ScreenShot
| Created | 2024.08.05 11:10 | Machine | s1_win7_x6403 |
| Filename | run.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 54 detected (AIDetectMalware, Bsymem, malicious, moderate confidence, score, RealProtect, GenericKD, Unsafe, V491, Attribute, HighConfidence, PowerShell, Artemis, ahvs, kaheck, CLOUD, HLLW, Autoruner2, R002C0DH424, Real Protect, Ruftar, Detected, Malgent, ABTrojan, BSZQ, Gencirc, ai score=84, susgen, CoinMiner, confidence, 100%) | ||
| md5 | adb4d3f87fd5378b718f8972b65c234d | ||
| sha256 | 5e16aaefeefed2eed6d02ccd7111242dec0def15bbc7aee0407df4a30af22a0e | ||
| ssdeep | 768:wnOmPsOqok4CfA38QOXn0FPuZstkALO3:wOmPsOqAC4MQOwuZsS | ||
| imphash | 7045005ef4130348fa4cbfc30a6f9d04 | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/Glcid4mvIcM1c9WNsYbtcUFBu4sL4Bn:VA/DzqYOZOJ43cM5dBu4s0B | ||
Network IP location
Signature (31cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| watch | An executable file was downloaded by the process powershell.exe |
| watch | Communicates with host for which no DNS query was performed |
| watch | Connects to an IRC server |
| watch | Creates a suspicious Powershell process |
| watch | Deletes executed files from disk |
| watch | Drops a binary and executes it |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Poweshell is sending data to a remote host |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| notice | URL downloaded by powershell script |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | NMap | NMAP | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | ASPack_Zero | ASPack packed file | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | ftp_command | ftp command | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
Suricata ids
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x14001b4a8 LoadLibraryA
0x14001b4b0 GetProcAddress
0x14001b4b8 VirtualProtect
0x14001b4c0 VirtualAlloc
0x14001b4c8 VirtualFree
0x14001b4d0 ExitProcess
COMCTL32.DLL
0x14001b4e0 InitCommonControlsEx
GDI32.DLL
0x14001b4f0 BitBlt
msvcrt.dll
0x14001b500 fabs
OLE32.DLL
0x14001b510 CoInitialize
SHELL32.DLL
0x14001b520 ShellExecuteExA
SHLWAPI.DLL
0x14001b530 PathGetArgsA
USER32.DLL
0x14001b540 GetDC
WINMM.DLL
0x14001b550 timeBeginPeriod
EAT(Export Address Table) is none
KERNEL32.DLL
0x14001b4a8 LoadLibraryA
0x14001b4b0 GetProcAddress
0x14001b4b8 VirtualProtect
0x14001b4c0 VirtualAlloc
0x14001b4c8 VirtualFree
0x14001b4d0 ExitProcess
COMCTL32.DLL
0x14001b4e0 InitCommonControlsEx
GDI32.DLL
0x14001b4f0 BitBlt
msvcrt.dll
0x14001b500 fabs
OLE32.DLL
0x14001b510 CoInitialize
SHELL32.DLL
0x14001b520 ShellExecuteExA
SHLWAPI.DLL
0x14001b530 PathGetArgsA
USER32.DLL
0x14001b540 GetDC
WINMM.DLL
0x14001b550 timeBeginPeriod
EAT(Export Address Table) is none