Field | Value |
---|---|
Created | 2024.07.01 11:03 |
Machine | s1_win7_x6402 |
Filename | Hooks.jpg.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | Not found |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 60 detected (AIDetectMalware, malicious, moderate confidence, score, Zusy, Unsafe, Save, CryptoMiner, Attribute, HighConfidence, CoinMiner, Artemis, Gh0stRAT, Zegost, kogggh, ZJ9JS4CoS8B, AGEN, R03BC0DFA24, high, Detected, Blamon, MUPX, Gen@24tbus, Farfli, ZexaF, @pKfae9LWmkb, BScope, Miancha, Gencirc, I6xxh9DQ, ai score=88, susgen, Blackmoon, confidence) |
md5 | 422f3763021f8f9bfc31a9a7e4b049f9 |
sha256 | a1871f4f0149065abab263411d6afdd8ae962060db732e740e956898b62cee0b |
ssdeep | 196608:uBF+gGI892vAQENcXbc7zdgZpbHgCDoZ86F8l/SflHdINv2/sD/afUAbKs8hC3+q:uBvtlEhdwlHgCDoC6F8lYGJgspAbKs88 |
imphash | 3222c3f44785a4ac7520003a95ac4f46 |
impfuzzy | 6:omElyP1BJAEoZ/OEGDzyRMbK1/QbXqVqE:omVVABZG/Dz0QbXu/ |
Network IP location
Signature (24cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Connects to an IRC server |
watch | Installs itself for autorun at Windows startup |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a service |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
info | The executable uses a known packer |
info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (22cnts)
Suricata ids
ET DNS Query for .cc TLD
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET INFO SSH-2.0-Go version string Observed in Network Traffic
ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)
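The `ET HUNTING Suspicious EXE Download Content-Type image/jpeg` hit is the network-side view of the `Hooks.jpg.exe` lure: a PE body delivered under an image content type, with a double extension on the filename. The script below is an added example and is not part of the sandbox report or its rule set; it reproduces that hunting logic by comparing the declared Content-Type against the body's magic bytes and flagging double extensions. The HTTP responses, URL paths and filenames it runs over are constructed for the example, not captured traffic.

```python
import re

# Magic-byte table: (prefix, type the bytes actually are). Extend as needed.
MAGIC = [
    (b"MZ", "application/x-dosexec"),           # DOS/PE executable
    (b"\x7fELF", "application/x-executable"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
]
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-executable"}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}
GENERIC_TYPES = {"", "application/octet-stream"}  # a generic type is not a lie about the content


def sniff_type(body):
    """Return the MIME type implied by the first bytes of the body, or 'unknown'."""
    for prefix, mime in MAGIC:
        if body.startswith(prefix):
            return mime
    return "unknown"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def declared_filename(headers, url_path):
    """Filename the server suggests: Content-Disposition first, else the last URL path component."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return m.group(1) if m else url_path.rsplit("/", 1)[-1]


def has_double_extension(name):
    """True for names like Hooks.jpg.exe: an inner extension followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXEC_EXTENSIONS


def check_response(raw, url_path="/"):
    """Apply the 'executable served as an image' check to one response."""
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(body)
    name = declared_filename(headers, url_path)
    return {
        "declared": declared,
        "actual": actual,
        "filename": name,
        # content type lies about a recognised body type
        "mismatch": actual != "unknown" and declared not in GENERIC_TYPES and declared != actual,
        # the specific condition the ET HUNTING signature looks for
        "alert": actual in EXECUTABLE_TYPES and declared.startswith("image/"),
        "double_extension": has_double_extension(name),
    }


# Constructed sample responses for the example (not traffic from the report).
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56            # start of a DOS header
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

SAMPLES = {
    "exe_as_jpeg": (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                    b"Content-Length: 64\r\n\r\n" + PE_STUB, "/img/Hooks.jpg.exe"),
    "real_jpeg": (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + JPEG_STUB, "/img/photo.jpg"),
    "honest_exe": (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                   b'Content-Disposition: attachment; filename="setup.exe"\r\n\r\n' + PE_STUB, "/dl"),
}

if __name__ == "__main__":
    for label, (raw, path) in SAMPLES.items():
        print(label, check_response(raw, path))
```

Only the first sample trips `alert`; the third shows why the check keys on the magic bytes rather than on "is this a PE" alone, since a PE served as `application/octet-stream` with an honest filename is ordinary software distribution.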
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x1bf3350 RegOpenKeyA
COMCTL32.dll
0x1bf3358 None (nameless import, resolved by ordinal)
GDI32.dll
0x1bf3360 Escape
KERNEL32.DLL
0x1bf3368 LoadLibraryA
0x1bf336c ExitProcess
0x1bf3370 GetProcAddress
0x1bf3374 VirtualProtect
SHELL32.dll
0x1bf337c SHGetSpecialFolderPathA
USER32.dll
0x1bf3384 GetDC
WINSPOOL.DRV
0x1bf338c OpenPrinterA
EAT(Export Address Table) is none
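The IAT above is the shape a UPX-packed binary presents before unpacking: KERNEL32's LoadLibraryA, GetProcAddress, VirtualProtect and ExitProcess (what the unpacking stub needs to rebuild the real import table at run time), plus exactly one import from each DLL the original program depended on, kept so the loader still maps those DLLs. The script below is an added example, not code from the report or the sandbox: a minimal PE32 import-table parser with a check for that shape, run over a PE constructed inline to mimic the listing. The constructed file is not Hooks.jpg.exe and contains no code; the ordinal 17 used for COMCTL32's nameless import, the section sizes and all addresses are the example's own choices.

```python
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
UPX_STUB = {"LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"}


def parse_pe(data):
    """Minimal PE32 reader: returns (section names, {dll: [name or 'ordN', ...]})."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ keeps the data directory at another offset)")
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]             # DataDirectory[1]: import table RVA
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def rva2off(rva):                                                  # RVA -> file offset via the section table
        for _, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x outside all sections" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports, off = {}, rva2off(imp_rva)
    while True:                                                        # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break
        funcs, thunk = [], rva2off(ilt or iat)                         # fall back to the IAT if the ILT is empty
        entry = struct.unpack_from("<I", data, thunk)[0]
        while entry:
            funcs.append("ord%d" % (entry & 0xFFFF) if entry & 0x80000000 else cstr(rva2off(entry) + 2))
            thunk += 4
            entry = struct.unpack_from("<I", data, thunk)[0]
        imports[cstr(rva2off(name_rva))] = funcs
        off += 20
    return [s[0].rstrip(b"\0").decode("ascii", "replace") for s in sections], imports


def upx_indicators(data):
    """The shape the report's IAT shows: UPX* section names, the four-call KERNEL32 stub,
    and exactly one placeholder import for every other DLL."""
    names, imports = parse_pe(data)
    k32 = [f for d, f in imports.items() if d.upper() == "KERNEL32.DLL"]
    others = [f for d, f in imports.items() if d.upper() != "KERNEL32.DLL"]
    return {"upx_sections": [n for n in names if n.startswith("UPX")],
            "stub_imports": bool(k32) and UPX_STUB.issubset(k32[0]),
            "one_import_per_dll": bool(others) and all(len(f) == 1 for f in others)}


def build_import_blob(base_rva, imports):
    """Sample construction only: descriptors, DLL names, hint/name entries and ILT/IAT thunks."""
    blob, descs = bytearray(20 * (len(imports) + 1)), []               # descriptor array + null terminator
    for dll, funcs in imports:
        name_rva, entries = base_rva + len(blob), []
        blob += dll.encode() + b"\0"
        for f in funcs:
            if isinstance(f, int):                                     # import by ordinal: high bit set
                entries.append(0x80000000 | f)
                continue
            blob += b"\0" * (len(blob) % 2)                            # hint/name entries are word-aligned
            entries.append(base_rva + len(blob))
            blob += b"\0\0" + f.encode() + b"\0"
        blob += b"\0" * (-len(blob) % 4)
        thunks = struct.pack("<%dI" % (len(entries) + 1), *entries, 0)
        ilt_rva, iat_rva = base_rva + len(blob), base_rva + len(blob) + len(thunks)
        blob += thunks + thunks
        descs.append((ilt_rva, 0, 0, name_rva, iat_rva))
    for i, d in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, *d)
    return bytes(blob)


def build_sample_pe(sections, import_rva, import_size):
    """Sample construction only: a PE32 from (name, virtual_size, raw_bytes) sections, VAs from 0x1000."""
    raw_ptr = -(-(0x138 + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN   # SizeOfHeaders, file-aligned
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)     # ImageBase, alignments
    struct.pack_into("<I", opt, 60, raw_ptr)
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, import_rva, import_size)              # DataDirectory[1]
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                 # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102) + opt
    body, va = b"", 0x1000
    for name, vsize, raw in sections:
        raw_size = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw_size,
                           raw_ptr + len(body) if raw_size else 0, 0, 0, 0, 0, 0xE0000060)
        body += raw.ljust(raw_size, b"\0")
        va += -(-vsize // SECT_ALIGN) * SECT_ALIGN
    return bytes(hdr.ljust(raw_ptr, b"\0") + body)


def make_upx_like_sample():
    """Constructed PE32 reproducing the report's IAT shape; not Hooks.jpg.exe, and it holds no code."""
    imports = [("ADVAPI32.dll", ["RegOpenKeyA"]),
               ("COMCTL32.dll", [17]),          # the nameless 'None' entry as an ordinal import; 17 is arbitrary
               ("KERNEL32.DLL", ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"]),
               ("SHELL32.dll", ["SHGetSpecialFolderPathA"])]
    upx1_va = 0x1000 + 0x10000                  # UPX0: 0x10000 bytes of virtual space with no raw data
    blob = build_import_blob(upx1_va, imports)
    return build_sample_pe([("UPX0", 0x10000, b""), ("UPX1", len(blob), blob), (".rsrc", 0x200, b"\0" * 0x200)],
                           upx1_va, 20 * (len(imports) + 1))


if __name__ == "__main__":
    print(upx_indicators(make_upx_like_sample()))
```

On a real file, call `parse_pe(open(path, "rb").read())`. The imphash in the report is computed over exactly this pre-unpack import list (pefile hashes the lower-cased `dll.func` pairs), so a shared imphash between UPX-packed samples normally identifies the packer stub rather than shared malware code; the unpacked binary is what needs to be hashed and compared.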