Field | Value
---|---
Created | 2023.10.05 17:02
Machine | s1_win7_x6403
Filename | 445.jpg
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
ZERO API | file : malware
VT API (file) | 55 detected (GenericKD, Lotok, CoinMiner, Save, CryptoMiner, Redosdru, malicious, confidence, 100%, ABRisk, LRZF, Attribute, HighConfidence, moderate confidence, score, Tiggre, Inject4, juvirf, FileRepMalware, Misc, Cplw, BlackMoon Packed, USASHC223, high, Static AI, Malicious PE, AGEN, BlackMoon, Malware@#3mcflnpl4b58a, Detected, R478332, Artemis, ai score=83, BScope, Scar, unsafe, liJqKmSiZsG, susgen, ZexaF, jmKfaGYrGVbb)
md5 | 30000f8e4ee5bce90382de83814fb8c9
sha256 | b4d9b5d3d64ad7f196968726aa001a707275989448c4a04f347e954a0497b8c4
ssdeep | 3072:Qu1wEL68jjUFQD1FEKwoTLP8lp3b+yqlINNCHvsKG:XwExj4CD1FBwAYl06NNmZG
imphash | d3bf781bd66135a7bd8deadf2ada0204
impfuzzy | 3:oTEKCVRv8sWBJAEPw1MO/OywS9KTXzhAXwEQaxRYNLbK1djWNcEVKSxAdYgGRbKG:omVduBJAEoZ/OEGDzyRMb2oNfxAdYgGx
Network IP location
Signature (18 entries)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) |
warning | Disables Windows Security features |
watch | Deletes executed files from disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (14 entries)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table)

Library | Address | Function
---|---|---
ADVAPI32.dll | 0x47c360 | RegFlushKey
KERNEL32.DLL | 0x47c368 | LoadLibraryA
KERNEL32.DLL | 0x47c36c | ExitProcess
KERNEL32.DLL | 0x47c370 | GetProcAddress
KERNEL32.DLL | 0x47c374 | VirtualProtect
SHELL32.dll | 0x47c37c | None
SHLWAPI.dll | 0x47c384 | PathFileExistsA
USER32.dll | 0x47c38c | wsprintfA
WINSPOOL.DRV | 0x47c394 | AddMonitorA

EAT (Export Address Table): none