Report - qwerty.chm

AntiDebug AntiVM CHM Format

ScreenShot

Info
Location map


Created	2023.09.11 18:07	Machine	s1_win7_x6401
Filename	qwerty.chm
Type	MS Windows HtmlHelp Data
AI Score	Not founds	Behavior Score	4.6
ZERO API	file : clean
VT API (file)	19 detected (Bitter, Save, gen150, ActiveX, S2220, ai score=88, MouseJack, CLASSIC)
md5	b556bd47157695e3e0b279d56401026f
sha256	7829b84b5e415ff682f3ef06b9a80f64be5ef6d1d2508597f9e0998b91114499
ssdeep	48:Ebo5gfQ0OQRlEFlErlElT5skJxMNvIfVsK0TWI9i1tsBPTAaS0pTNvmDZ9RFdDr5:AlQZJmROp0TWI9wts71TmBFd/
imphash
impfuzzy

Network IP location

Signature (12cnts)

Level	Description
watch	File has been identified by 19 AntiVirus engines on VirusTotal as malicious
watch	Installs itself for autorun at Windows startup
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates a suspicious process
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Collects information to fingerprint the system (MachineGuid
info	Command line console output was observed
info	Queries for the computername

Rules (9cnts)

Level	Name	Description	Collection
info	anti_dbg	Checks if being debugged	memory
info	chm_file_format	chm file format	binaries (upload)
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (0cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure