ScreenShot
| Created | 2023.08.07 08:38 | Machine | s1_win7_x6403 |
| Filename | demosyscalls.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 43 detected (Common, Havoc, malicious, high confidence, GenericKD, unsafe, Vndr, ABRisk, HXJN, Attribute, HighConfidence, score, Gencirc, R023C0XFE23, Wacatac, Detected, ai score=88, Chgt, 5kYgA61wTIM, susgen, confidence, 100%) | ||
| md5 | e3f125e7cc88a1c53cc68e1bcb273191 | ||
| sha256 | ebdc54df582be1cafb91a1948657212fe50229b09071b1cbb3d1b660cc707fc5 | ||
| ssdeep | 768:9bgyYWldBM19THIh9TxzGtZ4o+BGwC6M6IT7JAD14lthdxALrCPx1VskZhba/ejR:eyZ4THI7QQy7J84JACjZpbdHQz0PsYr | ||
| imphash | |||
| impfuzzy | 3:: | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to create or modify system certificates |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed