Field | Value | Field | Value |
---|---|---|---|
Created | 2024.06.16 10:48 | Machine | s1_win7_x6401 |
Filename | clips.exe | | |
Type | PE32 executable (GUI) Intel 80386, for MS Windows | | |
AI Score | | Behavior Score | |
ZERO API | file : malware | | |
VT API (file) | 51 detected (AIDetectMalware, Tasker, malicious, high confidence, score, Unsafe, V7oq, ZexaF, @J1@aqgpJCii, Attribute, HighConfidence, GenCBL, bdlk, Generic@AI, RDML, 4DtpH, vi73OCqtXRwtA, jtvze, MulDrop27, R002C0DFD24, high, EncPk, Detected, STOP, Malware@#36a3ofwxiz3a1, ABRisk, HGWU, Gencirc, wDSzsRhI, ai score=85, susgen, PossibleThreat, Chgt, confidence, 100%, bbpu) | | |
md5 | 49b56d5b9af9bf4027adf9b2b89971c4 | | |
sha256 | b392d76bc73486b5a61293cb71d75d79b355682d95a7c2f7aa38716b3b241edd | | |
ssdeep | 98304:TBvd04TCsRlx5s7KFJJJbfUtY4ENEK2iFjHfMkeLmmzsdvhBu9CxP9F:TBl7TH3fGK7JythvidMmmY9S9kT | | |
imphash | 7a36c14af9179389b117b2a415173f9a | | |
impfuzzy | 6:546koiV7Q+PbK194wNbsxFwXWkDzpjtlJoZ/O4ErBJAEHGDW:mfz7QR4wxOCRVTOZGJjA/DW | | |
Signature (20cnts)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
watch | One or more non-whitelisted processes were created |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Uses Windows APIs to generate a cryptographic key |
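The watch and notice rows above describe behaviour as the sandbox observed it: a Run-key or Startup-folder autorun, powershell.exe writing an executable, and an executable dropped under the user's AppData folder. The following is an added example, not the sandbox's own signature code, showing how an analyst might turn those rows into host-telemetry rules over Sysmon-style events (event ID 11 file create, 13 registry value set). The events, user name and paths are constructed for the demonstration and do not come from this report, and the rule logic is an approximation of the signature descriptions rather than the sandbox's implementation.

```python
import ntpath
import re

# Constructed Sysmon-style events, made up here to exercise the rules below.
# They are NOT taken from the sandbox report; user name and paths are placeholders.
# id 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Users\analyst\Desktop\clips.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\analyst\AppData\Local\Temp\stage2.exe"},
    {"id": 13, "Image": r"C:\Users\analyst\Desktop\clips.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\stage2",
     "Details": r"C:\Users\analyst\AppData\Local\Temp\stage2.exe"},
    {"id": 11, "Image": r"C:\Users\analyst\Desktop\clips.exe",
     "TargetFilename": r"C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stage2.lnk"},
    {"id": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\cab_1234.tmp"},
]

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)


def _ext(path):
    # ntpath handles backslash paths on any host OS
    return ntpath.splitext(path)[1].lower()


def _basename(path):
    return ntpath.basename(path).lower()


def powershell_writes_executable(ev):
    # "The process powershell.exe wrote an executable file to disk"
    return (ev["id"] == 11
            and _basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and _ext(ev["TargetFilename"]) in EXECUTABLE_EXTS)


def autorun_run_key(ev):
    # "Installs itself for autorun at Windows startup" via HKCU/HKLM ...\Run or RunOnce
    return ev["id"] == 13 and bool(RUN_KEY_RE.search(ev["TargetObject"]))


def autorun_startup_shortcut(ev):
    # "Creates a shortcut to an executable file" placed in the Startup folder
    return (ev["id"] == 11 and _ext(ev["TargetFilename"]) == ".lnk"
            and bool(STARTUP_DIR_RE.search(ev["TargetFilename"])))


def drops_exe_to_appdata(ev):
    # "Drops an executable to the user AppData folder"
    return (ev["id"] == 11 and _ext(ev["TargetFilename"]) in EXECUTABLE_EXTS
            and bool(APPDATA_RE.search(ev["TargetFilename"])))


# (level, name, predicate); levels mirror the report's watch/notice tiers.
RULES = [
    ("watch", "powershell_writes_executable", powershell_writes_executable),
    ("watch", "autorun_run_key", autorun_run_key),
    ("watch", "autorun_startup_shortcut", autorun_startup_shortcut),
    ("notice", "drops_exe_to_appdata", drops_exe_to_appdata),
]


def evaluate(events):
    """Return (level, rule_name, event_index) for every rule that fires on each event."""
    hits = []
    for i, ev in enumerate(events):
        for level, name, pred in RULES:
            if pred(ev):
                hits.append((level, name, i))
    return hits


def highest_level(hits):
    """Worst severity among the hits, or None when nothing fired."""
    order = {"info": 0, "notice": 1, "watch": 2, "danger": 3}
    return max((h[0] for h in hits), key=order.get, default=None)


if __name__ == "__main__":
    for level, name, i in evaluate(SAMPLE_EVENTS):
        print(f"{level:7} {name:30} event#{i}")
    print("overall:", highest_level(evaluate(SAMPLE_EVENTS)))
```

The svchost.exe write of a .tmp file under C:\Windows\Temp is included as a negative case: none of the rules should fire on it. On real telemetry, the same predicates would be applied to each event as it arrives rather than to a list.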
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata IDS
PE API
IAT (Import Address Table) Library
WININET.dll
0x721000 InternetQueryDataAvailable
KERNEL32.dll
0x721008 FreeEnvironmentStringsW
USER32.dll
0x721010 OpenClipboard
SHELL32.dll
0x721018 SHGetSpecialFolderPathW
ole32.dll
0x721020 CoCreateInstance
RstrtMgr.DLL
0x721028 RmRegisterResources
ntdll.dll
0x721030 RtlUnwind
KERNEL32.dll
0x721038 GetSystemTimeAsFileTime
KERNEL32.dll
0x721040 HeapAlloc
0x721044 HeapFree
0x721048 ExitProcess
0x72104c GetModuleHandleA
0x721050 LoadLibraryA
0x721054 GetProcAddress
EAT (Export Address Table): none
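The imphash in the header is the MD5 of the import table written as comma-separated `library.function` pairs, lowercased, with the `.dll`/`.ocx`/`.sys` extension stripped, in import-directory order. The block below is an added example, not part of the report or of any sandbox code: it recomputes that value from the IAT listing above and checks the small import table for the LoadLibraryA/GetProcAddress pattern that goes with the report's packer signatures. It assumes the listing preserves import-directory order and contains no imports by ordinal; if the recomputed hash does not equal the reported one, the listing order differs from the directory order the sandbox hashed, which is a useful thing to know before pivoting on the imphash.

```python
import hashlib
import re

# IAT listing copied from the "PE API" section of the report above:
# a bare line names the DLL, an "address name" line is one import from it.
IAT_LISTING = """\
WININET.dll
0x721000 InternetQueryDataAvailable
KERNEL32.dll
0x721008 FreeEnvironmentStringsW
USER32.dll
0x721010 OpenClipboard
SHELL32.dll
0x721018 SHGetSpecialFolderPathW
ole32.dll
0x721020 CoCreateInstance
RstrtMgr.DLL
0x721028 RmRegisterResources
ntdll.dll
0x721030 RtlUnwind
KERNEL32.dll
0x721038 GetSystemTimeAsFileTime
KERNEL32.dll
0x721040 HeapAlloc
0x721044 HeapFree
0x721048 ExitProcess
0x72104c GetModuleHandleA
0x721050 LoadLibraryA
0x721054 GetProcAddress
"""

# imphash reported in the header of this page
REPORTED_IMPHASH = "7a36c14af9179389b117b2a415173f9a"

IMPORT_LINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")

# Imports that a packer's loader stub needs to resolve the real API set at
# runtime. On its own this pair is common; it is the combination with a tiny
# import table that points at packing (heuristic, assumption of this example).
PACKER_STUB_IMPORTS = {"kernel32.loadlibrarya", "kernel32.getprocaddress"}


def parse_iat_listing(text):
    """Return [(dll_name, function_name), ...] in listing order."""
    imports = []
    current_dll = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IMPORT_LINE_RE.match(line)
        if m:
            if current_dll is None:
                raise ValueError(f"import line before any DLL name: {line!r}")
            imports.append((current_dll, m.group(1)))
        else:
            current_dll = line
    return imports


def normalize_imports(imports):
    """'library.function' strings as the imphash algorithm expects them."""
    out = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        out.append(f"{lib}.{func.lower()}")
    return out


def imphash(imports):
    """MD5 over the comma-joined normalized import list (Mandiant imphash)."""
    return hashlib.md5(",".join(normalize_imports(imports)).encode()).hexdigest()


def matches_reported(imports, reported=REPORTED_IMPHASH):
    return imphash(imports) == reported.lower()


def looks_like_packer_stub(imports, max_imports=32):
    """Few imports, yet dynamic resolution APIs present: consistent with a packed binary."""
    names = set(normalize_imports(imports))
    return len(names) <= max_imports and PACKER_STUB_IMPORTS <= names


if __name__ == "__main__":
    imps = parse_iat_listing(IAT_LISTING)
    print(f"{len(imps)} imports, imphash {imphash(imps)}")
    print("matches reported imphash:", matches_reported(imps))
    print("packer stub pattern:", looks_like_packer_stub(imps))
```

The `matches_reported` result is deliberately not hard-coded here: a match confirms the listing order equals the import-directory order the sandbox hashed, and a mismatch tells you not to trust a hash derived from a rendered listing. The thirteen other imports (clipboard, Restart Manager, WinINet, shell folder lookup) are what the stub exposes; the packed payload's real imports are only visible after unpacking.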