ScreenShot
| Created | 2024.08.05 11:12 | Machine | s1_win7_x6401 |
| Filename | SS.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 50 detected (AIDetectMalware, BlackMoon, malicious, high confidence, score, Zusy, Unsafe, V90u, Attribute, HighConfidence, A suspicious, Artemis, MalwareX, Convagent, CLOUD, ATRAPS, YXEHDZ, Real Protect, high, FakeAV, Detected, Wacatac, OV@6e1pyh, ABTrojan, UYES, R658019, ZexaF, DqKfaiVvFLpb, MachineLearning, Anomalous, 100%, ai score=84, confidence) | ||
| md5 | 1f0754128f1fd32781886c3d9e7dc138 | ||
| sha256 | e5bcef72212f77a5390675d5fc24433af0e682db535969894f967a409eefb8aa | ||
| ssdeep | 12288:EfqiJSvtZDd4YQp7T8BPZ0T9XG1rVBbtpIwaDoS8:GqiWfvQpX8T0h2r/b/IDK | ||
| imphash | ff764c3d5517b7ba18154cf01d80c42b | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EwRgsfW1bBnaMBxAdYgW46PWTXmJJcn:VA/DzqYOZ9RgWCJ45NIeX+O | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to stop active services |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4c20c8 LoadLibraryA
0x4c20cc GetProcAddress
0x4c20d0 VirtualProtect
0x4c20d4 VirtualAlloc
0x4c20d8 VirtualFree
0x4c20dc ExitProcess
ADVAPI32.dll
0x4c20e4 RegCloseKey
COMCTL32.dll
0x4c20ec None
GDI32.dll
0x4c20f4 SaveDC
SHELL32.dll
0x4c20fc DragFinish
SHLWAPI.dll
0x4c2104 PathFileExistsA
USER32.dll
0x4c210c GetDC
WININET.dll
0x4c2114 InternetOpenA
WINSPOOL.DRV
0x4c211c ClosePrinter
EAT(Export Address Table) is none
KERNEL32.DLL
0x4c20c8 LoadLibraryA
0x4c20cc GetProcAddress
0x4c20d0 VirtualProtect
0x4c20d4 VirtualAlloc
0x4c20d8 VirtualFree
0x4c20dc ExitProcess
ADVAPI32.dll
0x4c20e4 RegCloseKey
COMCTL32.dll
0x4c20ec None
GDI32.dll
0x4c20f4 SaveDC
SHELL32.dll
0x4c20fc DragFinish
SHLWAPI.dll
0x4c2104 PathFileExistsA
USER32.dll
0x4c210c GetDC
WININET.dll
0x4c2114 InternetOpenA
WINSPOOL.DRV
0x4c211c ClosePrinter
EAT(Export Address Table) is none