Field | Value |
---|---|
Created | 2024.03.26 07:23 |
Machine | s1_win7_x6403 |
Filename | wr.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
ZERO API | file : clean |
VT API (file) | 48 detected (AIDetectMalware, XMRigMiner, malicious, moderate confidence, score, Artemis, GenericKD, unsafe, Save, Genus, a variant of Generik, NKSOCFN, FileRepMalware, Miner, RiskTool, WinGo, Hacktool, CLOUD, BtcMine, Generic Reputation PUA, Shellcoderunner, Detected, ai score=89, Wacatac, Sabsik, ABMiner, VUKG, R002H09CL24, FalseSign, Jflw, Static AI, Malicious PE, susgen, PossibleThreat, confidence, 100%) |
md5 | e2a072228078e6f3cf5073f4af029913 |
sha256 | a742c71ce1ae3316e82d2b8c788b9c6ffd723d8d6da4f94ba5639b84070bb639 |
ssdeep | 98304:DdTDuHIp8vWucCSSR94RD2rwCL2ZtIjcQyWYkgiDyYNWGtlNRtkG2wpOx1DkkSgB:dDbTJGi2rAZUghYPtXR6GhI9R0n0 |
imphash | 6ed4f5f04d62b18d96b26d6db7c18840 |
impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn |
Signature (20cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to create or modify system certificates |
watch | Attempts to identify installed AV products by installation directory |
watch | Created a service where a service was also not started |
watch | Detects the presence of Wine emulator |
watch | Detects Virtual Machines through their custom firmware |
watch | Drops a binary and executes it |
watch | Looks for the Windows Idle Time to determine the uptime |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | One or more potentially interesting buffers were extracted |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid) |
info | Queries for the computername |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0xbeb028 LoadLibraryA
0xbeb030 ExitProcess
0xbeb038 GetProcAddress
0xbeb040 VirtualProtect
EAT(Export Address Table) is none