ScreenShot
Field | Value |
---|---|
Created | 2023.09.19 17:51 |
Machine | s1_win7_x6402 |
Filename | qqdownloadftnv5.xls |
Type | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 936, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:17:20 2015, Last Saved Time/Date: Mon Sep 18 07:49:44 2023, Security: 0 |
AI Score | Not found |
Behavior Score | |
ZERO API | file : malicious |
VT API (file) | 48 detected (Kagatang, Laroux, malicious, high confidence, Save, Escoper, ExcelSic, fkbqor, MRACS, MulDrop23, KANGATANG, CPACS, OLE2, Detected, Malware@#3lul0pkw0nefx, score, ai score=81, CLASSIC, Static AI, Malicious OLE, Valyria) |
md5 | a0939fe019485426ee55b070d62b7352 |
sha256 | 054d32f119d8fa26a040842ebf7e523a4f7203037cb42238490bbdbaf69dbb4d |
ssdeep | 768:WvT2CQ6T5Lxk3hOdsylKlgryzc4bNhZFGzE+ch4LgldAlQ5rd142DuG8yC:iPxk3hOdsylKlgryzc4bNhZFGzE+ch4R |
imphash | |
impfuzzy | |
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
watch | One or more non-whitelisted processes were created |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Yara rule detected in process memory |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Contains_VBA_macro_code | Detect a MS Office document with embedded VBA macro code [binaries] | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|