ScreenShot
| Created | 2024.07.11 13:46 | Machine | s1_win7_x6401 |
| Filename | mft.exe | ||
| Type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 8 detected (AIDetectMalware, malicious, moderate confidence, Unsafe, Detected, Static AI, Suspicious PE) | ||
| md5 | 387d5dde1f4a235218315898b93df6c1 | ||
| sha256 | ce2c82582a12dac08c75bd58252ec27e6a2bbdfa7f96391ac2364f56d4da40f7 | ||
| ssdeep | 49152:Zxan6HUBwtqTIG31ULlDZ2QqNvp6ukKtbV7VzU9mKjo21fijZrL1R0Aa+LaQCof3:/a6nkIEULlDZuVzJ2p6X7fw9 | ||
| imphash | 9cbefe68f395e67356e2a5d8d1b285c0 | ||
| impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
| watch | Detects the presence of Wine emulator |
| notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x8351c0 WriteFile
0x8351c4 WriteConsoleW
0x8351c8 WaitForMultipleObjects
0x8351cc WaitForSingleObject
0x8351d0 VirtualQuery
0x8351d4 VirtualFree
0x8351d8 VirtualAlloc
0x8351dc SwitchToThread
0x8351e0 SuspendThread
0x8351e4 SetWaitableTimer
0x8351e8 SetUnhandledExceptionFilter
0x8351ec SetProcessPriorityBoost
0x8351f0 SetEvent
0x8351f4 SetErrorMode
0x8351f8 SetConsoleCtrlHandler
0x8351fc ResumeThread
0x835200 PostQueuedCompletionStatus
0x835204 LoadLibraryA
0x835208 LoadLibraryW
0x83520c SetThreadContext
0x835210 GetThreadContext
0x835214 GetSystemInfo
0x835218 GetSystemDirectoryA
0x83521c GetStdHandle
0x835220 GetQueuedCompletionStatusEx
0x835224 GetProcessAffinityMask
0x835228 GetProcAddress
0x83522c GetEnvironmentStringsW
0x835230 GetConsoleMode
0x835234 FreeEnvironmentStringsW
0x835238 ExitProcess
0x83523c DuplicateHandle
0x835240 CreateWaitableTimerExW
0x835244 CreateThread
0x835248 CreateIoCompletionPort
0x83524c CreateFileA
0x835250 CreateEventA
0x835254 CloseHandle
0x835258 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x8351c0 WriteFile
0x8351c4 WriteConsoleW
0x8351c8 WaitForMultipleObjects
0x8351cc WaitForSingleObject
0x8351d0 VirtualQuery
0x8351d4 VirtualFree
0x8351d8 VirtualAlloc
0x8351dc SwitchToThread
0x8351e0 SuspendThread
0x8351e4 SetWaitableTimer
0x8351e8 SetUnhandledExceptionFilter
0x8351ec SetProcessPriorityBoost
0x8351f0 SetEvent
0x8351f4 SetErrorMode
0x8351f8 SetConsoleCtrlHandler
0x8351fc ResumeThread
0x835200 PostQueuedCompletionStatus
0x835204 LoadLibraryA
0x835208 LoadLibraryW
0x83520c SetThreadContext
0x835210 GetThreadContext
0x835214 GetSystemInfo
0x835218 GetSystemDirectoryA
0x83521c GetStdHandle
0x835220 GetQueuedCompletionStatusEx
0x835224 GetProcessAffinityMask
0x835228 GetProcAddress
0x83522c GetEnvironmentStringsW
0x835230 GetConsoleMode
0x835234 FreeEnvironmentStringsW
0x835238 ExitProcess
0x83523c DuplicateHandle
0x835240 CreateWaitableTimerExW
0x835244 CreateThread
0x835248 CreateIoCompletionPort
0x83524c CreateFileA
0x835250 CreateEventA
0x835254 CloseHandle
0x835258 AddVectoredExceptionHandler
EAT(Export Address Table) is none