ScreenShot
| Created | 2024.06.07 09:29 | Machine | s1_win7_x6403 |
| Filename | xxun.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 62 detected (AIDetectMalware, l7ah, Malicious, score, FarfliRI, S27524112, GenericKD, Unsafe, Farfli, V8fd, Kriz, Attribute, HighConfidence, high confidence, GenKryptik, DZUJ, Artemis, jnxxnz, Gh0st, CLOUD, AGEN, HLLW, Autoruner, R002C0DEQ24, Real Protect, high, Huigezi, Detected, ai score=85, NSPM, ~gen@20n73t, IRCBot, BScope, GdSda, Gencirc, GenAsa, aUeFk+Sxvek, Static AI, Malicious PE, susgen) | ||
| md5 | 3311b8c3707f75831aa443db406c71e0 | ||
| sha256 | 364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7 | ||
| ssdeep | 6144:tSPB0Gyvn8di2sPXZ/9h2r2D6LfMlh4Egky/96sggH4S9K3iwJywrq/eY762d5UO:MU8A/62WOKkU6sgK0y8YW2k0QnY3ZA | ||
| imphash | e58ab46f2a279ded0846d81bf0fa21f7 | ||
| impfuzzy | 3:swBJAEPwS9KTXzhAXwEQaxRAAbsEBJJ67EGV21MOB:dBJAEHGDzyRlbRmVOZB | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 62 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a service |
| notice | Creates a suspicious process |
| notice | Drops an executable to the user AppData folder |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x54009c LoadLibraryA
0x5400a0 GetProcAddress
0x5400a4 VirtualProtect
0x5400a8 VirtualAlloc
0x5400ac VirtualFree
0x5400b0 ExitProcess
EAT(Export Address Table) is none
KERNEL32.DLL
0x54009c LoadLibraryA
0x5400a0 GetProcAddress
0x5400a4 VirtualProtect
0x5400a8 VirtualAlloc
0x5400ac VirtualFree
0x5400b0 ExitProcess
EAT(Export Address Table) is none