ScreenShot
| Created | 2024.07.11 09:29 | Machine | s1_win7_x6403 |
| Filename | f.exe | ||
| Type | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 16 detected (Unsafe, V4zb, a variant of WinGo, HackTool, Artemis, FScan, CLASSIC, Obfuscated, Wacatac, Xmhl, susgen, Scanner) | ||
| md5 | 79f198f849919600241b898f482d197f | ||
| sha256 | 43c0b3f2764243d665c69a34fb15120cd9befd7a16382605ffa5c78e903c452e | ||
| ssdeep | 98304:xXFFDZxGhP6OhUqvOssB947StpGKfM0Y7kRv87VQQQQQQQQQQQQQ4hl391TO6JGw:PBchU4lg4O4MM0YYRqlPO65 | ||
| imphash | c7269d59926fa4252270f407e4dab043 | ||
| impfuzzy | 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6tP:K5O+VAXOmGx0oP | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| watch | Detects the presence of Wine emulator |
| watch | File has been identified by 16 AntiVirus engines on VirusTotal as malicious |
| info | Command line console output was observed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x11bd020 WriteFile
0x11bd028 WriteConsoleW
0x11bd030 WaitForMultipleObjects
0x11bd038 WaitForSingleObject
0x11bd040 VirtualQuery
0x11bd048 VirtualFree
0x11bd050 VirtualAlloc
0x11bd058 SwitchToThread
0x11bd060 SuspendThread
0x11bd068 Sleep
0x11bd070 SetWaitableTimer
0x11bd078 SetUnhandledExceptionFilter
0x11bd080 SetProcessPriorityBoost
0x11bd088 SetEvent
0x11bd090 SetErrorMode
0x11bd098 SetConsoleCtrlHandler
0x11bd0a0 ResumeThread
0x11bd0a8 PostQueuedCompletionStatus
0x11bd0b0 LoadLibraryA
0x11bd0b8 LoadLibraryW
0x11bd0c0 SetThreadContext
0x11bd0c8 GetThreadContext
0x11bd0d0 GetSystemInfo
0x11bd0d8 GetSystemDirectoryA
0x11bd0e0 GetStdHandle
0x11bd0e8 GetQueuedCompletionStatusEx
0x11bd0f0 GetProcessAffinityMask
0x11bd0f8 GetProcAddress
0x11bd100 GetEnvironmentStringsW
0x11bd108 GetConsoleMode
0x11bd110 FreeEnvironmentStringsW
0x11bd118 ExitProcess
0x11bd120 DuplicateHandle
0x11bd128 CreateWaitableTimerExW
0x11bd130 CreateThread
0x11bd138 CreateIoCompletionPort
0x11bd140 CreateFileA
0x11bd148 CreateEventA
0x11bd150 CloseHandle
0x11bd158 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x11bd020 WriteFile
0x11bd028 WriteConsoleW
0x11bd030 WaitForMultipleObjects
0x11bd038 WaitForSingleObject
0x11bd040 VirtualQuery
0x11bd048 VirtualFree
0x11bd050 VirtualAlloc
0x11bd058 SwitchToThread
0x11bd060 SuspendThread
0x11bd068 Sleep
0x11bd070 SetWaitableTimer
0x11bd078 SetUnhandledExceptionFilter
0x11bd080 SetProcessPriorityBoost
0x11bd088 SetEvent
0x11bd090 SetErrorMode
0x11bd098 SetConsoleCtrlHandler
0x11bd0a0 ResumeThread
0x11bd0a8 PostQueuedCompletionStatus
0x11bd0b0 LoadLibraryA
0x11bd0b8 LoadLibraryW
0x11bd0c0 SetThreadContext
0x11bd0c8 GetThreadContext
0x11bd0d0 GetSystemInfo
0x11bd0d8 GetSystemDirectoryA
0x11bd0e0 GetStdHandle
0x11bd0e8 GetQueuedCompletionStatusEx
0x11bd0f0 GetProcessAffinityMask
0x11bd0f8 GetProcAddress
0x11bd100 GetEnvironmentStringsW
0x11bd108 GetConsoleMode
0x11bd110 FreeEnvironmentStringsW
0x11bd118 ExitProcess
0x11bd120 DuplicateHandle
0x11bd128 CreateWaitableTimerExW
0x11bd130 CreateThread
0x11bd138 CreateIoCompletionPort
0x11bd140 CreateFileA
0x11bd148 CreateEventA
0x11bd150 CloseHandle
0x11bd158 AddVectoredExceptionHandler
EAT(Export Address Table) is none