ScreenShot
| Created | 2023.09.06 17:22 | Machine | s1_win7_x6401 |
| Filename | 55aa5e.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 43 detected (AIDetectMalware, malicious, high confidence, GenericKD, Gencbl, Vblk, ZexaF, @J1@a0x67VhG, ABRisk, ZCOY, Attribute, HighConfidence, score, etqk, MalwareX, Gencirc, srnwd, AMADEY, YXDIBZ, Artemis, high, ai score=82, Wacatac, Detected, BotX, R602829, unsafe, Chgt, h21d4noU50C, susgen, confidence) | ||
| md5 | 78eb8723e130e9fa470b87208650fe31 | ||
| sha256 | a03e2e89dce3e17342eb06426afccb493b05ecc4b41b6f702a2104222a7867ca | ||
| ssdeep | 98304:nS43xahSd6uMY2YDrL+HAiREyJTtJ+BbMdEULa0kGlV35spy45MXFoWMmwTns7ct:nkYBrwEy8BbDGV35spuVRM9nRpc7v+D | ||
| imphash | ecb125da1bbce59b61a3dc18c66efab2 | ||
| impfuzzy | 6:AqFRgKLbV6n9GjXA8VyH/JLGMZ/OiBJAEnERGDW:7RgZ9Ww8sZGMZGqAJcDW | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a suspicious process |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x7c6000 GetVersionExW
ADVAPI32.dll
0x7c6008 RegCloseKey
SHELL32.dll
0x7c6010 ShellExecuteA
WININET.dll
0x7c6018 HttpOpenRequestA
KERNEL32.dll
0x7c6020 GetSystemTimeAsFileTime
USER32.dll
0x7c6028 CharUpperBuffW
KERNEL32.dll
0x7c6030 LocalAlloc
0x7c6034 LocalFree
0x7c6038 GetModuleFileNameW
0x7c603c ExitProcess
0x7c6040 LoadLibraryA
0x7c6044 GetModuleHandleA
0x7c6048 GetProcAddress
EAT(Export Address Table) is none
KERNEL32.dll
0x7c6000 GetVersionExW
ADVAPI32.dll
0x7c6008 RegCloseKey
SHELL32.dll
0x7c6010 ShellExecuteA
WININET.dll
0x7c6018 HttpOpenRequestA
KERNEL32.dll
0x7c6020 GetSystemTimeAsFileTime
USER32.dll
0x7c6028 CharUpperBuffW
KERNEL32.dll
0x7c6030 LocalAlloc
0x7c6034 LocalFree
0x7c6038 GetModuleFileNameW
0x7c603c ExitProcess
0x7c6040 LoadLibraryA
0x7c6044 GetModuleHandleA
0x7c6048 GetProcAddress
EAT(Export Address Table) is none