ScreenShot
| Created | 2023.08.02 16:51 | Machine | s1_win7_x6403 |
| Filename | update.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 26 detected (AIDetectMalware, Artemis, malicious, Attribute, HighConfidence, moderate confidence, score, high, Static AI, Suspicious PE, auxn, PossibleThreat, MUPX, Gen@24tbus, Phonzy, Detected, R325756, BScope, APosT, Generic@AI, RDML, SELtltjpue0, KisSuwg, confidence) | ||
| md5 | 5057042b2949c60f1d598845c26a2a18 | ||
| sha256 | e58d93351234c8ba5f47c653f57a7a45ddcb052afb8f331043836c4408533fa1 | ||
| ssdeep | 6144:ydkzF43SM5dCsenQjq2Zs4ogcAWUwxPk47oLFldV1jJrBBxRdE3ajLoSg84KH:y6zF4vCT4q2Z7NBWrl7EzdH9BL5LoSt | ||
| imphash | 604d14eda74ecb05dc3fd3f2233fd004 | ||
| impfuzzy | 6:omRgsyICeGaWvOYZBJAEoZ/OEGDzyRZr4BJTbBnaOAMyyTcf546PIIsLdJl0yn:omRgUoABZG/Dzgr4BJZLAITRIIIsLHlH | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to create or modify system certificates |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x4c1644 RegCloseKey
COMCTL32.dll
0x4c164c None
COMDLG32.dll
0x4c1654 GetSaveFileNameA
GDI32.dll
0x4c165c BitBlt
KERNEL32.DLL
0x4c1664 LoadLibraryA
0x4c1668 ExitProcess
0x4c166c GetProcAddress
0x4c1670 VirtualProtect
ole32.dll
0x4c1678 CoGetObject
OLEAUT32.dll
0x4c1680 SysStringLen
PSAPI.DLL
0x4c1688 GetModuleBaseNameA
SHELL32.dll
0x4c1690 DragFinish
USER32.dll
0x4c1698 GetDC
VERSION.dll
0x4c16a0 VerQueryValueA
WININET.dll
0x4c16a8 InternetOpenA
WINMM.dll
0x4c16b0 mixerOpen
WSOCK32.dll
0x4c16b8 WSAStartup
EAT(Export Address Table) is none
ADVAPI32.dll
0x4c1644 RegCloseKey
COMCTL32.dll
0x4c164c None
COMDLG32.dll
0x4c1654 GetSaveFileNameA
GDI32.dll
0x4c165c BitBlt
KERNEL32.DLL
0x4c1664 LoadLibraryA
0x4c1668 ExitProcess
0x4c166c GetProcAddress
0x4c1670 VirtualProtect
ole32.dll
0x4c1678 CoGetObject
OLEAUT32.dll
0x4c1680 SysStringLen
PSAPI.DLL
0x4c1688 GetModuleBaseNameA
SHELL32.dll
0x4c1690 DragFinish
USER32.dll
0x4c1698 GetDC
VERSION.dll
0x4c16a0 VerQueryValueA
WININET.dll
0x4c16a8 InternetOpenA
WINMM.dll
0x4c16b0 mixerOpen
WSOCK32.dll
0x4c16b8 WSAStartup
EAT(Export Address Table) is none