ScreenShot
| Created | 2023.06.22 11:10 | Machine | s1_win7_x6403 |
| Filename | 123.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 56 detected (AIDetectMalware, tsnj, GenericKD, unsafe, Save, GenKryptik, malicious, ABRisk, JDYE, Attribute, HighConfidence, high confidence, AGen, score, jwlzcw, Gencirc, Nekark, ldyqm, Siggen20, R002C0PFK23, Generic PWS, moderate, Static AI, Malicious PE, Wacatac, GZHHU5, Detected, R587297, ai score=88, Chgt, N4c784Php0B, p9Ocdg5jnyI, Krypt, susgen, ZexaF, 9K1@aCT, f0hi, confidence, 100%) | ||
| md5 | 0a37c2dbf12101e1f082e345c76fd594 | ||
| sha256 | 0f1a0986662dfca5f0c0fbaa0a8ec6eefdb114ad1eaa7437058ff951f679689c | ||
| ssdeep | 24576:bRAg7EfoR6pOoVqw2HsxwGP2bNsPwHXa6h:bRuHpO3E+bNbv | ||
| imphash | 261814086e5371c08c88b3dcc8b8c70b | ||
| impfuzzy | 12:twRJR6nJC5ARZqRVPXJxqVzT4GQGX5XGXKYIk6lTpJqJiZn:tkf6JxcVkLTX5XGKkoDqoZn | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
| watch | A process attempted to delay the analysis task. |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | One or more non-whitelisted processes were created |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Starts servers listening |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | infoStealer_browser_b_Zero | browser info stealer | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | icon_file_format | icon file format | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4820e0 CreateThread
0x4820e4 DeleteCriticalSection
0x4820e8 EnterCriticalSection
0x4820ec GetCurrentProcessId
0x4820f0 GetLastError
0x4820f4 GetStartupInfoA
0x4820f8 InitializeCriticalSection
0x4820fc LeaveCriticalSection
0x482100 SetUnhandledExceptionFilter
0x482104 Sleep
0x482108 TlsGetValue
0x48210c VirtualAlloc
0x482110 VirtualProtect
0x482114 VirtualQuery
msvcrt.dll
0x48211c __getmainargs
0x482120 __initenv
0x482124 __lconv_init
0x482128 __p__acmdln
0x48212c __p__commode
0x482130 __p__fmode
0x482134 __set_app_type
0x482138 __setusermatherr
0x48213c _amsg_exit
0x482140 _cexit
0x482144 _initterm
0x482148 _iob
0x48214c _onexit
0x482150 abort
0x482154 calloc
0x482158 exit
0x48215c fprintf
0x482160 free
0x482164 fwrite
0x482168 malloc
0x48216c memcpy
0x482170 signal
0x482174 strlen
0x482178 strncmp
0x48217c vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x4820e0 CreateThread
0x4820e4 DeleteCriticalSection
0x4820e8 EnterCriticalSection
0x4820ec GetCurrentProcessId
0x4820f0 GetLastError
0x4820f4 GetStartupInfoA
0x4820f8 InitializeCriticalSection
0x4820fc LeaveCriticalSection
0x482100 SetUnhandledExceptionFilter
0x482104 Sleep
0x482108 TlsGetValue
0x48210c VirtualAlloc
0x482110 VirtualProtect
0x482114 VirtualQuery
msvcrt.dll
0x48211c __getmainargs
0x482120 __initenv
0x482124 __lconv_init
0x482128 __p__acmdln
0x48212c __p__commode
0x482130 __p__fmode
0x482134 __set_app_type
0x482138 __setusermatherr
0x48213c _amsg_exit
0x482140 _cexit
0x482144 _initterm
0x482148 _iob
0x48214c _onexit
0x482150 abort
0x482154 calloc
0x482158 exit
0x48215c fprintf
0x482160 free
0x482164 fwrite
0x482168 malloc
0x48216c memcpy
0x482170 signal
0x482174 strlen
0x482178 strncmp
0x48217c vfprintf
EAT(Export Address Table) is none