ScreenShot
| Created | 2023.10.27 10:08 | Machine | s1_win7_x6402 |
| Filename | E-FILLING FORM B.bat | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 34 detected (AIDetectMalware, Kutaki, malicious, Attribute, HighConfidence, high confidence, score, CLASSIC, TSPY, VBKEYLOG, moderate, Static AI, Malicious PE, adrmt, Detected, Phonzy, Eldorado, R513616, unsafe, Genetic, ZevbaF, so0@aCxDQMbi, confidence) | ||
| md5 | 252278969fa0d8c1cc719e73b61a76a4 | ||
| sha256 | 617cc50e0428e187c69d94da100ea9d3653a1b557e0cb76ba8a767a919192195 | ||
| ssdeep | 49152:ikWk5cS7a+9XYaQ9Zehc4mTYJ78V9gyBn4c0fmP/SA8N:WajJSZ942KQV9hp4dfmP/SA8 | ||
| imphash | 67a5ce7c8e5c25b362b22ebccab00cb1 | ||
| impfuzzy | 12:nTOWpTOQ8MYqUwT8zTPMswDsoTdU61n9anhmnaICTKTpiMRUR9lx9GSwmRax:nWW83MZU66nSaaTpiMRGTNfax | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
MSVBVM60.DLL
0x401000 None
0x401004 None
0x401008 None
0x40100c MethCallEngine
0x401010 None
0x401014 None
0x401018 None
0x40101c None
0x401020 None
0x401024 None
0x401028 None
0x40102c None
0x401030 None
0x401034 None
0x401038 None
0x40103c None
0x401040 None
0x401044 None
0x401048 None
0x40104c None
0x401050 EVENT_SINK_AddRef
0x401054 None
0x401058 None
0x40105c DllFunctionCall
0x401060 None
0x401064 None
0x401068 None
0x40106c EVENT_SINK_Release
0x401070 None
0x401074 None
0x401078 EVENT_SINK_QueryInterface
0x40107c __vbaExceptHandler
0x401080 None
0x401084 None
0x401088 None
0x40108c None
0x401090 None
0x401094 None
0x401098 None
0x40109c None
0x4010a0 None
0x4010a4 None
0x4010a8 ProcCallEngine
0x4010ac None
0x4010b0 None
0x4010b4 None
0x4010b8 None
0x4010bc None
0x4010c0 None
0x4010c4 None
0x4010c8 None
0x4010cc None
0x4010d0 None
0x4010d4 None
0x4010d8 None
0x4010dc None
0x4010e0 None
0x4010e4 None
0x4010e8 None
0x4010ec None
0x4010f0 None
EAT(Export Address Table) is none
MSVBVM60.DLL
0x401000 None
0x401004 None
0x401008 None
0x40100c MethCallEngine
0x401010 None
0x401014 None
0x401018 None
0x40101c None
0x401020 None
0x401024 None
0x401028 None
0x40102c None
0x401030 None
0x401034 None
0x401038 None
0x40103c None
0x401040 None
0x401044 None
0x401048 None
0x40104c None
0x401050 EVENT_SINK_AddRef
0x401054 None
0x401058 None
0x40105c DllFunctionCall
0x401060 None
0x401064 None
0x401068 None
0x40106c EVENT_SINK_Release
0x401070 None
0x401074 None
0x401078 EVENT_SINK_QueryInterface
0x40107c __vbaExceptHandler
0x401080 None
0x401084 None
0x401088 None
0x40108c None
0x401090 None
0x401094 None
0x401098 None
0x40109c None
0x4010a0 None
0x4010a4 None
0x4010a8 ProcCallEngine
0x4010ac None
0x4010b0 None
0x4010b4 None
0x4010b8 None
0x4010bc None
0x4010c0 None
0x4010c4 None
0x4010c8 None
0x4010cc None
0x4010d0 None
0x4010d4 None
0x4010d8 None
0x4010dc None
0x4010e0 None
0x4010e4 None
0x4010e8 None
0x4010ec None
0x4010f0 None
EAT(Export Address Table) is none