ScreenShot
Created | 2024.06.15 08:13 | Machine | s1_win7_x6403_us |
Filename | Dispatch of the APC HMLTV technical team.jpg.lnk | ||
Type | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=67, Archive, ctime=Sat Dec 7 00:09:39 2019, mtime=Thu Jun 6 00:34:16 2024 | ||
AI Score | Not founds | Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | |||
md5 | 73a0170ea882989f6ffc3b4726a3ee56 | ||
sha256 | 960d08384896ca7a160371f7e19b15d804f225d242cade03f55f387cf69e7f15 | ||
ssdeep | 24:8l4BbC6MN4Rn8Ae+AIYf+/+P+kUTibI0ava8CaL4I0kXQaR3+szmCGO+/Mm:8SB0S1NAIYBPj7IBaja0InXv3cvOX | ||
imphash | |||
impfuzzy |
Network IP location
Signature (11cnts)
Level | Description |
---|---|
watch | Attempts to create or modify system certificates |
watch | Disables proxy possibly for traffic interception |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | lnk_file_format | Microsoft Windows Shortcut File Format | binaries (upload) |
info | Lnk_Format_Zero | LNK Format | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (6cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)