Field | Value |
---|---|
Created | 2024.06.28 12:59 |
Machine | s1_win7_x6401 |
Filename | setup.exe |
Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 32 detected (AIDetectMalware, malicious, high confidence, MSILHeracles, Unsafe, Attribute, HighConfidence, FileRepMalware, Cryp, Strab, MSIL@AI, MSIL2, POHGWC00ez3467hOv+26Mw, moderate, score, MalwareCrypter, Detected, ai score=83, Wacatac, ZemsilF, jC0@aqIgTBhO, MachineLearning, Anomalous, 100%, Static AI, Suspicious PE, confidence) |
md5 | 578b99fc6beb29265631e1dffe80a719 |
sha256 | 33f01b338b4e0492a81dc68e12f177a6717910f3789f30edaf9ed946d6b8e0ff |
ssdeep | 1536:5NB0m1Hk7HcDZiOp2blQHDW86L6FIsATqAr1lGLrG60f9u6jV44P29HyaNX:50uZvpalQHDW862FIsAeA3+G6G9hpZU |
imphash | c49c1289bbcf26a8cd62a5c41f8a01db |
impfuzzy | 48:2Nnxk+0e56dahV8UKCxAzKVLEkNh+kuwg4coTpPbpZYN/2:0OJ82ahV8Eh8wg4coTpPbpZYN/2 |
Signature (17 counts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Deletes executed files from disk |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (15 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Network_DNS | Communications use DNS | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0 counts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
MSVCR90.dll
0x40309c _encode_pointer
0x4030a0 __p__fmode
0x4030a4 __p__commode
0x4030a8 _adjust_fdiv
0x4030ac __setusermatherr
0x4030b0 __FrameUnwindFilter
0x4030b4 _encoded_null
0x4030b8 scanf
0x4030bc __set_app_type
0x4030c0 _configthreadlocale
0x4030c4 _initterm_e
0x4030c8 _initterm
0x4030cc _wcmdln
0x4030d0 exit
0x4030d4 _XcptFilter
0x4030d8 _exit
0x4030dc _cexit
0x4030e0 __wgetmainargs
0x4030e4 vsprintf
0x4030e8 ?terminate@@YAXXZ
0x4030ec _unlock
0x4030f0 _amsg_exit
0x4030f4 __dllonexit
0x4030f8 _lock
0x4030fc _onexit
0x403100 _decode_pointer
0x403104 _except_handler4_common
0x403108 _invoke_watson
0x40310c _controlfp_s
0x403110 free
0x403114 _crt_debugger_hook
KERNEL32.dll
0x403024 VirtualProtect
0x403028 LocalAlloc
0x40302c SetLastError
0x403030 ReleaseSemaphore
0x403034 FileTimeToSystemTime
0x403038 LoadLibraryW
0x40303c GetSystemTimes
0x403040 CompareFileTime
0x403044 GetFileSize
0x403048 IsDebuggerPresent
0x40304c UnhandledExceptionFilter
0x403050 GetCurrentProcess
0x403054 InterlockedExchange
0x403058 Sleep
0x40305c InterlockedCompareExchange
0x403060 GetStartupInfoW
0x403064 SetUnhandledExceptionFilter
0x403068 QueryPerformanceCounter
0x40306c GetTickCount
0x403070 GetCurrentThreadId
0x403074 GetCurrentProcessId
0x403078 GetSystemTimeAsFileTime
0x40307c TerminateProcess
USER32.dll
0x403128 ShowWindow
0x40312c UpdateWindow
0x403130 CreateCaret
0x403134 SetCursor
0x403138 SetSystemCursor
0x40313c AdjustWindowRect
GDI32.dll
0x403008 CreateDIBPatternBrush
0x40300c CloseFigure
0x403010 GetPath
0x403014 SetPolyFillMode
0x403018 FillPath
0x40301c SetWinMetaFileBits
SHELL32.dll
0x40311c DragFinish
0x403120 ShellExecuteW
MSIMG32.dll
0x403084 AlphaBlend
0x403088 TransparentBlt
COMCTL32.dll
0x403000 None
WINHTTP.dll
0x403144 WinHttpOpen
0x403148 WinHttpConnect
MSVCP90.dll
0x403090 ??0?$basic_stringstream@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@H@Z
0x403094 ??_D?$basic_stringstream@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
msvcm90.dll
0x403158 ?RegisterModuleUninitializer@@@YAXP$AAVEventHandler@System@@@Z
0x40315c ?DoDllLanguageSupportValidation@@@YAXXZ
0x403160 ?ThrowModuleLoadException@@@YAXP$AAVString@System@@P$AAVException@3@@Z
0x403164 ?ThrowModuleLoadException@@@YAXP$AAVString@System@@@Z
0x403168 ?ThrowNestedModuleLoadException@@@YAXP$AAVException@System@@0@Z
0x40316c ?DoCallBackInDefaultDomain@@@YAXP6GJPAX@Z0@Z
mscoree.dll
0x403150 _CorExeMain
EAT (Export Address Table): none