ScreenShot
| Created | 2023.08.08 09:30 | Machine | s1_win7_x6403 |
| Filename | Avast.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 46 detected (Molotov, Tedy, Artemis, Kryptik, V0r5, GenKryptik, malicious, Eldorado, Attribute, HighConfidence, high confidence, GIIA, score, Reflo, Gencirc, Nekark, ziplm, Siggen3, R002C0DH123, Krypt, Xmrig, Detected, R570072, ai score=82, unsafe, tSjl4DNY5BP, confidence) | ||
| md5 | 7735f97175abb2da0cfce029d211dc66 | ||
| sha256 | f973483d000cc45314d1d5df0b6f6f84d06421d4aea1988bfeb04e025aa2c2fc | ||
| ssdeep | 98304:IyZY8x15pS6O7Q1Oaw50T7NxVcNPx60hinhP9D1AJrix7JDg:IsbuQ1BwqJxVY560hQ5Wyls | ||
| imphash | d3be2dc19ba54f7225d7679c3f791cf7 | ||
| impfuzzy | 24:1fPJx+kTdF0tWJd1jIlMblRf5XG6qXZgJkomvlA/GbtcqcJvZJF:1fPL+kT6kSslJJG6qJgk1vm/GbuqcJLF | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3
ET MALWARE Win32/Pripyat Activity (POST)
ET MALWARE Win32/Pripyat Activity (POST)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1409f429c CloseHandle
0x1409f42a4 CreateSemaphoreW
0x1409f42ac DeleteCriticalSection
0x1409f42b4 EnterCriticalSection
0x1409f42bc GetCurrentThreadId
0x1409f42c4 GetLastError
0x1409f42cc GetStartupInfoA
0x1409f42d4 InitializeCriticalSection
0x1409f42dc IsDBCSLeadByteEx
0x1409f42e4 LeaveCriticalSection
0x1409f42ec MultiByteToWideChar
0x1409f42f4 RaiseException
0x1409f42fc ReleaseSemaphore
0x1409f4304 RtlCaptureContext
0x1409f430c RtlLookupFunctionEntry
0x1409f4314 RtlUnwindEx
0x1409f431c RtlVirtualUnwind
0x1409f4324 SetLastError
0x1409f432c SetUnhandledExceptionFilter
0x1409f4334 Sleep
0x1409f433c TlsAlloc
0x1409f4344 TlsFree
0x1409f434c TlsGetValue
0x1409f4354 TlsSetValue
0x1409f435c VirtualProtect
0x1409f4364 VirtualQuery
0x1409f436c WaitForSingleObject
0x1409f4374 WideCharToMultiByte
msvcrt.dll
0x1409f4384 __C_specific_handler
0x1409f438c ___lc_codepage_func
0x1409f4394 ___mb_cur_max_func
0x1409f439c __getmainargs
0x1409f43a4 __initenv
0x1409f43ac __iob_func
0x1409f43b4 __set_app_type
0x1409f43bc __setusermatherr
0x1409f43c4 _acmdln
0x1409f43cc _amsg_exit
0x1409f43d4 _cexit
0x1409f43dc _commode
0x1409f43e4 _errno
0x1409f43ec _fmode
0x1409f43f4 _initterm
0x1409f43fc _onexit
0x1409f4404 _wcsicmp
0x1409f440c _wcsnicmp
0x1409f4414 abort
0x1409f441c calloc
0x1409f4424 exit
0x1409f442c fprintf
0x1409f4434 fputc
0x1409f443c fputs
0x1409f4444 fputwc
0x1409f444c free
0x1409f4454 fwprintf
0x1409f445c fwrite
0x1409f4464 localeconv
0x1409f446c malloc
0x1409f4474 memcpy
0x1409f447c memset
0x1409f4484 realloc
0x1409f448c signal
0x1409f4494 strcat
0x1409f449c strcmp
0x1409f44a4 strerror
0x1409f44ac strlen
0x1409f44b4 strncmp
0x1409f44bc strstr
0x1409f44c4 vfprintf
0x1409f44cc wcscat
0x1409f44d4 wcscpy
0x1409f44dc wcslen
0x1409f44e4 wcsncmp
0x1409f44ec wcsstr
EAT(Export Address Table) is none
KERNEL32.dll
0x1409f429c CloseHandle
0x1409f42a4 CreateSemaphoreW
0x1409f42ac DeleteCriticalSection
0x1409f42b4 EnterCriticalSection
0x1409f42bc GetCurrentThreadId
0x1409f42c4 GetLastError
0x1409f42cc GetStartupInfoA
0x1409f42d4 InitializeCriticalSection
0x1409f42dc IsDBCSLeadByteEx
0x1409f42e4 LeaveCriticalSection
0x1409f42ec MultiByteToWideChar
0x1409f42f4 RaiseException
0x1409f42fc ReleaseSemaphore
0x1409f4304 RtlCaptureContext
0x1409f430c RtlLookupFunctionEntry
0x1409f4314 RtlUnwindEx
0x1409f431c RtlVirtualUnwind
0x1409f4324 SetLastError
0x1409f432c SetUnhandledExceptionFilter
0x1409f4334 Sleep
0x1409f433c TlsAlloc
0x1409f4344 TlsFree
0x1409f434c TlsGetValue
0x1409f4354 TlsSetValue
0x1409f435c VirtualProtect
0x1409f4364 VirtualQuery
0x1409f436c WaitForSingleObject
0x1409f4374 WideCharToMultiByte
msvcrt.dll
0x1409f4384 __C_specific_handler
0x1409f438c ___lc_codepage_func
0x1409f4394 ___mb_cur_max_func
0x1409f439c __getmainargs
0x1409f43a4 __initenv
0x1409f43ac __iob_func
0x1409f43b4 __set_app_type
0x1409f43bc __setusermatherr
0x1409f43c4 _acmdln
0x1409f43cc _amsg_exit
0x1409f43d4 _cexit
0x1409f43dc _commode
0x1409f43e4 _errno
0x1409f43ec _fmode
0x1409f43f4 _initterm
0x1409f43fc _onexit
0x1409f4404 _wcsicmp
0x1409f440c _wcsnicmp
0x1409f4414 abort
0x1409f441c calloc
0x1409f4424 exit
0x1409f442c fprintf
0x1409f4434 fputc
0x1409f443c fputs
0x1409f4444 fputwc
0x1409f444c free
0x1409f4454 fwprintf
0x1409f445c fwrite
0x1409f4464 localeconv
0x1409f446c malloc
0x1409f4474 memcpy
0x1409f447c memset
0x1409f4484 realloc
0x1409f448c signal
0x1409f4494 strcat
0x1409f449c strcmp
0x1409f44a4 strerror
0x1409f44ac strlen
0x1409f44b4 strncmp
0x1409f44bc strstr
0x1409f44c4 vfprintf
0x1409f44cc wcscat
0x1409f44d4 wcscpy
0x1409f44dc wcslen
0x1409f44e4 wcsncmp
0x1409f44ec wcsstr
EAT(Export Address Table) is none