Field | Value |
---|---|
Created | 2024.07.29 13:53 |
Machine | s1_win7_x6401 |
Filename | gate3.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 55 detected (AIDetectMalware, Scar, malicious, high confidence, score, Tedy, Unsafe, Kryptik, Vjtn, GenericKD, Attribute, HighConfidence, ttjc, PrivateLoader, kcnjzd, lvYFnyV57AB, XPACK, DownLoader46, R002C0DBQ24, Static AI, Suspicious PE, Detected, ai score=89, AMAA, ABTrojan, RSUP, TrojanX, Krypt, Vwhl, r1kXLU1tr68, susgen, confidence, 100%, AZZO3DGW) |
md5 | 1cbf0540443b57f70f8f09dfb0386d94 |
sha256 | 559b465bc7a517cdac15770e26da966a6e3ffb6235ad949bc9e9a66c7dc656bb |
ssdeep | 49152:E8afu8EKK1U6JIdcaKhkzF7H21z2K6OwzcCHKg7Xa8ZBNe7p/mFDy9wH:E8awKK1U6JIdcar7WUKmBaKjeIUw |
imphash | b5fd5c5a28970cfa1aef9750a101db08 |
impfuzzy | 6:aZRHmR1A4GVzRgKLbXwNbsOblJoZ/OiBJAEnERGDW:KAR1A4GZRgIwxvJOZGqAJcDW |
Network IP location
Signature (10cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
danger | Disables Windows Security features |
watch | Communicates with host for which no DNS query was performed |
notice | Creates hidden or system file |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts)
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140401000 InitializeCriticalSectionEx
USER32.dll
0x140401010 CharNextA
ADVAPI32.dll
0x140401020 RegCloseKey
SHELL32.dll
0x140401030 ShellExecuteA
ole32.dll
0x140401040 CoCreateInstance
KERNEL32.dll
0x140401050 HeapAlloc
0x140401058 HeapFree
0x140401060 ExitProcess
0x140401068 LoadLibraryA
0x140401070 GetModuleHandleA
0x140401078 GetProcAddress
EAT (Export Address Table): none