Field | Value |
---|---|
Created | 2023.12.11 20:00 |
Machine | s1_win7_x6401 |
Filename | setup294.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 46 detected (AIDetectMalware, Fero, Lazy, unsafe, Zenpak, Kryptik, V5ne, ZedlaF, @I8@ayfXccai, Attribute, HighConfidence, malicious, high confidence, HVNO, score, TrojanX, hdolk, PRIVATELOADER, YXDLJZ, Krypt, RemoteAdmin, NetCat, Eldorado, X9PBD8, Detected, Zusy, ai score=89, Chgt, Generic@AI, RDML, 2oIvsHJRxxv2Yh6SsLCdSg, Static AI, Malicious SFX, HUEI, confidence, 100%) |
md5 | f6817fb73608c56fbae10d7189621efd |
sha256 | 5ee5c46d61a945ad630a4d86a34959cb99242006a87b6d03f6c3f0ac96afa279 |
ssdeep | 49152:cYElmEMylsn4bjNFWXiB5YgAAvtQifHbThuYb7zCsoI8QD016MLmevRCT:cYE0olsn43NASB5cAvtQif74wfCstL0k |
imphash | e24e2b765a0ca8ebb142df10bd69ab5c |
impfuzzy | 24:SVB+5T0v+GdMqhR9F3EDywkOxgO8B4XFjvcW:i+x02GyqdFpO98e5cW |
Signature (11cnts)
Level | Description |
---|---|
danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
watch | Deletes executed files from disk |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | The executable uses a known packer |
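The three "drops" signatures and the "deletes executed files" signature above are one chain: a file is written to a user-writable directory, started as a process, and then removed. The block below is an added example of the correlation logic that raises those signatures from an event stream; it is not the sandbox vendor's code. The Sysmon-style key=value events are constructed for the example (the page shows no raw event log), the user name and paths are made up, and only the dropper's file name setup294.exe comes from the report.

```python
import re
from dataclasses import dataclass

# Sysmon-style key=value events. Constructed for this example; the page does not
# show the sandbox's raw event log. Only the dropper name setup294.exe is the report's.
SAMPLE_EVENTS = r"""
EventID=11 Image=C:\Users\alice\Downloads\setup294.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\stage2.exe
EventID=1 Image=C:\Users\alice\AppData\Local\Temp\stage2.exe ParentImage=C:\Users\alice\Downloads\setup294.exe
EventID=23 Image=C:\Users\alice\Downloads\setup294.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\stage2.exe
EventID=11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\Temp\update.log
EventID=11 Image=C:\Users\alice\AppData\Local\Temp\stage2.exe TargetFilename=C:\Users\alice\AppData\Roaming\helper.dll
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Per-user and machine-wide locations that an unprivileged user can write to.
USER_WRITABLE = re.compile(r"^c:\\(?:users\\[^\\]+\\appdata\\|programdata\\)", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".com")


@dataclass
class Dropped:
    path: str
    dropper: str
    executed: bool = False
    parent_is_dropper: bool = False
    deleted_after_exec: bool = False


def parse_event(line):
    return dict(FIELD_RE.findall(line))


def correlate(lines):
    """Track every executable written to a user-writable directory (EventID 11)
    through its execution (EventID 1) and a later deletion (EventID 23)."""
    dropped = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "11":
            target = ev.get("TargetFilename", "")
            if USER_WRITABLE.match(target) and target.lower().endswith(EXEC_EXT):
                dropped[target.lower()] = Dropped(target, ev.get("Image", ""))
        elif eid == "1":
            image = ev.get("Image", "").lower()
            if image in dropped:
                d = dropped[image]
                d.executed = True
                d.parent_is_dropper = ev.get("ParentImage", "").lower() == d.dropper.lower()
        elif eid == "23":
            target = ev.get("TargetFilename", "").lower()
            if target in dropped and dropped[target].executed:
                dropped[target].deleted_after_exec = True
    return list(dropped.values())


def signatures(findings):
    """Map each correlated chain onto the report's own signature wording and levels."""
    out = []
    for d in findings:
        if "\\appdata\\" in d.path.lower():
            out.append(("notice", "Drops an executable to the user AppData folder", d.path))
        if d.executed:
            out.append(("notice", "Drops a binary and executes it", d.path))
        if d.deleted_after_exec:
            out.append(("watch", "Deletes executed files from disk", d.path))
    return out


if __name__ == "__main__":
    for level, desc, path in signatures(correlate(SAMPLE_EVENTS.splitlines())):
        print(f"{level:7} {desc}: {path}")
```

The delete is only escalated to "watch" when the same path was executed first; a dropper that cleans up an installer it never ran (helper.dll in the sample) stays at "notice". The parent-is-dropper flag is kept separately because the report's "Drops a binary and executes it" fires on the execution itself, not on who launched it.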
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
No network requests were recorded for this run (Request / CC / ASN Co / IP4 / Rule / ZERO table is empty), and the Suricata IDS section is empty.
PE API
IAT (Import Address Table)
USER32.dll
0x4080f8 MessageBoxA
SHELL32.dll
0x4080f0 ShellExecuteExW
MSVCRT.dll
0x40808c _controlfp
0x408090 _except_handler3
0x408094 __set_app_type
0x408098 __p__fmode
0x40809c __p__commode
0x4080a0 _adjust_fdiv
0x4080a4 __setusermatherr
0x4080a8 _initterm
0x4080ac __getmainargs
0x4080b0 _acmdln
0x4080b4 exit
0x4080b8 _XcptFilter
0x4080bc _exit
0x4080c0 memcpy
0x4080c4 free
0x4080c8 malloc
0x4080cc wcscmp
0x4080d0 memcmp
0x4080d4 memmove
0x4080d8 strlen
0x4080dc wcslen
0x4080e0 wcscpy
0x4080e4 wcscat
0x4080e8 memset
KERNEL32.dll
0x408000 CreateProcessW
0x408004 GetStartupInfoA
0x408008 GetModuleHandleA
0x40800c GetModuleHandleW
0x408010 GetProcAddress
0x408014 GetSystemDirectoryW
0x408018 lstrlenW
0x40801c lstrcatW
0x408020 LoadLibraryExW
0x408024 GetVersionExW
0x408028 SetFilePointer
0x40802c WriteFile
0x408030 ReadFile
0x408034 CreateFileW
0x408038 DeleteFileW
0x40803c FindNextFileW
0x408040 RemoveDirectoryW
0x408044 FindFirstFileW
0x408048 FindClose
0x40804c GetModuleFileNameW
0x408050 GetCommandLineW
0x408054 GetTempPathW
0x408058 GetCurrentThreadId
0x40805c GetTickCount
0x408060 GetCurrentProcessId
0x408064 CreateDirectoryW
0x408068 GetLastError
0x40806c SetFileTime
0x408070 SetFileAttributesW
0x408074 GetExitCodeProcess
0x408078 WaitForSingleObject
0x40807c CloseHandle
0x408080 SetCurrentDirectoryW
0x408084 GetCurrentDirectoryW
EAT (Export Address Table): none
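The import table above is what the report's imphash is computed over. As an added example (not the sandbox's or pefile's own code), the block below parses the report's "DLL / 0xADDR Name" listing, sanity-checks that each DLL's IAT slots are 4 bytes apart as a 32-bit PE requires, and rebuilds the pefile-style imphash input string and MD5. The LISTING constant is a short excerpt of the table above in the order the report displays it; whether the full listing reproduces e24e2b765a0ca8ebb142df10bd69ab5c depends on that order matching the import-descriptor order in the file, which the page does not state, so treat the hash here as a method demonstration rather than a verified match.

```python
import hashlib
import re

# Excerpt of the report's IAT listing, in the order the report displays it
# (constructed subset; the full table is on the page above).
LISTING = """\
USER32.dll
0x4080f8 MessageBoxA
SHELL32.dll
0x4080f0 ShellExecuteExW
KERNEL32.dll
0x408000 CreateProcessW
0x408004 GetStartupInfoA
0x408008 GetModuleHandleA
"""

DLL_RE = re.compile(r"^\s*(\S+\.(?:dll|ocx|sys))\s*$", re.I)
ENTRY_RE = re.compile(r"^\s*0x([0-9a-f]+)\s+(\S+)\s*$", re.I)


def parse_iat_listing(text):
    """Return [(dll, [(iat_slot_va, name), ...]), ...] in listing order."""
    table, current = [], None
    for line in text.splitlines():
        m = DLL_RE.match(line)
        if m:
            current = (m.group(1), [])
            table.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current[1].append((int(m.group(1), 16), m.group(2)))
    return table


def check_slot_stride(table, stride=4):
    """A 32-bit IAT is an array of 4-byte thunks, so consecutive entries of one
    DLL must be exactly `stride` apart; anything else means the listing was
    mis-parsed or reordered."""
    for _, entries in table:
        for (a, _), (b, _) in zip(entries, entries[1:]):
            if b - a != stride:
                return False
    return True


def imphash_input(table):
    """The string pefile hashes: 'lib.func' pairs, lowercase, with .dll/.ocx/.sys
    stripped from the library name, in import-descriptor order. Imports by
    ordinal (none appear in this report) are not handled here."""
    parts = []
    for dll, entries in table:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{name.lower()}" for _, name in entries)
    return ",".join(parts)


def imphash(table):
    return hashlib.md5(imphash_input(table).encode()).hexdigest()


if __name__ == "__main__":
    t = parse_iat_listing(LISTING)
    print("stride ok:", check_slot_stride(t))
    print("imphash  :", imphash(t))
```

Because the hash is order-sensitive, two samples built from the same source with a different link order get different imphashes; when pivoting on the report's value, confirm the descriptor order with a PE parser rather than trusting a display order.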