ScreenShot
| Created | 2024.06.29 15:14 | Machine | s1_win7_x6401 |
| Filename | Apep_7.3.5.26365.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 50 detected (AIDetectMalware, EnigmaProtector, Jaik, Unsafe, Vb5f, malicious, Attribute, HighConfidence, high confidence, M suspicious, Packed2, ZexaF, Vz0@aWmOjGk, Real Protect, high, score, Enigma, Detected, HeurC, KVMH008, Casdet, R564581, Artemis, Wacatac, Probably Heur, ExeHeaderL, R002H09FE24, +jIUVOLra90, ai score=87, susgen, confidence, 100%) | ||
| md5 | 7034f0621dd09fcaced30a72a608d48d | ||
| sha256 | 30cca8eff9a77d856b6ed35c404871f8e1021eb8751ecf738669317297b31864 | ||
| ssdeep | 49152:pI2pz5FicjIOcjC3nJn521DK0Cw12lZ8o:i2h5F18OwGN812Z | ||
| imphash | 2e5467cba76f44a088d39f78c5e807b6 | ||
| impfuzzy | 6:nERGDvZ/OiBJAEcXQwDLzRgSdn8BbMqtYbdxBMf:EcDvZGqA9AwDXRgKQcxBMf | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| watch | Checks for the presence of known devices from debuggers and forensic tools |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Detects VMWare through the in instruction feature |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Expresses interest in specific running processes |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | EnigmaProtector_IN | EnigmaProtector | binaries (upload) |
| info | Is_DotNET_EXE | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x7970d4 GetModuleHandleA
0x7970d8 GetProcAddress
0x7970dc ExitProcess
0x7970e0 LoadLibraryA
user32.dll
0x7970e8 MessageBoxA
advapi32.dll
0x7970f0 RegCloseKey
oleaut32.dll
0x7970f8 SysFreeString
gdi32.dll
0x797100 CreateFontA
shell32.dll
0x797108 ShellExecuteA
version.dll
0x797110 GetFileVersionInfoA
mscoree.dll
0x797118 _CorExeMain
EAT(Export Address Table) is none
kernel32.dll
0x7970d4 GetModuleHandleA
0x7970d8 GetProcAddress
0x7970dc ExitProcess
0x7970e0 LoadLibraryA
user32.dll
0x7970e8 MessageBoxA
advapi32.dll
0x7970f0 RegCloseKey
oleaut32.dll
0x7970f8 SysFreeString
gdi32.dll
0x797100 CreateFontA
shell32.dll
0x797108 ShellExecuteA
version.dll
0x797110 GetFileVersionInfoA
mscoree.dll
0x797118 _CorExeMain
EAT(Export Address Table) is none