ScreenShot
| Created | 2023.07.27 10:27 | Machine | s1_win7_x6401 |
| Filename | clp8.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 39 detected (AIDetectMalware, Artemis, Save, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, VMProtect, BC suspicious, score, Tasker, aznb, MalwareX, mcfky, Steam, high, Generic ML PUA, Static AI, Malicious PE, ai score=84, Wacatac, BScope, LClipper, Generic@AI, RDML, XtzoPoWZu06rlT+ZRNcs9A, susgen) | ||
| md5 | 1c88f016b6d72ca7ef779a70c24db73f | ||
| sha256 | ca51d2aa595aa0d00df79e4618d8c51595b1ff839817220c266751f37e7bd37d | ||
| ssdeep | 49152:lAhEmpgdFvlM27jPry6b4CJgGkN8iqXpHMxnTm5xKa8lPMqKWtPBccL8XPT:lcVGDSU66rGhNQXy0t8lPMq/8Xb | ||
| imphash | e5d16971e92a06f5e2ae459738b4c624 | ||
| impfuzzy | 6:546BF1lbbxVY6YbRjtlJoZ/O4ErBJAEHGDW:mSl3xVziTOZGJjA/DW | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
WININET.dll
0x629000 InternetOpenA
WS2_32.dll
0x629008 send
KERNEL32.dll
0x629010 GetACP
USER32.dll
0x629018 CloseClipboard
ADVAPI32.dll
0x629020 RegCreateKeyA
SHELL32.dll
0x629028 ShellExecuteA
KERNEL32.dll
0x629030 GetSystemTimeAsFileTime
KERNEL32.dll
0x629038 HeapAlloc
0x62903c HeapFree
0x629040 ExitProcess
0x629044 GetModuleHandleA
0x629048 LoadLibraryA
0x62904c GetProcAddress
EAT(Export Address Table) is none
WININET.dll
0x629000 InternetOpenA
WS2_32.dll
0x629008 send
KERNEL32.dll
0x629010 GetACP
USER32.dll
0x629018 CloseClipboard
ADVAPI32.dll
0x629020 RegCreateKeyA
SHELL32.dll
0x629028 ShellExecuteA
KERNEL32.dll
0x629030 GetSystemTimeAsFileTime
KERNEL32.dll
0x629038 HeapAlloc
0x62903c HeapFree
0x629040 ExitProcess
0x629044 GetModuleHandleA
0x629048 LoadLibraryA
0x62904c GetProcAddress
EAT(Export Address Table) is none