ScreenShot
| Created | 2024.07.07 18:48 | Machine | s1_win7_x6402 |
| Filename | qwerty.ps1 | ||
| Type | ASCII text, with very long lines | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 29 detected (PowerShell, GenericKD, Malscript, PwrSh, Malicious, score, CLASSIC, DownLoader34, Detected, ZgRAT, S@8b3nm6, Znyonm, DropExe, Camelot, Gajl, ai score=82) | ||
| md5 | b099d0ec774fccc05b662d86eaba027a | ||
| sha256 | 82f7781ebf1aa649a3697ed570fc11ba0a35b810782c953c145850f314c07e21 | ||
| ssdeep | 1536:dgN5UDzCIS4llJ0k2+X6FHkFYx+Sj7ys+6restOmipCmjfXoHLlnUo9RSgqHvjCI:I5U0IFYO9+en/o6Btp | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | A potential heapspray has been detected. 261 megabytes was sprayed onto the heap of the powershell.exe process |
| warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
| watch | Drops a binary and executes it |
| watch | One or more non-whitelisted processes were created |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | The process powershell.exe wrote an executable file to disk |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process eqih.exe |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates executable files on the filesystem |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | One or more processes crashed |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | hide_executable_file | Hide executable file | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | SEH__vba | (no description) | memory |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (6cnts) ?
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PE EXE or DLL Windows file download HTTP