Field | Value |
---|---|
Created | 2024.08.05 09:31 |
Machine | s1_win7_x6401 |
Filename | qs.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, Nullsoft Installer self-extracting archive |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 80686d8a775b129d069d232978b94248 |
sha256 | 1a87e111bfd5d1b730faa9f7f77f3e0d85eb9c3c8679d7f90c7160d1c989cb3d |
ssdeep | 98304:QMhCAKEwXPrQquKa0ce0ol1z1XMGgVOWTyGYKHiehURADe:Q7WKaHe0ol19Zede |
imphash | d755625992ed97902fd2d9b03d2b1868 |
impfuzzy | 3:swBJAEPwS9KTXzhAXw1MO/EX9CfmLOXlpBr0V/fIiWbW6LlBGdAXWDTV3eAE:dBJAEHGDvZ/EwbXbtMyyTch |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
watch | Creates known TeamViewer mutexes and/or registry changes. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Performs some HTTP requests |
notice | Starts servers listening |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable uses a known packer |
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | Obsidium_Zero | Obsidium protector file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | bmp_file_format | bmp file format | binaries (download) |
info | ftp_command | ftp command | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts)
Suricata ids |
---|
ET POLICY TeamViewer Dyngate User-Agent |
PE API
IAT (Import Address Table)
Library | Address | Function |
---|---|---|
KERNEL32.DLL | 0x43bdec | LoadLibraryA |
KERNEL32.DLL | 0x43bdf0 | GetProcAddress |
KERNEL32.DLL | 0x43bdf4 | ExitProcess |
ADVAPI32.dll | 0x43bdfc | RegEnumKeyA |
COMCTL32.dll | 0x43be04 | None |
GDI32.dll | 0x43be0c | SetBkMode |
ole32.dll | 0x43be14 | CoTaskMemFree |
SHELL32.dll | 0x43be1c | ShellExecuteA |
USER32.dll | 0x43be24 | GetDC |
VERSION.dll | 0x43be2c | VerQueryValueA |
EAT (Export Address Table) is none