Created | 2023.09.02 18:43 | Machine | s1_win7_x6401
Filename | soso.exe
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
ZERO API | file : malware
VT API (file) | 52 detected (AIDetectMalware, Lazy, Malicious, score, unsafe, Save, Dapato, Eldorado, Attribute, HighConfidence, high confidence, Fabookie, DcRat, BNER4NzZWDL, AMADEY, YXDIBZ, high, Static AI, Suspicious PE, 102OIFV, Detected, R497632, GenericRXTU, ai score=87, BScope, Nitol, Genetic, Tnega, susgen, Tiny, confidence, 100%)
md5 | 6dc87042689e8ee4fcf2ad4978251c44
sha256 | 836253d5026a357aa7d50bb553c16481812b8462541c1ac16730c72af29508a9
ssdeep | 24576:r6Q9aqCsrhw925qvq81iVh7gyR3cx0FVKwxp1:mL0a25FH7gyR9/Kwxp
imphash | a9c887a4f18a3fede2cc29ceea138ed3
impfuzzy | 6:HMJqX0umyRwXJxSBS0H5sD4sIWDLb4iPEcn:sJqpRSY58PLPXn
Signatures (7)
Level | Description
---|---
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
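The two notices "Drops an executable to the user AppData folder" and "Drops a binary and executes it" are a single chain when seen from an endpoint: a process writes an executable under a user's AppData tree and then starts it itself. The following is an added example (not part of the sandbox report) that joins those two events over Sysmon-style records; EventID 11 is FileCreate and EventID 1 is ProcessCreate, as in Sysmon. The sample events, the dropped file name and the paths are constructed placeholders, not data from the report.

```python
"""Correlate 'drop an executable into AppData' with 'execute it', the chain the
signatures above describe, over Sysmon-style events.

Added example, not part of the sandbox report. Field names follow Sysmon
(EventID 11 = FileCreate, EventID 1 = ProcessCreate). The sample events are
constructed for illustration; the dropped file name and paths are placeholders,
not data from the report.
"""
from datetime import datetime
import re

# Constructed sample events (placeholders, not from the report).
EVENTS = [
    {"EventID": 1, "UtcTime": "2023-09-02 18:43:01.000",
     "Image": r"C:\Users\user\Desktop\soso.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2023-09-02 18:43:02.100",
     "Image": r"C:\Users\user\Desktop\soso.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\payload.exe"},
    {"EventID": 1, "UtcTime": "2023-09-02 18:43:02.300",
     "Image": r"C:\Users\user\AppData\Roaming\payload.exe",
     "ParentImage": r"C:\Users\user\Desktop\soso.exe"},
    # Benign-looking: an updater writes a helper into AppData ...
    {"EventID": 11, "UtcTime": "2023-09-02 18:50:00.000",
     "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Vendor\helper.exe"},
    # ... which the user starts minutes later from Explorer: not the dropper chain.
    {"EventID": 1, "UtcTime": "2023-09-02 18:55:00.000",
     "Image": r"C:\Users\user\AppData\Local\Vendor\helper.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Matches <drive>:\Users\<name>\AppData\ regardless of case.
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".com")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_appdata_executable(path):
    """True for an executable written under a user's AppData tree."""
    return bool(APPDATA_RE.match(path)) and path.lower().endswith(EXEC_EXT)


def correlate_drop_and_execute(events, window_seconds=60):
    """Alert when a process writes an executable into AppData and then starts it
    itself (ParentImage == writer) within window_seconds of the write."""
    drops = {}   # lower-cased dropped path -> (writer image, write time)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        if ev["EventID"] == 11 and is_appdata_executable(ev["TargetFilename"]):
            drops[ev["TargetFilename"].lower()] = (ev["Image"], parse_time(ev["UtcTime"]))
        elif ev["EventID"] == 1:
            drop = drops.get(ev["Image"].lower())
            if drop is None:
                continue
            writer, t_drop = drop
            delay = (parse_time(ev["UtcTime"]) - t_drop).total_seconds()
            if ev.get("ParentImage", "").lower() == writer.lower() and 0 <= delay <= window_seconds:
                alerts.append({"dropper": writer, "dropped": ev["Image"], "delay_s": delay})
    return alerts


if __name__ == "__main__":
    for a in correlate_drop_and_execute(EVENTS):
        print(f"{a['dropper']} dropped and executed {a['dropped']} after {a['delay_s']:.1f}s")
```

Requiring the writer to be the parent of the new process trades recall for precision: a dropper that starts its payload through a scheduled task, a service or another broker would show a different parent and needs a second rule. The benign updater in the sample data is recorded as a drop but never produces an alert, because the later launch comes from Explorer and falls outside the window.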
Rules (9)
Level | Name | Description | Collection
---|---|---|---
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
msvcrt.dll
0x501ac0 malloc
0x501ac4 memset
0x501ac8 strcmp
0x501acc strcpy
0x501ad0 getenv
0x501ad4 sprintf
0x501ad8 fopen
0x501adc fwrite
0x501ae0 fclose
0x501ae4 __argc
0x501ae8 __argv
0x501aec _environ
0x501af0 _XcptFilter
0x501af4 __set_app_type
0x501af8 _controlfp
0x501afc __getmainargs
0x501b00 exit
shell32.dll
0x501b08 ShellExecuteA
kernel32.dll
0x501b10 SetUnhandledExceptionFilter
EAT (Export Address Table): none
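The import table above is small enough to read by hand: getenv and sprintf build a path, fopen/fwrite/fclose write a file, and ShellExecuteA runs it, which lines up with the "drops an executable to AppData and executes it" signatures. The remaining msvcrt imports (__getmainargs, __set_app_type, _controlfp, _XcptFilter) together with SetUnhandledExceptionFilter are the usual C runtime start-up imports of a MinGW-style build. Note what is absent: no VirtualAlloc, VirtualProtect, LoadLibraryA or GetProcAddress, so neither the RWX-memory signature nor the UPX_Zero rule (which hit the "binaries (download)" collection) is explained by soso.exe's static imports; it is worth checking whether those came from a binary collected during the run. The following is an added example (not part of the sandbox report) that parses the listing as printed, computes an imphash using the same normalisation pefile applies, and records which reported behaviours the imports account for. IAT_TEXT is copied from the listing; the behaviour mapping is this example's own heuristic, not the sandbox's rule set.

```python
"""Triage a PE import listing: parse it, compute an imphash the way pefile does,
and map the imported APIs to the behaviours the sandbox reported.

Added example, not part of the sandbox report. IAT_TEXT is copied from the
report's IAT listing; the behaviour mapping below is this example's own
heuristic, not the sandbox's rule set.
"""
import hashlib
import re

IAT_TEXT = """
msvcrt.dll
0x501ac0 malloc
0x501ac4 memset
0x501ac8 strcmp
0x501acc strcpy
0x501ad0 getenv
0x501ad4 sprintf
0x501ad8 fopen
0x501adc fwrite
0x501ae0 fclose
0x501ae4 __argc
0x501ae8 __argv
0x501aec _environ
0x501af0 _XcptFilter
0x501af4 __set_app_type
0x501af8 _controlfp
0x501afc __getmainargs
0x501b00 exit
shell32.dll
0x501b08 ShellExecuteA
kernel32.dll
0x501b10 SetUnhandledExceptionFilter
"""

DLL_LINE = re.compile(r"^([\w.-]+\.(?:dll|ocx|sys))$", re.IGNORECASE)
IMPORT_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat(text):
    """Return [(dll, function), ...] in listing order; order matters for imphash."""
    imports, dll = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DLL_LINE.match(line)
        if m:
            dll = m.group(1)
            continue
        m = IMPORT_LINE.match(line)
        if m and dll:
            imports.append((dll, m.group(1)))
    return imports


def imphash_input(imports):
    """pefile normalisation: lower-case, drop a .dll/.ocx/.sys suffix, join
    'lib.func' entries with commas. Imports by ordinal (rendered 'ordN' by
    pefile) do not occur in this listing and are not handled here."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_input(imports).encode()).hexdigest()


# Heuristic: a behaviour is accounted for when every API in its set is imported.
BEHAVIOUR_RULES = {
    "writes a file (fopen/fwrite/fclose)": {"fopen", "fwrite", "fclose"},
    "builds a path from an environment variable (getenv/sprintf)": {"getenv", "sprintf"},
    "launches a file via the shell (ShellExecuteA)": {"shellexecutea"},
    "allocates memory through the Win32 API (VirtualAlloc)": {"virtualalloc"},
    "resolves APIs at run time (LoadLibraryA/GetProcAddress)": {"loadlibrarya", "getprocaddress"},
}


def behaviours(imports):
    names = {func.lower() for _, func in imports}
    return {label: apis <= names for label, apis in BEHAVIOUR_RULES.items()}


if __name__ == "__main__":
    imps = parse_iat(IAT_TEXT)
    print("imphash:", imphash(imps))
    for label, present in behaviours(imps).items():
        print(("[x] " if present else "[ ] ") + label)
```

If the listing is complete and in the binary's import-directory order, imphash() should reproduce the report's imphash field; a mismatch means the listing was reordered or truncated, which is the first thing to rule out before comparing the value against other samples.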