
0x4010a8 _CIatan
0x4010ac __vbaStrMove
0x4010b0 _allmul
0x4010b4 _CItan
0x4010b8 _CIexp
0x4010bc __vbaFreeStr
0x4010c0 __vbaFreeObj
0x4010c4 None
EAT(Export Address Table) is none
MSVBVM60.DLL
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaFreeVar
0x40100c __vbaLenBstr
0x401010 __vbaEnd
0x401014 _adj_fdiv_m64
0x401018 _adj_fprem1
0x40101c __vbaStrCat
0x401020 __vbaHresultCheckObj
0x401024 _adj_fdiv_m32
0x401028 __vbaLateMemSt
0x40102c _adj_fdiv_m16i
0x401030 __vbaObjSetAddref
0x401034 _adj_fdivr_m16i
0x401038 _CIsin
0x40103c None
0x401040 __vbaChkstk
0x401044 EVENT_SINK_AddRef
0x401048 __vbaObjVar
0x40104c _adj_fpatan
0x401050 EVENT_SINK_Release
0x401054 None
0x401058 _CIsqrt
0x40105c EVENT_SINK_QueryInterface
0x401060 __vbaExceptHandler
0x401064 _adj_fprem
0x401068 _adj_fdivr_m64
0x40106c None
0x401070 __vbaFPException
0x401074 None
0x401078 _CIlog
0x40107c __vbaErrorOverflow
0x401080 _adj_fdiv_m32i
0x401084 _adj_fdivr_m32i
0x401088 __vbaStrCopy
0x40108c __vbaFreeStrList
0x401090 _adj_fdivr_m32
0x401094 _adj_fdiv_r
0x401098 None
0x40109c __vbaLateMemCall
0x4010a0 __vbaFpI4
0x4010a4 __vbaLateMemCallLd
0x4010a8 _CIatan
0x4010ac __vbaStrMove
0x4010b0 _allmul
0x4010b4 _CItan
0x4010b8 _CIexp
0x4010bc __vbaFreeStr
0x4010c0 __vbaFreeObj
0x4010c4 None
EAT(Export Address Table) is none