Field | Value |
---|---|
Created | 2024.05.12 02:42 |
Machine | s1_win7_x6403 |
Filename | Video.scr |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : mailcious |
VT API (file) | 48 detected (AIDetectMalware, Crypren, tpW3, Python, unsafe, Miner, Attribute, HighConfidence, malicious, high confidence, Mozi, score, Crytes, hjtpjc, PhotoMiner, CLASSIC, Infected, WebPage, Gen2, Tool, BtcMine, ZexaF, 0nKfaybz@roi, CoinMiner, Bitcoinworm, ai score=100, HeurC, KVM007, Bflient, ~AD2@3d18gh, 113J9WD, Detected, R342010, Phonzy, Bkjl, Static AI, Suspicious PE, BitMiner) |
md5 | 5616a3471565d34d779b5b3d0520bb70 |
sha256 | 9194b57673209c8534888f61b0cdefa34f463ae50cd78f72ab2b3348220baaf9 |
ssdeep | 98304:RLbSThOfTCiFBXmfFs+JhEpCVoR8oMEOJ6Ty3RvX+UGD823FUuzmH:tBfTCiUs0VSLOJgyBGUA8Ch8 |
imphash | 91ae93ed3ff0d6f8a4f22d2edd30a58e |
impfuzzy | 24:Skgwt3aDaODu9Wu9T/2bjar9UltMS1hbJnc+pl3rOovbKlvUIoUTlONoEqMo6iMJ:VgSokR9+tMS1hlc+ppaRNUIpONfiQx |
Network IP location
Signature (19cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Communicates with host for which no DNS query was performed |
watch | Connects to an IRC server |
watch | Enumerates services |
watch | Installs itself for autorun at Windows startup |
watch | Looks for the Windows Idle Time to determine the uptime |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol |
notice | Creates a service |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (113cnts)
Suricata ids
ET P2P BitTorrent DHT ping request
ET MALWARE Mozi Botnet DHT Config Sent
ET P2P BitTorrent DHT nodes reply
SURICATA Applayer Detect protocol only one direction
SURICATA HTTP missing Host header
ET MALWARE Mozi Botnet DHT Config Sent
ET P2P BitTorrent DHT nodes reply
SURICATA Applayer Detect protocol only one direction
SURICATA HTTP missing Host header
PE API
IAT (Import Address Table) Library
USER32.dll
0x420178 MessageBoxW
0x42017c MessageBoxA
KERNEL32.dll
0x420000 SystemTimeToTzSpecificLocalTime
0x420004 DecodePointer
0x420008 GetLastError
0x42000c SetDllDirectoryW
0x420010 GetModuleFileNameW
0x420014 GetProcAddress
0x420018 GetCommandLineW
0x42001c GetEnvironmentVariableW
0x420020 SetEnvironmentVariableW
0x420024 ExpandEnvironmentStringsW
0x420028 GetTempPathW
0x42002c WaitForSingleObject
0x420030 Sleep
0x420034 GetExitCodeProcess
0x420038 CreateProcessW
0x42003c GetStartupInfoW
0x420040 LoadLibraryExW
0x420044 GetShortPathNameW
0x420048 FormatMessageW
0x42004c LoadLibraryA
0x420050 MultiByteToWideChar
0x420054 WideCharToMultiByte
0x420058 SetEndOfFile
0x42005c HeapReAlloc
0x420060 UnhandledExceptionFilter
0x420064 SetUnhandledExceptionFilter
0x420068 GetCurrentProcess
0x42006c TerminateProcess
0x420070 IsProcessorFeaturePresent
0x420074 QueryPerformanceCounter
0x420078 GetCurrentProcessId
0x42007c GetCurrentThreadId
0x420080 GetSystemTimeAsFileTime
0x420084 InitializeSListHead
0x420088 IsDebuggerPresent
0x42008c GetModuleHandleW
0x420090 RtlUnwind
0x420094 SetLastError
0x420098 EnterCriticalSection
0x42009c LeaveCriticalSection
0x4200a0 DeleteCriticalSection
0x4200a4 InitializeCriticalSectionAndSpinCount
0x4200a8 TlsAlloc
0x4200ac TlsGetValue
0x4200b0 TlsSetValue
0x4200b4 TlsFree
0x4200b8 FreeLibrary
0x4200bc GetCommandLineA
0x4200c0 ReadFile
0x4200c4 CreateFileW
0x4200c8 GetDriveTypeW
0x4200cc GetFileType
0x4200d0 CloseHandle
0x4200d4 PeekNamedPipe
0x4200d8 RaiseException
0x4200dc FileTimeToSystemTime
0x4200e0 GetFullPathNameW
0x4200e4 GetFullPathNameA
0x4200e8 CreateDirectoryW
0x4200ec RemoveDirectoryW
0x4200f0 FindClose
0x4200f4 FindFirstFileExW
0x4200f8 FindNextFileW
0x4200fc SetStdHandle
0x420100 SetConsoleCtrlHandler
0x420104 DeleteFileW
0x420108 GetStdHandle
0x42010c WriteFile
0x420110 ExitProcess
0x420114 GetModuleHandleExW
0x420118 GetACP
0x42011c HeapFree
0x420120 HeapAlloc
0x420124 GetConsoleMode
0x420128 ReadConsoleW
0x42012c SetFilePointerEx
0x420130 GetConsoleCP
0x420134 CompareStringW
0x420138 LCMapStringW
0x42013c GetCurrentDirectoryW
0x420140 FlushFileBuffers
0x420144 SetEnvironmentVariableA
0x420148 GetFileAttributesExW
0x42014c IsValidCodePage
0x420150 GetOEMCP
0x420154 GetCPInfo
0x420158 GetEnvironmentStringsW
0x42015c FreeEnvironmentStringsW
0x420160 GetStringTypeW
0x420164 GetProcessHeap
0x420168 WriteConsoleW
0x42016c GetTimeZoneInformation
0x420170 HeapSize
WS2_32.dll
0x420184 ntohl
EAT (Export Address Table): none