ScreenShot
| Created | 2024.01.10 09:31 | Machine | s1_win7_x6402 |
| Filename | mm.txt.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 58 detected (AIDetectMalware, KillMBR, Farfli, DeepScan, GenericRI, S26298297, GenericRXNT, Save, malicious, confidence, 100%, Genus, Attribute, HighConfidence, high confidence, Kryptik, HOBH, jozzvh, BackdoorX, Shellex, CLASSIC, ZPACK, R002C0DA924, NSAnti, hjgut, Detected, Eldorado, score, R356012, BScope, unsafe, Genetic, Gencirc, GenAsa, aUeFk+Sxvek, Static AI, Malicious PE, susgen, GenKryptik, DJUZ) | ||
| md5 | af0577837683f80c555a27e9af137a55 | ||
| sha256 | 40e261e7bffce05b06dc3d6feaa430d310ec8bde473e1136255965b8aa28f925 | ||
| ssdeep | 12288:zcWl26g/UBlRn5DzZ3TTP+5WkOVHK/H7sx117ksgSh20RUTMkzVSleJHcT/rBMSD:gWgHN8kSszVSlMHcTDBMGr9chBMGk | ||
| imphash | de6942886ea1706308de6a5dc748b51c | ||
| impfuzzy | 24:f0aMDoocOMiOovVfcP7JHd3iv8ERRvNuCJy9s:X+cOM14fcPr3WJJyW | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | The executable uses a known packer |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x401000 HeapFree
0x401004 GetProcessHeap
0x401008 HeapAlloc
0x40100c HeapReAlloc
0x401010 VirtualFree
0x401014 FreeLibrary
0x401018 VirtualAlloc
0x40101c VirtualProtect
0x401020 GetProcAddress
0x401024 LoadLibraryA
0x401028 IsBadReadPtr
0x40102c ExitProcess
0x401030 RtlUnwind
0x401034 RaiseException
0x401038 GetModuleHandleA
0x40103c GetStartupInfoA
0x401040 GetCommandLineA
0x401044 GetVersion
0x401048 InitializeCriticalSection
0x40104c EnterCriticalSection
0x401050 LeaveCriticalSection
0x401054 GetCurrentThreadId
0x401058 TlsSetValue
0x40105c TlsAlloc
0x401060 SetLastError
0x401064 TlsGetValue
0x401068 GetLastError
0x40106c SetUnhandledExceptionFilter
0x401070 TerminateProcess
0x401074 GetCurrentProcess
0x401078 UnhandledExceptionFilter
0x40107c GetModuleFileNameA
0x401080 FreeEnvironmentStringsA
0x401084 FreeEnvironmentStringsW
0x401088 WideCharToMultiByte
0x40108c GetEnvironmentStrings
0x401090 GetEnvironmentStringsW
0x401094 SetHandleCount
0x401098 GetStdHandle
0x40109c GetFileType
0x4010a0 GetEnvironmentVariableA
0x4010a4 GetVersionExA
0x4010a8 HeapDestroy
0x4010ac HeapCreate
0x4010b0 WriteFile
0x4010b4 IsBadWritePtr
0x4010b8 IsBadCodePtr
0x4010bc GetCPInfo
0x4010c0 GetACP
0x4010c4 GetOEMCP
0x4010c8 MultiByteToWideChar
0x4010cc LCMapStringA
0x4010d0 LCMapStringW
0x4010d4 GetStringTypeA
0x4010d8 GetStringTypeW
0x4010dc InterlockedDecrement
0x4010e0 InterlockedIncrement
EAT(Export Address Table) is none
KERNEL32.dll
0x401000 HeapFree
0x401004 GetProcessHeap
0x401008 HeapAlloc
0x40100c HeapReAlloc
0x401010 VirtualFree
0x401014 FreeLibrary
0x401018 VirtualAlloc
0x40101c VirtualProtect
0x401020 GetProcAddress
0x401024 LoadLibraryA
0x401028 IsBadReadPtr
0x40102c ExitProcess
0x401030 RtlUnwind
0x401034 RaiseException
0x401038 GetModuleHandleA
0x40103c GetStartupInfoA
0x401040 GetCommandLineA
0x401044 GetVersion
0x401048 InitializeCriticalSection
0x40104c EnterCriticalSection
0x401050 LeaveCriticalSection
0x401054 GetCurrentThreadId
0x401058 TlsSetValue
0x40105c TlsAlloc
0x401060 SetLastError
0x401064 TlsGetValue
0x401068 GetLastError
0x40106c SetUnhandledExceptionFilter
0x401070 TerminateProcess
0x401074 GetCurrentProcess
0x401078 UnhandledExceptionFilter
0x40107c GetModuleFileNameA
0x401080 FreeEnvironmentStringsA
0x401084 FreeEnvironmentStringsW
0x401088 WideCharToMultiByte
0x40108c GetEnvironmentStrings
0x401090 GetEnvironmentStringsW
0x401094 SetHandleCount
0x401098 GetStdHandle
0x40109c GetFileType
0x4010a0 GetEnvironmentVariableA
0x4010a4 GetVersionExA
0x4010a8 HeapDestroy
0x4010ac HeapCreate
0x4010b0 WriteFile
0x4010b4 IsBadWritePtr
0x4010b8 IsBadCodePtr
0x4010bc GetCPInfo
0x4010c0 GetACP
0x4010c4 GetOEMCP
0x4010c8 MultiByteToWideChar
0x4010cc LCMapStringA
0x4010d0 LCMapStringW
0x4010d4 GetStringTypeA
0x4010d8 GetStringTypeW
0x4010dc InterlockedDecrement
0x4010e0 InterlockedIncrement
EAT(Export Address Table) is none