ScreenShot
| Created | 2024.02.04 17:03 | Machine | s1_win7_x6403 |
| Filename | univ.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 32 detected (GCleaner, Malicious, score, Artemis, unsafe, Save, Genus, Attribute, HighConfidence, high confidence, Doina, AGEN, ICLoader, Eldorado, BScope, TrojanPSW, Tepfer, Oader, Wdkl, Static AI, Malicious PE, susgen, Genetic, confidence, 100%) | ||
| md5 | 9421bb65a9d5ace737e8ebbb04986873 | ||
| sha256 | 8d2a28f4d0d93aaf2e4dedf67b40ba16a68026a27e8b70ab1e82bf244d533682 | ||
| ssdeep | 6144:xowKY/ICXEroFNbmQMbcBt2+ieJBEuwAOCcOwc:xowKY/zXYoFNbmQMb0kuwkcJc | ||
| imphash | 485c402695cff95cd57df5b99f97c30f | ||
| impfuzzy | 48:I919hZlGCBsZ4cpVestmCXCMyn9b0CEGuloLidgmsJ:I91TZlGb4cpVestmCXCMyRulMeC | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
| notice | An executable file was downloaded by the process univ.exe |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Performs some HTTP requests |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | CAB_file_format | CAB archive file | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (3cnts) ?
Suricata ids
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE - Served Attached HTTP
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x42a024 SetLastError
0x42a028 VirtualFree
0x42a02c OutputDebugStringA
0x42a030 VirtualAlloc
0x42a034 LocalAlloc
0x42a038 GetLastError
0x42a03c LoadLibraryA
0x42a040 GetNativeSystemInfo
0x42a044 HeapAlloc
0x42a048 GetProcAddress
0x42a04c LocalFree
0x42a050 GetProcessHeap
0x42a054 FreeLibrary
0x42a058 FormatMessageA
0x42a05c IsBadReadPtr
0x42a060 Process32First
0x42a064 FindFirstFileA
0x42a068 HeapFree
0x42a06c FindClose
0x42a070 GetLocaleInfoA
0x42a074 OpenProcess
0x42a078 CreateToolhelp32Snapshot
0x42a07c Sleep
0x42a080 GetTempPathA
0x42a084 K32GetModuleFileNameExA
0x42a088 Process32Next
0x42a08c K32GetModuleBaseNameA
0x42a090 CreateThread
0x42a094 GetCurrentProcessId
0x42a098 K32EnumProcessModules
0x42a09c CreateDirectoryA
0x42a0a0 HeapSize
0x42a0a4 GetFileSizeEx
0x42a0a8 GetConsoleOutputCP
0x42a0ac FlushFileBuffers
0x42a0b0 VirtualProtect
0x42a0b4 WideCharToMultiByte
0x42a0b8 CloseHandle
0x42a0bc CreateFileA
0x42a0c0 MultiByteToWideChar
0x42a0c4 WriteFile
0x42a0c8 FindNextFileA
0x42a0cc CreateFileW
0x42a0d0 SetStdHandle
0x42a0d4 SetEnvironmentVariableW
0x42a0d8 FreeEnvironmentStringsW
0x42a0dc GetEnvironmentStringsW
0x42a0e0 GetCommandLineW
0x42a0e4 GetCommandLineA
0x42a0e8 GetOEMCP
0x42a0ec GetACP
0x42a0f0 IsValidCodePage
0x42a0f4 FindNextFileW
0x42a0f8 FindFirstFileExW
0x42a0fc HeapReAlloc
0x42a100 EnumSystemLocalesW
0x42a104 GetUserDefaultLCID
0x42a108 WriteConsoleW
0x42a10c EnterCriticalSection
0x42a110 LeaveCriticalSection
0x42a114 InitializeCriticalSectionEx
0x42a118 DeleteCriticalSection
0x42a11c EncodePointer
0x42a120 DecodePointer
0x42a124 LCMapStringEx
0x42a128 GetStringTypeW
0x42a12c GetCPInfo
0x42a130 UnhandledExceptionFilter
0x42a134 SetUnhandledExceptionFilter
0x42a138 GetCurrentProcess
0x42a13c TerminateProcess
0x42a140 IsProcessorFeaturePresent
0x42a144 InitializeCriticalSectionAndSpinCount
0x42a148 SetEvent
0x42a14c ResetEvent
0x42a150 WaitForSingleObjectEx
0x42a154 CreateEventW
0x42a158 GetModuleHandleW
0x42a15c IsDebuggerPresent
0x42a160 GetStartupInfoW
0x42a164 QueryPerformanceCounter
0x42a168 GetCurrentThreadId
0x42a16c GetSystemTimeAsFileTime
0x42a170 InitializeSListHead
0x42a174 RtlUnwind
0x42a178 RaiseException
0x42a17c TlsAlloc
0x42a180 TlsGetValue
0x42a184 TlsSetValue
0x42a188 TlsFree
0x42a18c LoadLibraryExW
0x42a190 ExitProcess
0x42a194 GetModuleHandleExW
0x42a198 GetModuleFileNameW
0x42a19c GetStdHandle
0x42a1a0 SetFilePointerEx
0x42a1a4 GetConsoleMode
0x42a1a8 GetFileType
0x42a1ac CompareStringW
0x42a1b0 LCMapStringW
0x42a1b4 GetLocaleInfoW
0x42a1b8 IsValidLocale
USER32.dll
0x42a1cc GetForegroundWindow
0x42a1d0 GetKeyboardLayoutList
0x42a1d4 GetWindowTextA
ADVAPI32.dll
0x42a000 CryptAcquireContextW
0x42a004 GetUserNameA
0x42a008 CryptDecrypt
0x42a00c CryptCreateHash
0x42a010 CryptDeriveKey
0x42a014 CryptHashData
0x42a018 CryptReleaseContext
0x42a01c CryptDestroyKey
SHELL32.dll
0x42a1c0 SHGetFolderPathA
0x42a1c4 ShellExecuteA
ole32.dll
0x42a208 CoCreateInstance
0x42a20c CoInitialize
0x42a210 CoUninitialize
WININET.dll
0x42a1dc InternetSetFilePointer
0x42a1e0 HttpQueryInfoA
0x42a1e4 HttpAddRequestHeadersA
0x42a1e8 InternetSetOptionA
0x42a1ec InternetOpenA
0x42a1f0 InternetCloseHandle
0x42a1f4 HttpSendRequestA
0x42a1f8 InternetConnectA
0x42a1fc HttpOpenRequestA
0x42a200 InternetReadFile
EAT(Export Address Table) is none
KERNEL32.dll
0x42a024 SetLastError
0x42a028 VirtualFree
0x42a02c OutputDebugStringA
0x42a030 VirtualAlloc
0x42a034 LocalAlloc
0x42a038 GetLastError
0x42a03c LoadLibraryA
0x42a040 GetNativeSystemInfo
0x42a044 HeapAlloc
0x42a048 GetProcAddress
0x42a04c LocalFree
0x42a050 GetProcessHeap
0x42a054 FreeLibrary
0x42a058 FormatMessageA
0x42a05c IsBadReadPtr
0x42a060 Process32First
0x42a064 FindFirstFileA
0x42a068 HeapFree
0x42a06c FindClose
0x42a070 GetLocaleInfoA
0x42a074 OpenProcess
0x42a078 CreateToolhelp32Snapshot
0x42a07c Sleep
0x42a080 GetTempPathA
0x42a084 K32GetModuleFileNameExA
0x42a088 Process32Next
0x42a08c K32GetModuleBaseNameA
0x42a090 CreateThread
0x42a094 GetCurrentProcessId
0x42a098 K32EnumProcessModules
0x42a09c CreateDirectoryA
0x42a0a0 HeapSize
0x42a0a4 GetFileSizeEx
0x42a0a8 GetConsoleOutputCP
0x42a0ac FlushFileBuffers
0x42a0b0 VirtualProtect
0x42a0b4 WideCharToMultiByte
0x42a0b8 CloseHandle
0x42a0bc CreateFileA
0x42a0c0 MultiByteToWideChar
0x42a0c4 WriteFile
0x42a0c8 FindNextFileA
0x42a0cc CreateFileW
0x42a0d0 SetStdHandle
0x42a0d4 SetEnvironmentVariableW
0x42a0d8 FreeEnvironmentStringsW
0x42a0dc GetEnvironmentStringsW
0x42a0e0 GetCommandLineW
0x42a0e4 GetCommandLineA
0x42a0e8 GetOEMCP
0x42a0ec GetACP
0x42a0f0 IsValidCodePage
0x42a0f4 FindNextFileW
0x42a0f8 FindFirstFileExW
0x42a0fc HeapReAlloc
0x42a100 EnumSystemLocalesW
0x42a104 GetUserDefaultLCID
0x42a108 WriteConsoleW
0x42a10c EnterCriticalSection
0x42a110 LeaveCriticalSection
0x42a114 InitializeCriticalSectionEx
0x42a118 DeleteCriticalSection
0x42a11c EncodePointer
0x42a120 DecodePointer
0x42a124 LCMapStringEx
0x42a128 GetStringTypeW
0x42a12c GetCPInfo
0x42a130 UnhandledExceptionFilter
0x42a134 SetUnhandledExceptionFilter
0x42a138 GetCurrentProcess
0x42a13c TerminateProcess
0x42a140 IsProcessorFeaturePresent
0x42a144 InitializeCriticalSectionAndSpinCount
0x42a148 SetEvent
0x42a14c ResetEvent
0x42a150 WaitForSingleObjectEx
0x42a154 CreateEventW
0x42a158 GetModuleHandleW
0x42a15c IsDebuggerPresent
0x42a160 GetStartupInfoW
0x42a164 QueryPerformanceCounter
0x42a168 GetCurrentThreadId
0x42a16c GetSystemTimeAsFileTime
0x42a170 InitializeSListHead
0x42a174 RtlUnwind
0x42a178 RaiseException
0x42a17c TlsAlloc
0x42a180 TlsGetValue
0x42a184 TlsSetValue
0x42a188 TlsFree
0x42a18c LoadLibraryExW
0x42a190 ExitProcess
0x42a194 GetModuleHandleExW
0x42a198 GetModuleFileNameW
0x42a19c GetStdHandle
0x42a1a0 SetFilePointerEx
0x42a1a4 GetConsoleMode
0x42a1a8 GetFileType
0x42a1ac CompareStringW
0x42a1b0 LCMapStringW
0x42a1b4 GetLocaleInfoW
0x42a1b8 IsValidLocale
USER32.dll
0x42a1cc GetForegroundWindow
0x42a1d0 GetKeyboardLayoutList
0x42a1d4 GetWindowTextA
ADVAPI32.dll
0x42a000 CryptAcquireContextW
0x42a004 GetUserNameA
0x42a008 CryptDecrypt
0x42a00c CryptCreateHash
0x42a010 CryptDeriveKey
0x42a014 CryptHashData
0x42a018 CryptReleaseContext
0x42a01c CryptDestroyKey
SHELL32.dll
0x42a1c0 SHGetFolderPathA
0x42a1c4 ShellExecuteA
ole32.dll
0x42a208 CoCreateInstance
0x42a20c CoInitialize
0x42a210 CoUninitialize
WININET.dll
0x42a1dc InternetSetFilePointer
0x42a1e0 HttpQueryInfoA
0x42a1e4 HttpAddRequestHeadersA
0x42a1e8 InternetSetOptionA
0x42a1ec InternetOpenA
0x42a1f0 InternetCloseHandle
0x42a1f4 HttpSendRequestA
0x42a1f8 InternetConnectA
0x42a1fc HttpOpenRequestA
0x42a200 InternetReadFile
EAT(Export Address Table) is none