popup

Report - clips.exe

Generic Malware Malicious Packer Antivirus PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.06.16 10:48 Machine s1_win7_x6401
Filename clips.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
1
 Behavior Score
8.0
ZERO API file : malware
VT API (file) 51 detected (AIDetectMalware, Tasker, malicious, high confidence, score, Unsafe, V7oq, ZexaF, @J1@aqgpJCii, Attribute, HighConfidence, GenCBL, bdlk, Generic@AI, RDML, 4DtpH, vi73OCqtXRwtA, jtvze, MulDrop27, R002C0DFD24, high, EncPk, Detected, STOP, Malware@#36a3ofwxiz3a1, ABRisk, HGWU, Gencirc, wDSzsRhI, ai score=85, susgen, PossibleThreat, Chgt, confidence, 100%, bbpu)
md5 49b56d5b9af9bf4027adf9b2b89971c4
sha256 b392d76bc73486b5a61293cb71d75d79b355682d95a7c2f7aa38716b3b241edd
ssdeep 98304:TBvd04TCsRlx5s7KFJJJbfUtY4ENEK2iFjHfMkeLmmzsdvhBu9CxP9F:TBl7TH3fGK7JythvidMmmY9S9kT
imphash 7a36c14af9179389b117b2a415173f9a
impfuzzy 6:546koiV7Q+PbK194wNbsxFwXWkDzpjtlJoZ/O4ErBJAEHGDW:mfz7QR4wxOCRVTOZGJjA/DW
  Network IP location

Signature (20cnts)

Level Description
danger File has been identified by 51 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
watch One or more non-whitelisted processes were created
watch The process powershell.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info Uses Windows APIs to generate a cryptographic key

Rules (8cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

WININET.dll
 0x721000 InternetQueryDataAvailable
KERNEL32.dll
 0x721008 FreeEnvironmentStringsW
USER32.dll
 0x721010 OpenClipboard
SHELL32.dll
 0x721018 SHGetSpecialFolderPathW
ole32.dll
 0x721020 CoCreateInstance
RstrtMgr.DLL
 0x721028 RmRegisterResources
ntdll.dll
 0x721030 RtlUnwind
KERNEL32.dll
 0x721038 GetSystemTimeAsFileTime
KERNEL32.dll
 0x721040 HeapAlloc
 0x721044 HeapFree
 0x721048 ExitProcess
 0x72104c GetModuleHandleA
 0x721050 LoadLibraryA
 0x721054 GetProcAddress

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure