ScreenShot
| Created | 2024.08.04 13:50 | Machine | s1_win7_x6401 |
| Filename | select.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 70 detected (AIDetectMalware, Ranapama, malicious, moderate confidence, score, Ceatrg, ExploitMydoom, Unsafe, Save, Delf, AQZV, GenericRXAA, cjxg, sryri, IPKiller, CLOUD, Delphi, Real Protect, high, DelpDldr, QQPass, adgxy, Detected, gen@1xqow5, Eldorado, Scar, R44539, Toga, Genetic, GenAsa, WFirKA1EW3U, ai score=100, susgen, confidence, 100%) | ||
| md5 | d0e834aed727fe49a51b071c680a282c | ||
| sha256 | 838ce866b55bb2926e233d6b362fa4b2addcdeaaddf87ce0811f0501e3384a5c | ||
| ssdeep | 384:0Ew7wknHOYXQdhLGPvCaV4pLS7OGQ8xy1CzcN6Rne:0Ew7wkHOYEGPvCaV4pLzb1fN | ||
| imphash | b411f30c94b39aeb7f756dde75c64d60 | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EwRgSdnoNLbFByLGeDSZo8t4qxn:VA/DzqYOZ9RgKQVwLGgSX4qxn | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 70 AntiVirus engines on VirusTotal as malicious |
| watch | Creates known Ceatrg Trojan files |
| watch | Installs itself for autorun at Windows startup |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Network_Downloader | File Downloader | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x413198 LoadLibraryA
0x41319c GetProcAddress
0x4131a0 VirtualProtect
0x4131a4 VirtualAlloc
0x4131a8 VirtualFree
0x4131ac ExitProcess
advapi32.dll
0x4131b4 RegCloseKey
oleaut32.dll
0x4131bc SysFreeString
shell32.dll
0x4131c4 ShellExecuteA
shfolder.dll
0x4131cc SHGetFolderPathA
urlmon.dll
0x4131d4 URLDownloadToFileA
user32.dll
0x4131dc CharNextA
wsock32.dll
0x4131e4 send
EAT(Export Address Table) is none
KERNEL32.DLL
0x413198 LoadLibraryA
0x41319c GetProcAddress
0x4131a0 VirtualProtect
0x4131a4 VirtualAlloc
0x4131a8 VirtualFree
0x4131ac ExitProcess
advapi32.dll
0x4131b4 RegCloseKey
oleaut32.dll
0x4131bc SysFreeString
shell32.dll
0x4131c4 ShellExecuteA
shfolder.dll
0x4131cc SHGetFolderPathA
urlmon.dll
0x4131d4 URLDownloadToFileA
user32.dll
0x4131dc CharNextA
wsock32.dll
0x4131e4 send
EAT(Export Address Table) is none