ScreenShot
| Created | 2023.06.29 09:42 | Machine | s1_win7_x6402 |
| Filename | Setup.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 28 detected (AIDetectMalware, V5ek, VMProtect, Attribute, HighConfidence, BC suspicious, Artemis, malicious, moderate, score, ai score=85, unsafe, R053H09FN23) | ||
| md5 | cde3f3bde3a3a82bb4999ce1f4b81d14 | ||
| sha256 | a274df4744566cb76ab42d668d163ef8c73efcd43ffac8545f1213cc951ec6ea | ||
| ssdeep | 393216:reo6wzR++OQ4MTGK6fFdk+Y9GLxIXOa3BLSdOGWQCqnwgGa7zDOt:xs+OQ47gkdIXOXdlCVfmO | ||
| imphash | 91f4e0cc7a687a97a003ff6206e2edfb | ||
| impfuzzy | 12:SDQ3Eo39QO2p5g/gaZZRbjuc8MnbTOZGJjA/DW:SMUo3j4yjRUAa20DW | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a suspicious Powershell process |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Executes one or more WMI queries |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
user32.dll
0x10df000 MessageBoxW
pdh.dll
0x10df008 PdhCloseQuery
kernel32.dll
0x10df010 LoadResource
iphlpapi.dll
0x10df018 FreeMibTable
netapi32.dll
0x10df020 NetUserEnum
secur32.dll
0x10df028 DeleteSecurityContext
shell32.dll
0x10df030 ShellExecuteExW
advapi32.dll
0x10df038 AllocateAndInitializeSid
ole32.dll
0x10df040 CoUninitialize
ws2_32.dll
0x10df048 WSASocketW
ntdll.dll
0x10df050 RtlNtStatusToDosError
crypt.dll
0x10df058 BCryptGenRandom
crypt32.dll
0x10df060 CertEnumCertificatesInStore
powrprof.dll
0x10df068 CallNtPowerInformation
oleaut32.dll
0x10df070 SysAllocString
psapi.dll
0x10df078 GetPerformanceInfo
kernel32.dll
0x10df080 GetSystemTimeAsFileTime
kernel32.dll
0x10df088 HeapAlloc
0x10df08c HeapFree
0x10df090 ExitProcess
0x10df094 GetModuleHandleA
0x10df098 LoadLibraryA
0x10df09c GetProcAddress
EAT(Export Address Table) is none
user32.dll
0x10df000 MessageBoxW
pdh.dll
0x10df008 PdhCloseQuery
kernel32.dll
0x10df010 LoadResource
iphlpapi.dll
0x10df018 FreeMibTable
netapi32.dll
0x10df020 NetUserEnum
secur32.dll
0x10df028 DeleteSecurityContext
shell32.dll
0x10df030 ShellExecuteExW
advapi32.dll
0x10df038 AllocateAndInitializeSid
ole32.dll
0x10df040 CoUninitialize
ws2_32.dll
0x10df048 WSASocketW
ntdll.dll
0x10df050 RtlNtStatusToDosError
crypt.dll
0x10df058 BCryptGenRandom
crypt32.dll
0x10df060 CertEnumCertificatesInStore
powrprof.dll
0x10df068 CallNtPowerInformation
oleaut32.dll
0x10df070 SysAllocString
psapi.dll
0x10df078 GetPerformanceInfo
kernel32.dll
0x10df080 GetSystemTimeAsFileTime
kernel32.dll
0x10df088 HeapAlloc
0x10df08c HeapFree
0x10df090 ExitProcess
0x10df094 GetModuleHandleA
0x10df098 LoadLibraryA
0x10df09c GetProcAddress
EAT(Export Address Table) is none