Field | Value
---|---
Created | 2024.07.01 09:23
Machine | s1_win7_x6401
Filename | wmi.jpg.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score | 
Behavior Score | 
ZERO API | file : malware
VT API (file) | 60 detected (AIDetectMalware, Farfli, malicious, moderate confidence, Mint, Zard, Aksula, Artemis, Unsafe, Save, Attribute, HighConfidence, score, Zegost, CLOUD, Siggen28, R002C0DFL24, Real Protect, moderate, Behav, hoagb, Detected, c@4m3x9i, KillAV, Eldorado, R582744, BScope, TrojanDDoS, Macri, Gencirc, GenAsa, RYgRsdEvgeU, ai score=88, confidence, 100%, Parite)
md5 | 3d3aedfaeaf39544ff74fe6fe4541fc2
sha256 | d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
ssdeep | 768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G
imphash | 9aebf3da4677af9275c461261e5abde3
impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRGUq:dBJAEoZ/OEGDzyRs
Signatures (21 entries)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Communicates with host for which no DNS query was performed |
watch | Connects to an IRC server |
watch | Installs itself for autorun at Windows startup |
watch | Operates on local firewall's policies and settings |
notice | A process created a hidden window |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Connects to a Dynamic DNS Domain |
notice | Creates a service |
notice | Creates executable files on the filesystem |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Command line console output was observed |
Rules (4 entries)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (38 entries)
Suricata IDs
ET INFO Packed Executable Download
ET DNS Query for .cc TLD
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
ET MALWARE JS/WSF Downloader Dec 08 2016 M4
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET INFO DYNAMIC_DNS Query to 3322.org Domain
ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
ET INFO SSH-2.0-Go version string Observed in Network Traffic
ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection
ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)
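Two of the Suricata hits above ("ET HUNTING Suspicious EXE Download Content-Type image/jpeg" and "ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension") describe the same trick the filename wmi.jpg.exe shows: a PE delivered under an image Content-Type and a non-exe extension. The script below is an added example, not an Emerging Threats rule and not the sandbox's own code; it applies the same two checks (body magic bytes versus declared Content-Type, and a double extension) to a constructed HTTP response. The helper names and the small magic-byte table are my own assumptions, and the sample responses are constructed, not captured from this sample.

```python
# Constructed HTTP response (not captured from this sample): the server declares
# image/jpeg but the body begins with the DOS "MZ" header of a PE file.
EXE_AS_JPEG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
)

# Constructed benign response for comparison: a real JPEG starts with FF D8 FF.
REAL_JPEG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
)

# Leading bytes -> MIME type the body actually is (assumed minimal table).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-dosexec"),
]

# Extensions an attacker hides behind, followed by the extension that actually runs.
DECOY_EXTS = ("jpg", "jpeg", "png", "gif", "pdf", "doc", "txt")
EXEC_EXTS = ("exe", "scr", "com", "dll")


def sniff_body(body):
    """Return the MIME type implied by the body's magic bytes, or None if unknown."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def parse_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("ascii", "replace")
        )
    return headers, body


def declared_type(headers):
    """Content-Type without parameters such as '; charset=...'."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def exe_served_as_image(raw):
    """True when the body is a PE but the Content-Type claims an image."""
    headers, body = parse_response(raw)
    return (
        sniff_body(body) == "application/x-dosexec"
        and declared_type(headers).startswith("image/")
    )


def has_double_extension(filename):
    """wmi.jpg.exe style names: a decoy extension followed by an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXTS and parts[1] in DECOY_EXTS


def triage(raw, filename):
    """Return the findings for one download as a list of strings."""
    findings = []
    if exe_served_as_image(raw):
        headers, _ = parse_response(raw)
        findings.append(f"PE body served as {declared_type(headers)}")
    if has_double_extension(filename):
        findings.append(f"double extension: {filename}")
    return findings


if __name__ == "__main__":
    print(triage(EXE_AS_JPEG, "wmi.jpg.exe"))
    print(triage(REAL_JPEG, "photo.jpg"))
```

The magic-byte check is the one that matters: the Content-Type header and the URL extension are both attacker-controlled, while the first two bytes of the body are not, so a proxy or EDR that only trusts the declared type will let this download through.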
PE API
IAT (Import Address Table) libraries
KERNEL32.DLL
0x41f494 LoadLibraryA
0x41f498 ExitProcess
0x41f49c GetProcAddress
0x41f4a0 VirtualProtect
MSVCRT.dll
0x41f4a8 exit
EAT (Export Address Table): none
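The five imports listed above are the minimal set a UPX unpacking stub needs: LoadLibraryA and GetProcAddress to resolve the payload's real imports after decompression, VirtualProtect to make the unpacked sections executable (the "read-write to read-execute" signature above), and ExitProcess/exit. As an added example, not code from this report or the sandbox, the script below rebuilds the string that pefile's PE.get_imphash() hashes from the listed imports and applies an assumed packer-stub heuristic. If the computed hash equals the report's imphash line, the report's value was derived from exactly these five entries, which means it fingerprints the UPX stub rather than the payload, and pivoting on it would return unrelated UPX-packed files. The STUB_IMPORTS set and the function names are my own assumptions; ordinal-only imports, which pefile maps to names for a few system DLLs, are not handled.

```python
import hashlib

# Import table exactly as listed in this report's IAT section.
REPORT_IAT = {
    "KERNEL32.DLL": ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"],
    "MSVCRT.dll": ["exit"],
}
REPORT_IMPHASH = "9aebf3da4677af9275c461261e5abde3"  # imphash line of this report

# Functions a minimal unpacking stub keeps in the visible IAT. The payload's real
# imports are resolved with LoadLibraryA/GetProcAddress once it is decompressed.
# Assumed heuristic set, not a rule from the sandbox.
STUB_IMPORTS = {
    "loadlibrarya", "getprocaddress", "virtualprotect", "virtualalloc",
    "virtualfree", "exitprocess", "exit",
}


def imphash_input(iat):
    """Canonical string that pefile's PE.get_imphash() hashes: one 'lib.func' per
    import, lower-cased, with the DLL extension dropped when it is .dll/.ocx/.sys,
    comma-joined in import-directory order."""
    parts = []
    for dll, funcs in iat.items():  # dict preserves insertion (table) order
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(iat):
    """MD5 of the canonical import string, i.e. the imphash."""
    return hashlib.md5(imphash_input(iat).encode("ascii")).hexdigest()


def looks_like_packer_stub(iat, max_imports=8):
    """True when the IAT is tiny and contains only loader/memory primitives,
    which is what a packed binary shows before it unpacks itself."""
    names = [func.lower() for funcs in iat.values() for func in funcs]
    return 0 < len(names) <= max_imports and set(names) <= STUB_IMPORTS


def matches_report(iat):
    """Does the hash computed from the listed imports equal the report's imphash?"""
    return imphash(iat) == REPORT_IMPHASH


if __name__ == "__main__":
    print("imphash input :", imphash_input(REPORT_IAT))
    print("imphash       :", imphash(REPORT_IAT),
          "(matches report)" if matches_report(REPORT_IAT) else "(differs from report)")
    print("packer stub   :", looks_like_packer_stub(REPORT_IAT))
```

For clustering or VirusTotal pivots, compute the imphash on the unpacked image (for UPX, `upx -d` on a copy, or a memory dump taken after the stub finishes) rather than on this file; the packed-file imphash only tells you which packer was used.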