Field | Value |
---|---|
Created | 2024.06.14 09:43 |
Machine | s1_win7_x6401 |
Filename | setup%E4%B8%8B%E8%BD%BD%E5%90%8D%E5%8D%95%E7%9B%AE%E5%BD%956001.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 50 detected (AIDetectMalware, Convagent, malicious, moderate confidence, score, Artemis, Tedy, Unsafe, Save, Attribute, HighConfidence, CLOUD, bmmfl, R002C0XES24, moderate, Detected, Phonzy, Casdet, ABRisk, HKMG, Chgt, Oader, ai score=83, PossibleThreat, PALLAS, confidence) |
md5 | 7ff7c6f0c4233bc3c77cdb833764af21 |
sha256 | 2230f123368eccb392a097b49de5787b01b9045da5f7f39790004f4714f6895a |
ssdeep | 24576:7rR64OP+8f3Xi81y598h4aUR2ioM0wD+Ec0xMkN8JsU3Aoh9lsGAFA:3RFOP+Z81yvqY2io/wO9ljAFA |
imphash | 6c29ae5aa6b6070da1952d552421e5b9 |
impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRGU653EWR:dBJAEoZ/OEGDzyRe3EWR |
Network IP location
Signatures (7)
Level | Description |
---|---|
danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) |
watch | Communicates with host for which no DNS query was performed |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Checks amount of memory in system |
info | One or more processes crashed |
Rules (4)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API

IAT (Import Address Table)

KERNEL32.DLL
- 0x526a38 LoadLibraryA
- 0x526a40 ExitProcess
- 0x526a48 GetProcAddress
- 0x526a50 VirtualProtect

msvcrt.dll
- 0x526a60 exit

WINHTTP.dll
- 0x526a70 WinHttpOpen

EAT (Export Address Table): none