ScreenShot
| Created | 2024.08.05 11:03 | Machine | s1_win7_x6401 |
| Filename | Na.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 52 detected (AIDetectMalware, BlackMoon, malicious, high confidence, score, Zusy, Unsafe, V33t, Attribute, HighConfidence, A suspicious, Artemis, MalwareX, Convagent, CLOUD, ATRAPS, YXEHDZ, Real Protect, high, BlackMoon Packed, FakeAV, Detected, ai score=84, Sabsik, OV@6e1pyh, Wacatac, Eldorado, R658019, ZexaF, FqKfamzNWUcb, ChinAd, Static AI, Malicious PE, Dinwod, frindll, CoinMiner, ESFJ, confidence) | ||
| md5 | e91d7d92b5c5ab6d2c6ee2da175bb119 | ||
| sha256 | b79598539cbd6f285069c82af03bf418adbd5c168802b987c5c690cb71122580 | ||
| ssdeep | 12288:vZVS2bdkdrJ49Fd7yKDbfkPIO1YJF1rX3J2pghjYpAg9ghhvoSi:vtd+4x7LHcweUF1rX3J2pFWDhG | ||
| imphash | ff764c3d5517b7ba18154cf01d80c42b | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EwRgsfW1bBnaMBxAdYgW46PWTXmJJcn:VA/DzqYOZ9RgWCJ45NIeX+O | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to stop active services |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4f60c8 LoadLibraryA
0x4f60cc GetProcAddress
0x4f60d0 VirtualProtect
0x4f60d4 VirtualAlloc
0x4f60d8 VirtualFree
0x4f60dc ExitProcess
ADVAPI32.dll
0x4f60e4 RegCloseKey
COMCTL32.dll
0x4f60ec None
GDI32.dll
0x4f60f4 SaveDC
SHELL32.dll
0x4f60fc DragFinish
SHLWAPI.dll
0x4f6104 PathFileExistsA
USER32.dll
0x4f610c GetDC
WININET.dll
0x4f6114 InternetOpenA
WINSPOOL.DRV
0x4f611c ClosePrinter
EAT(Export Address Table) is none
KERNEL32.DLL
0x4f60c8 LoadLibraryA
0x4f60cc GetProcAddress
0x4f60d0 VirtualProtect
0x4f60d4 VirtualAlloc
0x4f60d8 VirtualFree
0x4f60dc ExitProcess
ADVAPI32.dll
0x4f60e4 RegCloseKey
COMCTL32.dll
0x4f60ec None
GDI32.dll
0x4f60f4 SaveDC
SHELL32.dll
0x4f60fc DragFinish
SHLWAPI.dll
0x4f6104 PathFileExistsA
USER32.dll
0x4f610c GetDC
WININET.dll
0x4f6114 InternetOpenA
WINSPOOL.DRV
0x4f611c ClosePrinter
EAT(Export Address Table) is none