ScreenShot
| Created | 2023.06.21 15:55 | Machine | s1_win7_x6401 |
| Filename | 3.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 34 detected (AIDetectMalware, malicious, moderate confidence, Nymeria, unsafe, Save, confidence, many, AutoIt, Eldorado, PSWTool, MailPassView, E potentially unsafe, score, Gencirc, Generic ML PUA, Gen8, TrojanAitInject, high, GrayWare, Kryptik, Detected, ai score=85, Generic@AI, RDML, czcnGeSvfpBnZAqN760VYg) | ||
| md5 | 68749e1f05472d28f9aead6c393da9d2 | ||
| sha256 | 811e59085cb487f0a0f3804b6fb051209d09f31485c6261511c76ae1aef140c9 | ||
| ssdeep | 24576:chloDX0XOf4lLZPs02mOReGh1kLbkZEFK0gmJBphnYf0sO:chloJf6FFOek1kH2EFK0gsBDf | ||
| imphash | b9083dd82a429a49d949568d3647ca0d | ||
| impfuzzy | 12:o1DoABZG/DzpM78r4B3ExjLAkcOaiTQQnd3mxCHoJ:UoC+DFM7PxExjLAkcOV2kw | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local email clients |
| watch | Harvests information related to installed instant messenger clients |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Schwerer_IN | Schwerer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x631498 AddAce
COMCTL32.dll
0x6314a0 ImageList_Remove
COMDLG32.dll
0x6314a8 GetSaveFileNameW
GDI32.dll
0x6314b0 LineTo
IPHLPAPI.DLL
0x6314b8 IcmpSendEcho
KERNEL32.DLL
0x6314c0 LoadLibraryA
0x6314c4 ExitProcess
0x6314c8 GetProcAddress
0x6314cc VirtualProtect
MPR.dll
0x6314d4 WNetUseConnectionW
ole32.dll
0x6314dc CoGetObject
OLEAUT32.dll
0x6314e4 VariantInit
PSAPI.DLL
0x6314ec GetProcessMemoryInfo
SHELL32.dll
0x6314f4 DragFinish
USER32.dll
0x6314fc GetDC
USERENV.dll
0x631504 LoadUserProfileW
UxTheme.dll
0x63150c IsThemeActive
VERSION.dll
0x631514 VerQueryValueW
WININET.dll
0x63151c FtpOpenFileW
WINMM.dll
0x631524 timeGetTime
WSOCK32.dll
0x63152c socket
EAT(Export Address Table) is none
ADVAPI32.dll
0x631498 AddAce
COMCTL32.dll
0x6314a0 ImageList_Remove
COMDLG32.dll
0x6314a8 GetSaveFileNameW
GDI32.dll
0x6314b0 LineTo
IPHLPAPI.DLL
0x6314b8 IcmpSendEcho
KERNEL32.DLL
0x6314c0 LoadLibraryA
0x6314c4 ExitProcess
0x6314c8 GetProcAddress
0x6314cc VirtualProtect
MPR.dll
0x6314d4 WNetUseConnectionW
ole32.dll
0x6314dc CoGetObject
OLEAUT32.dll
0x6314e4 VariantInit
PSAPI.DLL
0x6314ec GetProcessMemoryInfo
SHELL32.dll
0x6314f4 DragFinish
USER32.dll
0x6314fc GetDC
USERENV.dll
0x631504 LoadUserProfileW
UxTheme.dll
0x63150c IsThemeActive
VERSION.dll
0x631514 VerQueryValueW
WININET.dll
0x63151c FtpOpenFileW
WINMM.dll
0x631524 timeGetTime
WSOCK32.dll
0x63152c socket
EAT(Export Address Table) is none