ScreenShot
| Created | 2023.09.23 20:10 | Machine | s1_win7_x6403 |
| Filename | gate4.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 23 detected (Scar, malicious, high confidence, V6yi, confidence, ABRisk, RMOZ, Attribute, HighConfidence, VMProtect, R suspicious, tqlz, InjectorX, Artemis, Generic Reputation PUA, Sabsik, Detected, unsafe, CLOUD, susgen) | ||
| md5 | 8a6554c54d9040abfbbaa853c9abce67 | ||
| sha256 | acdbcef3bcab8f9a42871c9d85702ab267995726d8874ba5b837c7dfe2222dad | ||
| ssdeep | 196608:3ezOWEWgS5TZmOT94Ii4F8t5QBPYymcbk:3fW75TpT94Iz8t5QBQymcbk | ||
| imphash | a4308f82c6f6f467c58289d16d7acab2 | ||
| impfuzzy | 6:nEJt4GVzRgKLbXwNbsOg/JLGMZ/OiBJAEnERGDW:EJt4GZRgIwxvgZGMZGqAJcDW | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
| watch | DEP was bypassed by marking part of the stack executable by the process gate4.exe |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x140907000 GetModuleHandleA
USER32.dll
0x140907010 CharNextA
ADVAPI32.dll
0x140907020 RegCloseKey
SHELL32.dll
0x140907030 ShellExecuteA
ole32.dll
0x140907040 CoCreateInstance
kernel32.dll
0x140907050 LocalAlloc
0x140907058 LocalFree
0x140907060 GetModuleFileNameW
0x140907068 ExitProcess
0x140907070 LoadLibraryA
0x140907078 GetModuleHandleA
0x140907080 GetProcAddress
EAT(Export Address Table) is none
kernel32.dll
0x140907000 GetModuleHandleA
USER32.dll
0x140907010 CharNextA
ADVAPI32.dll
0x140907020 RegCloseKey
SHELL32.dll
0x140907030 ShellExecuteA
ole32.dll
0x140907040 CoCreateInstance
kernel32.dll
0x140907050 LocalAlloc
0x140907058 LocalFree
0x140907060 GetModuleFileNameW
0x140907068 ExitProcess
0x140907070 LoadLibraryA
0x140907078 GetModuleHandleA
0x140907080 GetProcAddress
EAT(Export Address Table) is none