ScreenShot
| Created | 2024.06.14 07:41 | Machine | s1_win7_x6401 |
| Filename | setup%E4%B8%8B%E8%BD%BD%E5%90%8D%E5%8D%95%E7%9B%AE%E5%BD%956001.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 13f784b718e0d45057b628f504a11235 | ||
| sha256 | 2b1b2e2b385c22f12d16b626f6ceeb713eff7f152c6225ee9bc49d8609a6c7d9 | ||
| ssdeep | 1536:v8OJN+kiHVKeBEOAe9zRozT9CmGMlwLl0x8w8qW0KMhXO+kKDZdpXmdAdklV/Mgs:vZJN+FDXAPR7ILl0+50u+kKVzdCf/zx+ | ||
| imphash | c2fbebbc44da23210dba36e6c886aace | ||
| impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRegRWDhn:dBJAEoZ/OEGDzyRzwDh | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x140043ad4 LoadLibraryA
0x140043adc ExitProcess
0x140043ae4 GetProcAddress
0x140043aec VirtualProtect
USER32.dll
0x140043afc MessageBoxW
EAT(Export Address Table) is none
KERNEL32.DLL
0x140043ad4 LoadLibraryA
0x140043adc ExitProcess
0x140043ae4 GetProcAddress
0x140043aec VirtualProtect
USER32.dll
0x140043afc MessageBoxW
EAT(Export Address Table) is none