| Field | Value |
|---|---|
| Created | 2023.06.26 07:45 |
| Machine | s1_win7_x6401 |
| Filename | BABYLON.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| AI Score | |
| Behavior Score | |
| ZERO API | file : clean |
| VT API (file) | |
| md5 | 072428ed08c736d6f81aea71741389b8 |
| sha256 | e8eefab37fec532a017d60a2851ed8aff3f4589028e9ca6794d100ea758bddb1 |
| ssdeep | 6144:9L1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19N:9LdcfxaeM6fy/KaVUtgKkTZ73coNRJN |
| imphash | a459954138cf2a762bc5e5f961bda8c9 |
| impfuzzy | 12:VA/DzqYOZ9RgENfcCM9jm3ERXJ5HZSIAGT:V0DBa9+vYEX5HZSIAGT |
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| watch | Expresses interest in specific running processes |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
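The signatures in the table above are Cuckoo-style behavioural rules evaluated over the sample's API-call trace. The script below is an added example by the editor, not code from the sandbox that produced this report: it replays rules for the keyboard hook, the analysis delay, process enumeration, foreground-window polling, the privilege LUID lookup and the RWX allocation over a constructed trace that imitates what the report flags. The trace, the thresholds and the list of analysis-tool process names are assumptions; the Win32 constants and API argument names are real.

```python
"""Behavioural signatures replayed over an API trace (editor's example, not the
sandbox's own rules). Thresholds and the analysis-tool name list are assumptions."""
from collections import defaultdict

# Hook types from winuser.h; WH_KEYBOARD_LL is the usual keylogger hook.
WH_KEYBOARD, WH_KEYBOARD_LL = 2, 13
PAGE_EXECUTE_READWRITE = 0x40

# Process names an evasive sample typically looks for (assumed, not exhaustive).
ANALYSIS_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "procmon.exe",
                      "wireshark.exe", "x64dbg.exe", "ollydbg.exe", "idaq.exe"}
# Privileges a plain GUI program has no business asking the LUID for.
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"}

# Constructed trace: (api, args) per call, in order. Not a real capture.
TRACE = (
    [("SetWindowsHookExW", {"idHook": WH_KEYBOARD_LL, "dwThreadId": 0})]
    + [("NtDelayExecution", {"milliseconds": 30000})] * 4
    + [("Process32NextW", {"szExeFile": n}) for n in ("explorer.exe", "vmtoolsd.exe", "BABYLON.exe")]
    + [("GetForegroundWindow", {})] * 50
    + [("LookupPrivilegeValueW", {"lpName": "SeDebugPrivilege"})]
    + [("VirtualAlloc", {"flProtect": PAGE_EXECUTE_READWRITE, "dwSize": 0x10000})]
)


def run_signatures(trace, delay_threshold_ms=60_000, foreground_polls=20):
    """Return {signature_name: level} for every signature that fires on the trace."""
    hits = {}
    calls = defaultdict(list)
    for api, args in trace:
        calls[api].append(args)

    # Keylogger: a WH_KEYBOARD/WH_KEYBOARD_LL hook; dwThreadId == 0 makes it system-wide.
    for a in calls["SetWindowsHookExA"] + calls["SetWindowsHookExW"]:
        if a.get("idHook") in (WH_KEYBOARD, WH_KEYBOARD_LL) and a.get("dwThreadId") == 0:
            hits["keylogger_hook"] = "watch"

    # Analysis delay: total sleep requested over the run, not any single call.
    total_ms = sum(a.get("milliseconds", 0) for a in calls["NtDelayExecution"])
    if total_ms >= delay_threshold_ms:
        hits["antisandbox_sleep"] = "notice"

    # Process listing; escalate when a known analysis tool is among the names seen.
    seen = {a.get("szExeFile", "").lower() for a in calls["Process32NextW"]}
    if seen:
        hits["enumerates_processes"] = "notice"
    if seen & ANALYSIS_PROCESSES:
        hits["specific_process_interest"] = "watch"

    # Human-activity check: polling the foreground window in a tight loop.
    if len(calls["GetForegroundWindow"]) >= foreground_polls:
        hits["antisandbox_foreground_window"] = "notice"

    # LUID lookup for a privilege that only debuggers, drivers or services need.
    if any(a.get("lpName") in SENSITIVE_PRIVILEGES
           for a in calls["LookupPrivilegeValueA"] + calls["LookupPrivilegeValueW"]):
        hits["privilege_luid_check"] = "notice"

    # RWX allocation: the usual footprint of an in-memory unpacker.
    if any(a.get("flProtect") == PAGE_EXECUTE_READWRITE for a in calls["VirtualAlloc"]):
        hits["allocates_rwx"] = "notice"
    return hits
```

Each rule alone is weak evidence (GUI frameworks poll GetForegroundWindow, installers sleep, runtime loaders allocate RWX), which is why the report grades most of them "notice"; the keyboard hook and the interest in specific processes carry more weight, and the combination in one sample is what matters for triage.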
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Network_Downloader | File Downloader | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.DLL
0x4c8430 LoadLibraryA
0x4c8434 GetProcAddress
0x4c8438 VirtualProtect
0x4c843c VirtualAlloc
0x4c8440 VirtualFree
0x4c8444 ExitProcess
ADVAPI32.dll
0x4c844c RegCloseKey
COMCTL32.dll
0x4c8454 InitCommonControlsEx
CRYPT32.dll
0x4c845c CryptUnprotectData
GDI32.dll
0x4c8464 GetDIBits
gdiplus.dll
0x4c846c GdipFree
NETAPI32.dll
0x4c8474 NetUserEnum
ole32.dll
0x4c847c CoInitialize
OLEAUT32.dll
0x4c8484 VariantInit
POWRPROF.dll
0x4c848c SetSuspendState
PSAPI.DLL
0x4c8494 GetModuleBaseNameW
SHELL32.dll
0x4c849c ShellExecuteW
SHLWAPI.dll
0x4c84a4 None (unnamed import, i.e. imported by ordinal; the report prints no name)
urlmon.dll
0x4c84ac URLDownloadToFileW
USER32.dll
0x4c84b4 GetDC
WS2_32.dll
0x4c84bc recv
EAT (Export Address Table): none
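The IAT above is the UPX loader stub's import table, not the original program's: kernel32 supplies only what the stub needs to allocate, map and protect the decompressed image, and every other DLL keeps a single import so that the OS loader maps the module; the rest of the original imports are resolved at run time through LoadLibraryA and GetProcAddress, which is why the static listing is so short. Those retained imports (CryptUnprotectData, URLDownloadToFileW, recv, NetUserEnum, GetDC/GetDIBits) are still the original program's, so they are useful triage hints, but the real import set only appears after unpacking. The script below is an added example by the editor, not the sandbox's code: it parses the listing as printed on this page, applies a UPX-stub heuristic, checks the thunk arrays for gaps that would indicate an incomplete listing, and attaches capability hints. The stub heuristic, the 4-byte thunk size (PE32) and the hint labels are assumptions.

```python
"""Static triage of the IAT listing above: UPX-stub check, thunk-array gap check
and capability hints for the one import kept per DLL. Editor's example, not the
sandbox's code; the stub heuristic and hint labels are assumptions."""
import re

# The listing from the report, embedded so the script runs offline.
IAT_LISTING = """\
KERNEL32.DLL
0x4c8430 LoadLibraryA
0x4c8434 GetProcAddress
0x4c8438 VirtualProtect
0x4c843c VirtualAlloc
0x4c8440 VirtualFree
0x4c8444 ExitProcess
ADVAPI32.dll
0x4c844c RegCloseKey
COMCTL32.dll
0x4c8454 InitCommonControlsEx
CRYPT32.dll
0x4c845c CryptUnprotectData
GDI32.dll
0x4c8464 GetDIBits
gdiplus.dll
0x4c846c GdipFree
NETAPI32.dll
0x4c8474 NetUserEnum
ole32.dll
0x4c847c CoInitialize
OLEAUT32.dll
0x4c8484 VariantInit
POWRPROF.dll
0x4c848c SetSuspendState
PSAPI.DLL
0x4c8494 GetModuleBaseNameW
SHELL32.dll
0x4c849c ShellExecuteW
SHLWAPI.dll
0x4c84a4 None
urlmon.dll
0x4c84ac URLDownloadToFileW
USER32.dll
0x4c84b4 GetDC
WS2_32.dll
0x4c84bc recv
"""

# APIs the UPX stub itself needs; the unpacked program's real imports are
# resolved later via LoadLibraryA/GetProcAddress and never appear statically.
UPX_STUB_APIS = {"LoadLibraryA", "GetProcAddress", "VirtualProtect",
                 "VirtualAlloc", "VirtualFree", "ExitProcess"}
# Assumed capability labels for the retained imports (hints, not proof).
HINTS = {
    "CryptUnprotectData": "DPAPI decryption (stored browser/mail credentials)",
    "URLDownloadToFileW": "HTTP download to file (second-stage retrieval)",
    "recv": "socket receive (C2 or download channel)",
    "NetUserEnum": "local account enumeration",
    "GetDC": "device context for screen capture",
    "GetDIBits": "bitmap pixel copy for screen capture",
}
ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)$")


def parse_iat(text):
    """Return {dll: [(thunk_address, name_or_None), ...]} in listing order."""
    imports, dll = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY_RE.match(line)
        if m is None:                       # DLL header line
            dll = line
            imports.setdefault(dll, [])
        else:                               # "None" = unnamed (ordinal) import
            addr, name = m.groups()
            imports[dll].append((int(addr, 16), None if name == "None" else name))
    return imports


def looks_like_upx_stub(imports):
    """Heuristic: kernel32 holds only stub APIs (at least LoadLibraryA and
    GetProcAddress) and every other DLL keeps exactly one import."""
    k32 = [f for d, f in imports.items() if d.lower() == "kernel32.dll"]
    if len(k32) != 1:
        return False
    names = {n for _, n in k32[0]}
    if not ({"LoadLibraryA", "GetProcAddress"} <= names <= UPX_STUB_APIS):
        return False
    return all(len(f) == 1 for d, f in imports.items() if d.lower() != "kernel32.dll")


def iat_gaps(imports, ptr=4):
    """Thunk arrays are ptr-sized and null-terminated, so entries of one DLL sit
    ptr apart and the next DLL starts 2*ptr after the last entry; any other step
    means the listing omitted entries."""
    gaps, prev_end = [], None
    for dll, funcs in imports.items():
        addrs = [a for a, _ in funcs]
        gaps += [(dll, hex(a), hex(b)) for a, b in zip(addrs, addrs[1:]) if b - a != ptr]
        if prev_end is not None and addrs and addrs[0] - prev_end != 2 * ptr:
            gaps.append((dll, hex(prev_end), hex(addrs[0])))
        if addrs:
            prev_end = addrs[-1]
    return gaps


def triage(text=IAT_LISTING):
    imports = parse_iat(text)
    hints = {}
    for dll, funcs in imports.items():
        for _, name in funcs:
            if name is None:
                hints[f"{dll}!<ordinal>"] = "unnamed import; read the ordinal from the PE"
            elif name in HINTS:
                hints[f"{dll}!{name}"] = HINTS[name]
    return {"dll_count": len(imports), "upx_stub": looks_like_upx_stub(imports),
            "iat_gaps": iat_gaps(imports), "hints": hints}
```

On this listing the thunk addresses step by 4 within kernel32 and by 8 between DLLs, so the listing is complete and the stub heuristic fires. The practical next step is to unpack (for a stock UPX stub, `upx -d` works; a modified stub needs a dump after the unpacking loop) and re-examine the import table, because the imphash and impfuzzy in the header table above describe the stub, not the payload, and will match many unrelated UPX-packed files.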