ScreenShot
Field | Value |
---|---|
Created | 2024.05.30 09:55 |
Machine | s1_win7_x6401 |
Filename | payload.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 69 detected (AIDetectMalware, Androm, malicious, high confidence, score, MauvaiseRI, S5242859, Doina, unsafe, Save, GenericKD, Kasidet, Patcher, BotX, Gamarue, lctq, None, ccmw, Andromeda, RINyg41Xs7G, Ambler, bdftd, Real Protect, high, Randrew, Detected, ai score=100, B@7a247q, Scar, Eldorado, R299528, BScope, Blocker, Genetic, Gencirc, GenAsa, EMBvfAA7DVw, Static AI, Malicious PE, susgen, GenKryptik, DVPS, confidence, 100%) |
md5 | 66ada4e5abd79c602f951401c96d42d9 |
sha256 | 7aa4a1adbc52fef01eec5dd0f3024a5cca2238b7e38fc8c00cf5bd954abcc919 |
ssdeep | 3072:+TncjPcvClNcy5jUg8ov5ZsxTFEDk2b97:i8gCV5ySkEDk2B7 |
imphash | 934381a85d55af4033da1a769f2cce1d |
impfuzzy | 6:5vRKvROGy0PEPT2U8VKv5ASb0D4sIWM5GGXHGXnU6nuVRGTEGXVRoGXH5vBGUH0:d4Q1db6I5LwCXGXHX4GQGX5vB6 |
Signature (32cnts)
Level | Description |
---|---|
danger | File has been identified by 69 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to modify Explorer settings to prevent hidden files from being displayed |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Installs itself for autorun at Windows startup |
watch | Operates on local firewall's policies and settings |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable uses a known packer |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (7cnts)
Suricata ids
ET INFO Observed DNS Query to .biz TLD
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x407000 GetCurrentDirectoryW
0x407004 SetCurrentDirectoryW
0x407008 GetShortPathNameW
0x40700c GetStartupInfoA
0x407010 GetModuleHandleA
0x407014 GetSystemDirectoryW
SHLWAPI.dll
0x407058 PathAppendW
MSVCRT.dll
0x40701c _exit
0x407020 _XcptFilter
0x407024 exit
0x407028 _acmdln
0x40702c __getmainargs
0x407030 _initterm
0x407034 __setusermatherr
0x407038 _adjust_fdiv
0x40703c __p__commode
0x407040 __p__fmode
0x407044 __set_app_type
0x407048 _except_handler3
0x40704c _controlfp
0x407050 memset
EAT (Export Address Table) is none