Field | Value |
---|---|
Created | 2023.12.15 18:18 |
Machine | s1_win7_x6401 |
Filename | DNS1.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 59 detected (AIDetectMalware, Zegost, Mauvaise, Save, malicious, confidence, 100%, moderate confidence, hgxz, dygxrv, Aujl, SM14, high, score, Static AI, Malicious PE, ai score=81, batqb, Detected, Eldorado, BigBadWolf, Farfli, Redosdru, FG@6j5x7c, R147282, GenericRXAA, unsafe, Lebag, CLOUD, GenAsa, D02KaQdmbtM, susgen) |
md5 | 6a23b6e2536f7027a8506c87245eea5d |
sha256 | 7d044f688c9c50f08f18bcda8ac384edc065d498b6ef1b1ff84c413da3bba75e |
ssdeep | 192:y+8o9QKLn4omNPhjg8BPP5rsls4I1E6SnYe+PjPQu7qrPyIAm+vy6QEr9ZCspE+z:hFLshjg8BPhgTq5SnYPLQjyIANweM |
imphash | ec35fdc32140e96ba0e398fab5903c80 |
impfuzzy | 3:swBJAEPwS9KTXzhAXwEQaxRAAbsEBJJ67EGV21MO/MMASyhnfXL4LARLMabd:dBJAEHGDzyRlbRmVOZ/M5Syhf946d |
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Installs itself for autorun at Windows startup |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a service |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (8cnts)
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 16
ET DNS Query to a *.top domain - Likely Hostile
ET INFO TLS Handshake Failure
ET HUNTING Rejetto HTTP File Sever Response
PE API
IAT (Import Address Table)
Library | Address | Function |
---|---|---|
KERNEL32.DLL | 0x407064 | LoadLibraryA |
KERNEL32.DLL | 0x407068 | GetProcAddress |
KERNEL32.DLL | 0x40706c | VirtualProtect |
KERNEL32.DLL | 0x407070 | VirtualAlloc |
KERNEL32.DLL | 0x407074 | VirtualFree |
KERNEL32.DLL | 0x407078 | ExitProcess |
imagehlp.dll | 0x407080 | MakeSureDirectoryPathExists |
MSVCRT.dll | 0x407088 | exit |
WININET.dll | 0x407090 | InternetOpenA |
EAT (Export Address Table): none