Field | Value |
---|---|
Created | 2023.08.02 16:46 |
Machine | s1_win7_x6401 |
Filename | c9f02f547a430b15b6ba7fdafc885046cdbc0af9eb113250c70b0d3f02e03ee2 |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 35 detected (AIDetectMalware, malicious, moderate confidence, Artemis, unsafe, Vwlr, ABRisk, MQGX, a variant of Generik, BTQRPSQ, uwuw, bthor, score, Malware@#7g8u0287gww3, Chgt, R002H0CBJ23, Gencirc, Bredavi, susgen, PossibleThreat) |
md5 | c467fc9aafa3b840fd94d27e697649b8 |
sha256 | c9f02f547a430b15b6ba7fdafc885046cdbc0af9eb113250c70b0d3f02e03ee2 |
ssdeep | 393216:qK/HZQeUKGFAnHpFWd5ThgtBkyKziLH/gwK519OM:qjeCFbTmtBkyd7/LK5zOM |
imphash | 595d48d7ee1be8572f51c8077df58b1f |
impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/GllIOGc9KJAm6WNLbS4QG:VA/DzqYOZO/FmzC4QG |
Signature (26cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Executed a process and injected code into it |
danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Disables proxy possibly for traffic interception |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for known Chinese AV software registry keys |
notice | Creates a shortcut to an executable file |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
Rules (29cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | NSIS_Installer | Null Soft Installer | binaries (download) |
warning | PhysicalDrive_20181001 | (no description) | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | CAB_file_format | CAB archive file | binaries (download) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (21cnts)
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.DLL
0x4418c4 LoadLibraryA
0x4418c8 GetProcAddress
0x4418cc VirtualProtect
0x4418d0 VirtualAlloc
0x4418d4 VirtualFree
0x4418d8 ExitProcess
COMCTL32.dll
0x4418e0 None
GDI32.dll
0x4418e8 DeleteDC
MSVCRT.dll
0x4418f0 exit
ole32.dll
0x4418f8 CoInitialize
OLEAUT32.dll
0x441900 SysAllocString
SHELL32.dll
0x441908 SHGetMalloc
USER32.dll
0x441910 GetDC
EAT (Export Address Table): none
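The import table above is the shape of a UPX loader stub rather than of the real program: kernel32 supplies only the six functions the decompression stub needs (LoadLibraryA and GetProcAddress to rebuild the real IAT after unpacking, VirtualProtect/VirtualAlloc/VirtualFree for the memory work, ExitProcess), and every other DLL is imported exactly once so the loader keeps it mapped. The Python below is an added example, not part of the report: it parses an IAT listing in this page's format, applies that stub heuristic, and builds the pefile-style imphash string (lowercased `lib.func`, extension stripped, ordinal imports as `ordN`, MD5 of the comma-joined list). The report prints the COMCTL32 import as `None`, which is how a by-ordinal import with no name appears, so its ordinal is unknown; the value 17 passed in the usage is a constructed placeholder, and the resulting hash is not expected to reproduce the imphash shown in the header. The second, unpacked import table is constructed as a contrast case.

```python
"""Parse a sandbox report's IAT block, compute a pefile-style imphash,
and flag an import table that looks like a UPX stub. Added example."""
import hashlib
import re
from collections import OrderedDict

# Constructed sample: the IAT listing as the report prints it.
IAT_TEXT = """\
KERNEL32.DLL
0x4418c4 LoadLibraryA
0x4418c8 GetProcAddress
0x4418cc VirtualProtect
0x4418d0 VirtualAlloc
0x4418d4 VirtualFree
0x4418d8 ExitProcess
COMCTL32.dll
0x4418e0 None
GDI32.dll
0x4418e8 DeleteDC
MSVCRT.dll
0x4418f0 exit
ole32.dll
0x4418f8 CoInitialize
OLEAUT32.dll
0x441900 SysAllocString
SHELL32.dll
0x441908 SHGetMalloc
USER32.dll
0x441910 GetDC
"""

# Constructed contrast: an ordinary, unpacked program's imports.
UNPACKED_IAT_TEXT = """\
KERNEL32.DLL
0x402000 CreateFileW
0x402004 WriteFile
0x402008 GetProcAddress
0x40200c LoadLibraryA
USER32.dll
0x402014 MessageBoxW
0x402018 GetDC
"""

ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)$")

# kernel32 functions the UPX stub needs; the unpacked payload resolves
# everything else itself through LoadLibraryA/GetProcAddress.
UPX_STUB_KERNEL32 = {"LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "VirtualFree", "ExitProcess"}


def parse_iat(text):
    """Map DLL name -> list of (iat_address, import_name).
    Any line that is not '0x... Name' starts a new DLL section."""
    imports = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            imports[current].append((int(m.group(1), 16), m.group(2)))
        else:
            current = line
            imports.setdefault(current, [])
    return imports


def imphash_string(imports, ordinals=None):
    """Build the string pefile's get_imphash() hashes: 'lib.func' per
    import, lib lowercased with .dll/.ocx/.sys stripped, func lowercased,
    by-ordinal imports as 'ordN'. The report shows such imports as 'None',
    so their numbers must come from `ordinals` (lib -> number)."""
    ordinals = ordinals or {}
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        for _addr, name in funcs:
            if name == "None":
                if lib not in ordinals:
                    raise ValueError(f"{dll}: ordinal not shown in report")
                func = f"ord{ordinals[lib]}"
            else:
                func = name.lower()
            parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports, ordinals=None):
    """MD5 hex digest of the imphash string."""
    return hashlib.md5(imphash_string(imports, ordinals).encode()).hexdigest()


def looks_like_upx_stub(imports):
    """Heuristic: kernel32 imports are a subset of the stub set and include
    LoadLibraryA + GetProcAddress; every other DLL is imported exactly once."""
    k32, other_counts = None, []
    for dll, funcs in imports.items():
        if dll.lower().split(".")[0] == "kernel32":
            k32 = {name for _addr, name in funcs}
        else:
            other_counts.append(len(funcs))
    if not k32 or not {"LoadLibraryA", "GetProcAddress"} <= k32:
        return False
    if not k32 <= UPX_STUB_KERNEL32:
        return False
    return bool(other_counts) and all(n == 1 for n in other_counts)


if __name__ == "__main__":
    iat = parse_iat(IAT_TEXT)
    print("UPX stub-like import table:", looks_like_upx_stub(iat))
    # Ordinal 17 is a placeholder (the report hides the real one), so this
    # hash is not expected to match the report's imphash.
    print("imphash with assumed comctl32 ordinal 17:", imphash(iat, {"comctl32": 17}))
```

The stub check is a triage hint, not proof of packing: a tiny hand-written loader or another packer can produce the same import shape, and the `UPX_Zero` YARA hit in the Rules table above is what confirms UPX here. Once the sample is unpacked in memory, the rebuilt IAT (and a fresh imphash taken from the dumped image) is the one worth pivoting on, because the stub's imphash is shared by every UPX-packed binary with the same stub layout.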